
Experience with Tripwire: Using Integrity Checkers for Intrusion Detection
by Gene H. Kim and Eugene H. Spafford

10/06

Presentation Outline

- Motivation for Tripwire
- Tripwire design
- Experiences
- Conclusion


Motivation - A Scary Story

- Ellen is the system admin for a large network
- Ellen realizes someone has logged on as root on several machines
- The sneaky intruder deleted all accounting & auditing files before logging out
- Ellen's concerns:
  - Did the intruder leave a backdoor (for re-entry)?
  - Was sensitive information compromised?


Security Policy - Integrity of Data

- Assure that file data (in permanent storage) are not altered except by those authorized to do so
- More precisely, assure that if a file is altered improperly, the alteration can be detected


Tripwire

- Gives system admins the ability to monitor for added, deleted & modified files
- Checks for changes in file attributes, e.g.:
  - size
  - access & modification timestamps
  - permissions
  - inode number
  - signature (more on signatures later)


Ellen's Challenge

- How does Ellen determine which (if any!) files have been altered w/o authorization?
- Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures
- Ellen needs to examine every file as well as check for deleted or added files


Checking Techniques

- Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes
- These methods are costly, prone to error and susceptible to easy spoofing
- Intruders w/ root privileges can alter checklists or compromise utilities (e.g. ls)
- Changes to a file can be made w/out changing its length or checksum!


Define Integrity of File Data

- Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored?
- Define it as a set of characteristics
- Monitor changes to those characteristics
- The Tripwire system is said to enforce the integrity of the file system if any unauthorized change to those characteristics is detected


The Ideal Integrity Checker ...

- High level of automation
- Simple description of the attributes of the file system that are monitored/checked
- Easy way to update the database used to control monitoring - small changes shouldn't require massive regeneration
- Automate regular checks (use the UNIX scheduler, cron); allow manual checks


Ideal Integrity Checker cont.

- Generate output that's easy to scan
- Allow specification of file system exceptions that are NOT reported
- Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly)


Tripwire Program Inputs

- Configuration file (tw.config)
  - list of files & directories to be monitored
  - their associated selection mask (lists the attributes that can safely be ignored)
- Database file - describes each file
  - automatically generated
  - set of file names, inode attribute values, signature info., associated tw.config entry


Selection Mask

Example: +pinugsm12-a

Flag for each distinct field in an inode:
  p  permission and modes
  i  inode number
  n  number of links
  u  user id
  g  group id
  s  size of the file
  m  modification timestamp
  1  signature 1
  2  signature 2
  a  access timestamp

  +  report change
  -  ignore the field

Tripwire Component Overview

  tw.config file  +  files residing on system
                |
                v
             generate
                |
                v
  newly generated database  <-- compare -->  old database
                |
                v
        apply ignore-masks
                |
                v
         Tripwire report

Database Initialization Mode

- Tripwire generates the baseline database file based on tw.config
- tw.config indicates:
  - files to monitor
  - files to ignore (e.g. no recursion below a directory with name DDD)
  - whether to ignore file size changes (e.g. ignore an increase in log files, but report a decrease!!!)


Integrity Checking Mode

- Generate a new database
- Compare the new database with the baseline database
- Produce a report of added & deleted files
- Apply the selection mask to modified files


Signature Support

- For each file, up to 10 signatures
- What's a signature? Any pattern that represents the file
- By default, MD5 and Snefru signatures are recorded and checked for each file
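To make the pipeline on the component overview, initialization, checking and signature slides concrete, here is a small checker written for this summary (not Tripwire's own code): it records stat fields plus two signatures per file, then compares a second database against the baseline under a selection mask, so that added and deleted files are always reported while only masked-in attributes count as a change. Assumptions: sha256 stands in for Snefru, only the ten flags of the slides' example mask are supported, and the files are a constructed scenario in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
# Letter -> stat field, after the slide's selection-mask legend. Snefru is not in
# hashlib, so sha256 stands in for "signature 2" (an assumption of this example).
FIELD_OF_FLAG = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
                 "g": "st_gid", "s": "st_size", "m": "st_mtime", "a": "st_atime",
                 "1": "sig1", "2": "sig2"}

def parse_mask(mask):
    """'+pinugsm12-a' -> fields whose change is reported; letters after '-' are ignored."""
    plus, _, minus = mask.lstrip("+").partition("-")
    return {FIELD_OF_FLAG[c] for c in plus} - {FIELD_OF_FLAG[c] for c in minus}

def file_entry(path):
    """One database record: the inode attributes plus two signatures of the contents."""
    st, data = path.stat(), path.read_bytes()
    rec = {f: getattr(st, f) for f in FIELD_OF_FLAG.values() if f.startswith("st_")}
    rec["sig1"], rec["sig2"] = hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()
    return rec

def generate_database(root):
    """Record every regular file under root (init mode and checking mode both do this)."""
    return {str(p.relative_to(root)): file_entry(p) for p in Path(root).rglob("*") if p.is_file()}

def compare(baseline, current, mask):
    """Added/deleted files are always reported; the mask decides which changed fields count."""
    fields = parse_mask(mask)
    report = {"added": sorted(set(current) - set(baseline)),
              "deleted": sorted(set(baseline) - set(current)), "changed": {}}
    for path in set(baseline) & set(current):
        diffs = {f: (current[path][f], baseline[path][f])  # (observed, expected)
                 for f in fields if current[path][f] != baseline[path][f]}
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed scenario: baseline, then dfstab shrinks, motd is deleted, a file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "dfstab").write_text("#" * 3623)
        (etc / "motd").write_text("welcome\n")
        baseline = generate_database(tmp)
        (etc / "dfstab").write_text("#" * 3384)
        (etc / "motd").unlink()
        (etc / "new.conf").write_text("constructed\n")
        current = generate_database(tmp)
        # read-only template (R) versus log-file template (L) from the slides
        return compare(baseline, current, "+pinugsm12-a"), compare(baseline, current, "+pinug-sam12")
```

Under the log-file mask the shrunken dfstab is not flagged, which is exactly the gap the Database Initialization slide's "report a decrease" option is meant to close.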


Supported Platforms

- Windows NT, version 4.0
- Solaris (SPARC), versions 2.6, 7.0
- Solaris (Intel), versions 2.6, 7.0
- HP-UX, versions 10.20, 11.00
- IBM AIX, versions 4.2, 4.3
- SGI Irix, version 6.5
- Compaq TRU64 UNIX, version 4.0
- Linux


Sample Output

    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ###                 Total files scanned:     5143
    ###                       Files added:          0
    ###                       Files deleted:        0
    ###                       Files changed:        5
    ###
    ###                 Total file violations:

Sample Output Cont.

    changed: -rw-r--r-- root        3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab

    Phase 5: Generating observed/expected pairs for changed files

    Attr           Observed (what it is)         Expected (what it should be)
    /etc/dfs/dfstab
         st_size:  3384                          3623
        st_mtime:  Wed Jan 12 14:39:27 2004      Tue Dec 14 12:22:20 2003
        st_ctime:  Wed Jan 12 14:39:27 2004      Tue Dec 14 12:22:20 2003
      md5 (sig1):  3TZThlJJb5piwca4EHUnRy        2nGPSAY1loE5vlS.D1qhHL
   snefru (sig2):  1uKAb7andEuQOzAyXnFcfR        0hl1UxAEzEILB8jXtDsx4G


Conclusion

- Portable
- Self-contained
- Adaptable to large and small sites
- Very restricted in what it sees - only OS attribute changes of files
- It has no clue as to what users are actually doing!


The End


Templates

- read-only files: Only the access timestamp is ignored.
- log files: Changes to the file size, access and modification timestamps, and signatures are ignored.
- growing log files: Same flags as log files, except that only increases in file size are ignored (a decrease is reported).
- ignore nothing
- ignore everything


Example tw.config

    # file/dir       selection-mask
    /etc             R       # all files under /etc
    @@ifhost solaria.cs.purdue.edu
    !/etc/lp                 # except for SVR4 printer logs
    @@endif
    /etc/passwd      R+12    # you can't be too careful
    /etc/mtab        L       # dynamic files
    /etc/motd        L
    /etc/utmp        L
    =/var/tmp        R       # only the directory, not its contents


You use Tripwire for what?

- Many system admins use Tripwire as a tool to enforce local policy - changes by one system admin are noticed quickly by the others
- Tripwire helps salvage file systems not completely repaired by fsck (the program that ensures consistency between file data and their inodes):
  - a file can be rebound to its original name by searching the database for a matching signature


Stealth-Tripwire

- Several system admins have tried very hard to conceal their use of Tripwire and don't run it through programs like cron
- The authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks


Paranoia

- Tripwire is designed to run on a regular basis, such as daily
- Two reported cases of Tripwire being run hourly - not a good idea
- Good paranoia - plant files on the system, such as master-passwords, that are prime targets for intruders


Portability

- Tripwire reported to be running on 28 different UNIX platforms
- Only 8 example tw.config files necessary
- The authors receive requests to help system admins compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries
- Often, a group of system admins with similarly orphaned machines will put together a patch


You Added WHAT to Tripwire?

- The authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems


Mega & Micro - Tripwire

- Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups
- A configuration file consisting solely of / has proved adequate for some system administrators of smaller sites


CS Dept. & Tripwire

- Tripwire runs on all essential servers every night
- Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins
- Very usable out-of-the-box; it took a staff member only 10 hours to set up
- Installed for 9 months - haven't seen anything suspicious; Paco occasionally checks to make sure it still runs at night


Interactive Database Update

- Tripwire generates a list of all changes (as in integrity checking mode)
- Tripwire asks the system admin to specify which entries to update in the database file


Database Update Mode

- Tripwire regenerates database entries for a list of files or configuration entries given on the command line
- Tripwire instructs the system admin to move the new database to secure media


Configurability Aids

- Preprocessor support allows the system admin to write configuration files that support numerous configurations of machines
  - Note: Machines that share a configuration file still generate their own database files
- Prefixes on tw.config entries allow pruning: a directory and/or its contents can be excluded from monitoring


Configurability Aids (Cont.)

- Example selection mask: +pinugsm12-a
  - Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to the access timestamp.
- Templates allow the system admin to quickly classify files into categories that use common sets of flags
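A parser for the configuration shown on the Example tw.config slide, covering the preprocessor (@@ifhost/@@endif), the ! and = prefixes and the templates described on these Configurability Aids slides; it is an added example for this summary, not Tripwire's own parser. Assumptions: the template masks are spelled out from the Templates slide using only the ten flags the slides list, the letters N and E for "ignore nothing"/"ignore everything" are assumed, an entry with no mask defaults to R, and the longest-matching-prefix rule in mask_for is this example's choice.

```python
# Reconstructed from the "Example tw.config" slide (constructed sample input).
EXAMPLE_TW_CONFIG = """\
/etc             R       # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                 # except for SVR4 printer logs
@@endif
/etc/passwd      R+12    # you can't be too careful
/etc/mtab        L       # dynamic files
/etc/motd        L
/etc/utmp        L
=/var/tmp        R       # only the directory, not its contents
"""

# Templates as the Templates slide describes them, using only the ten flags the
# slides list (assumption: N/E letters and these reduced masks are this example's).
TEMPLATES = {"R": "+pinugsm12-a",   # read-only: only the access timestamp ignored
             "L": "+pinug-sam12",   # log file: size, timestamps, signatures ignored
             "N": "+pinugsam12",    # ignore nothing
             "E": "-pinugsam12"}    # ignore everything

def expand_mask(spec):
    """A template letter may carry extra flags: 'R+12' -> '+pinugsm12-a+12'."""
    return TEMPLATES[spec[0]] + spec[1:] if spec[0] in TEMPLATES else spec

def parse_tw_config(text, hostname):
    """Entries for this host as (path, mask, recurse) plus the pruned ('!') paths."""
    entries, pruned, active = [], [], [True]
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()            # drop comments and blank lines
        if words[:1] == ["@@ifhost"]:                    # preprocessor: host-specific block
            active.append(words[1] == hostname)
        elif words[:1] == ["@@endif"]:
            active.pop()
        elif words and all(active):
            path = words[0]
            if path.startswith("!"):                     # prune this path and everything below
                pruned.append(path[1:])
            else:                                        # '=': only the dir inode, not its contents
                spec = words[1] if len(words) > 1 else "R"   # assumption: R when no mask given
                entries.append((path.lstrip("="), expand_mask(spec), not path.startswith("=")))
    return entries, pruned

def mask_for(file_path, entries, pruned):
    """Which mask governs a file: longest matching entry wins; pruned paths yield None."""
    if any(file_path == p or file_path.startswith(p + "/") for p in pruned):
        return None
    hits = [(path, mask) for path, mask, recurse in entries
            if file_path == path or (recurse and file_path.startswith(path + "/"))]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else None
```

Running the same file against two hostnames shows the sharing trick from the Mega & Micro slide: only solaria prunes /etc/lp, every other host monitors it under the /etc entry.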


Good News

- Seven reported cases of Tripwire alerting system administrators to intruders
- Dozens of cases of Tripwire being used as a system admin enforcement tool
- One reported case of Tripwire detecting a failing disk


Where are the Bad Guys?

- Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered break-ins in two years?
  - Intruders have given up? Don't you wish!
  - Sites running Tripwire aren't interesting? Nope
  - Site admins aren't telling? Maybe
  - Tripwire sites are more security-conscious? Maybe


Bad Guys (Cont.)

- Sites have already been attacked?
  - maybe baseline databases are being generated on machines that have already been compromised
- Intruders have completely subverted integrity checking schemes?
  - it would be very hard for an intruder to alter a file in a way that preserves its original signature

