
TRIPWIRE

THE FILE INTEGRITY MONITORING SYSTEM

INTRODUCTION

Created by Gene Kim and Dr. Eugene Spafford in the year 1992.
It is a file integrity monitoring system.
Mainly used in intrusion detection.
Other by-products include patch management and change management.
Helps in configuration audit and control.

STORY OF TRIPWIRES CREATION

ADMINISTRATORS CHALLENGES

How does an administrator determine which (if any!) files have been altered without authorization?
Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures.
The administrator needs to examine every file as well as check for deleted or added files.

SECURITY POLICY - INTEGRITY OF DATA

Assure that file data (in permanent storage) are not altered except by those authorized to do so.

More precisely, assure that if a file is altered improperly, the alteration can be detected.

CHECKING TECHNIQUES

Established techniques are maintaining checklists, comparison copies, checksum records or backup tapes.
These methods are costly, prone to error and susceptible to easy spoofing.
Intruders with root privileges can alter checklists or compromise utilities.
Changes to a file can be made without changing its length or checksum!

HOW TRIPWIRE COMES TO RESCUE

TRIPWIRE INPUTS THESE DATA

Configuration file (tw.config):
the list of files & directories to be monitored, and
their associated selection mask (a list of attributes that can safely be ignored).

Database file which describes each monitored file, automatically generated on the basis of object properties.

SELECTION MASK
Example:

+pinugsm12-a

Flag for each distinct field in an inode:

p  permission and modes
i  inode number
n  number of links
u  user id
g  group id
s  size of the file
m  modification timestamp
1  signature 1
2  signature 2
a  access timestamp

+  report change
-  ignore the field

WORKING OF TRIPWIRE

TRIPWIRE COMPONENT OVERVIEW

DATABASE INITIALIZATION MODE

Tripwire generates a baseline database file based on tw.config.
tw.config indicates:

files to monitor
files to ignore (e.g. no recursion below directory with name DDD)
whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)

INTEGRITY CHECKING MODE

Generate new database.
Compare new database with baseline db.
Produce report of added & deleted files.
Apply selection mask to modified files.
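The two modes above, reduced to a small working model (an added example, not Tripwire's own code): a mask such as +pinugsm12-a is parsed into the inode fields to report, a baseline database is built from inode attributes plus two content signatures (SHA-256 and MD5 are assumed here as "signature 1" and "signature 2"), and a check reports added and deleted files and, for files present in both databases, only the masked fields that changed. The demo() scenario, its file names and contents are constructed for the example.

```python
import hashlib, os, stat, tempfile
# Inode fields named by the selection-mask letters on the slide (+pinugsm12-a).
FIELDS = {"p": "mode", "i": "inode", "n": "nlink", "u": "uid", "g": "gid",
          "s": "size", "m": "mtime", "1": "sig1", "2": "sig2", "a": "atime"}

def parse_mask(mask):
    """'+pinugsm12-a' -> set of field names whose changes are reported."""
    report, sign = set(), "+"
    for ch in mask:
        if ch in "+-":
            sign = ch                     # a sign applies to every letter after it
        else:
            (report.add if sign == "+" else report.discard)(FIELDS[ch])
    return report

def fingerprint(path):
    """Inode attributes plus two content signatures (assumed here: SHA-256 and MD5)."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "nlink": st.st_nlink,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "mtime": st.st_mtime_ns, "atime": st.st_atime_ns,
            "sig1": hashlib.sha256(data).hexdigest(), "sig2": hashlib.md5(data).hexdigest()}

def build_database(root):
    """Database initialization mode: one fingerprint per file below root."""
    return {os.path.relpath(os.path.join(d, n), root): fingerprint(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def integrity_check(baseline, current, mask):
    """Integrity checking mode: added/deleted files, then masked field diffs."""
    watched = parse_mask(mask)
    diffs = {rel: sorted(f for f in watched if baseline[rel][f] != current[rel][f])
             for rel in baseline.keys() & current.keys()}
    return {"added": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys()),
            "changed": {rel: d for rel, d in diffs.items() if d}}

def demo():  # constructed scenario: a same-length edit, a deleted file, an added file
    with tempfile.TemporaryDirectory() as root:
        def put(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        put("passwd", "root:x:0:0\n"); put("gone.txt", "old\n")
        baseline = build_database(root)
        put("passwd", "r00t:x:0:0\n")     # same length, so a size check alone misses it
        os.remove(os.path.join(root, "gone.txt"))
        put("new.txt", "")
        return integrity_check(baseline, build_database(root), "+pinugsm12-a")
```

The same-length overwrite of passwd is the case from the CHECKING TECHNIQUES slide: its size is unchanged, yet both signatures differ, while the access timestamp is never reported because the mask ends in -a.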

SAMPLE OUTPUT

OTHER THINGS ABOUT TRIPWIRE

PROPERTIES OF TRIPWIRE

Portable
Self-contained
Adaptable to large and small sites
Very restricted in what it sees -- only operating system attribute changes of files.
It has no clue as to what users are actually doing!

WHAT CAN RUN TRIPWIRE?

Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B
FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3
HP-UX 10.20, 11.0, 11i v1 & 11i v2
IBM AIX 4.3.3, 5.1, 5.2 & 5.3
Linux (kernel 2.2 and glibc 2.x or higher)
Red Hat Enterprise Linux 3 & 4 AS, WS & ES
Solaris (SPARC) 2.6, 7, 8, 9 & 10
Windows NT 4.0, 2000, 2003 & XP Pro

THANK YOU
