Experience with Tripwire: Using Integrity Checkers for Intrusion Detection

by Gene H. Kim and Eugene H. Spafford

10/06
Presentation Outline
• Motivation for Tripwire
• Tripwire design
• Experiences
• Conclusion

Motivation - A Scary Story
• Ellen is the system admin for a large network
• Ellen realizes someone has logged on as root on several machines
• The sneaky intruder deleted all accounting & auditing files before logging out
• Ellen’s concerns:
– Did the intruder leave a backdoor (for re-entry)?
– Was sensitive information compromised?

Security Policy - Integrity of Data
• Assure that file data (in permanent storage) are not altered except by those authorized to do so
• More precisely, assure that if a file is altered improperly, the alteration can be detected

Tripwire
• Gives system admins the ability to monitor for added, deleted & modified files
• Checks for changes in file attributes, e.g.:
– size,
– access & modification timestamps,
– permissions,
– inode number,
– signature (more on signatures later)

Ellen’s Challenge
• How does Ellen determine which (if any!) files have been altered w/o authorization?
• Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures
• Ellen needs to examine every file as well as check for deleted or added files

Checking Techniques
• Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes
• These methods are costly, prone to error and susceptible to easy spoofing
• Intruders w/ root privileges can alter checklists or compromise utilities (e.g. “ls”)
• Changes to a file can be made w/out changing its length or checksum!

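The last two bullets are why Tripwire records cryptographic signatures rather than plain checksums. The following added example (Python; not code from the paper or from Tripwire) shows a length-preserving edit to a constructed dfstab-style share line that an additive checksum in the style of the System V `sum` utility cannot see, while MD5 (the deck's signature 1) and SHA-256 both flag it. `sysv_sum`, `detect` and the two sample lines are this example's own.

```python
"""Why a change can preserve length and checksum yet still be caught by a signature.

Added example, not code from the paper or the Tripwire project. sysv_sum follows
the additive 16-bit checksum of the classic System V 'sum' utility; the two
dfstab-style lines are constructed for the demonstration.
"""
import hashlib


def sysv_sum(data: bytes) -> int:
    """Additive checksum: sum every byte, then fold the carries into 16 bits.
    Any permutation of the same bytes produces the same value."""
    total = sum(data)
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16)


def detect(original: bytes, modified: bytes) -> dict:
    """Report which checks notice the difference between two file contents."""
    return {
        "length": len(original) != len(modified),
        "sysv_sum": sysv_sum(original) != sysv_sum(modified),
        "md5": hashlib.md5(original).digest() != hashlib.md5(modified).digest(),
        "sha256": hashlib.sha256(original).digest() != hashlib.sha256(modified).digest(),
    }


# Constructed NFS export line and a version with 'rw' and 'ro' swapped:
# the same bytes in a different order, so same length and same additive checksum,
# but a very different access policy.
ORIGINAL = b"share -F nfs -o rw=trusted,ro=public /export/home\n"
MODIFIED = b"share -F nfs -o ro=trusted,rw=public /export/home\n"

if __name__ == "__main__":
    assert ORIGINAL != MODIFIED
    for check, noticed in detect(ORIGINAL, MODIFIED).items():
        print(f"{check:>8}: {'changed' if noticed else 'no change seen'}")
```

Only the two hash-based checks report the edit; a checklist that stores lengths and additive checksums would pass the modified file as unchanged.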
Define Integrity of File Data
• Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored?
• Define it as a set of characteristics
• Monitor change of those characteristics
• The Tripwire system is said to “enforce the integrity of the file system” if unauthorized change to the characteristics is detected

The Ideal Integrity Checker ...
• High level of automation
• Simple description of the attributes of the file system that are monitored/checked
• Easy way to update the database used to control monitoring - small changes shouldn’t require massive regeneration
• Automate regular checks (use the UNIX scheduler, cron); allow manual checks

Ideal Integrity Checker cont.
• Generate output that’s easy to scan
• Allow specification of file system “exceptions” that are NOT reported
• Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly)

Tripwire Program Inputs
• Configuration file (tw.config)
– list of files & directories to be monitored
– their associated selection mask (list of attributes that can safely be ignored)
• Database file - describes each “file” - automatically generated
– set of file names, inode attribute values, signature info., associated tw.config entry

Selection Mask
Example: +pinugsm12-a
One flag for each distinct field in an inode:
p  permission and modes
i  inode number
n  number of links
u  user id
g  group id
s  size of the file
m  modification timestamp
1  signature 1
2  signature 2
a  access timestamp
+  report change
-  ignore the field

Tripwire Component Overview
(data-flow diagram, rendered as text)
tw.config + files residing on system -> generate -> newly generated database
newly generated database + old database file -> compare (apply ignore-masks) -> Tripwire report

Database Initialization Mode
• Tripwire generates a baseline database file based on tw.config
• tw.config indicates
– files to monitor
– files to ignore (e.g. no recursion below a directory with name “DDD”)
– whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)

Integrity Checking Mode
• Generate new database
• Compare new database with baseline db
• Produce report of added & deleted files
• Apply selection mask to modified files

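To make the modes concrete, here is an added example (Python; not code from Tripwire or from the authors) that implements the "generate" and "compare" steps of the Component Overview diagram over a constructed directory tree. It records the inode attributes Tripwire tracks plus two content signatures (MD5 as on the Signature Support slide; SHA-256 stands in for Snefru, which Python's hashlib does not provide), reports added, deleted and changed files with observed/expected pairs, applies per-file ignore sets including the "ignore a growing log, but report a shrinking one" rule from the Database Initialization slide, and ends with the selective accept step that the Database Update Mode slide describes later in the deck. All function names, the policy tuples and the sample files are this example's own.

```python
"""Minimal file-integrity checker following the mode descriptions on the slides.

Added example, not Tripwire's own code. Records the inode attributes Tripwire
tracks plus two content signatures (MD5 as in the deck; SHA-256 stands in for
Snefru, which hashlib lacks), compares a fresh scan with a baseline, applies a
per-file ignore set, and updates selected baseline entries. Function names, the
policy tuples and the sample files are this example's own.
"""
import hashlib
import os
import stat
import tempfile

# inode fields recorded for each file (names as in os.stat_result)
ATTRS = ("st_mode", "st_ino", "st_nlink", "st_uid", "st_gid",
         "st_size", "st_mtime", "st_ctime", "st_atime")

# policy = (attributes whose change is ignored, grow_only flag)
READ_ONLY = (frozenset({"st_atime"}), False)  # deck: only the access timestamp is ignored
GROWING_LOG = (frozenset({"st_atime", "st_mtime", "st_ctime",  # ctime added here: it moves on append
                          "sig1_md5", "sig2_sha256"}), True)   # size may grow, a decrease is reported


def signatures(path):
    """Two content signatures, as the deck records MD5 and Snefru for every file."""
    with open(path, "rb") as f:
        data = f.read()
    return {"sig1_md5": hashlib.md5(data).hexdigest(),
            "sig2_sha256": hashlib.sha256(data).hexdigest()}


def snapshot(root):
    """'generate': map each regular file (path relative to root) to attributes + signatures."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            entry = {a: getattr(st, a) for a in ATTRS}
            entry.update(signatures(path))
            db[os.path.relpath(path, root)] = entry
    return db


def compare(baseline, current, policy=None):
    """'compare': return (added, deleted, changed); changed maps path -> {attr: (observed, expected)}."""
    policy = policy or {}
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        ignore, grow_only = policy.get(path, READ_ONLY)
        diffs = {}
        for attr, expected in baseline[path].items():
            observed = current[path][attr]
            if observed == expected or attr in ignore:
                continue
            if attr == "st_size" and grow_only and observed > expected:
                continue  # a log may grow; shrinking is still reported
            diffs[attr] = (observed, expected)
        if diffs:
            changed[path] = diffs
    return added, deleted, changed


def update_database(baseline, current, paths):
    """Database update mode: accept the current state for the listed entries only."""
    updated = dict(baseline)
    for path in paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)  # accepting a deletion removes the entry
    return updated


def demo():
    """Constructed scenario: a shrunk config file, a grown log, one added and one deleted file."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode="w"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, mode) as f:
                f.write(text)

        write("etc/dfs/dfstab", "share -F nfs /export/home\nshare -F nfs /export/tools\n")
        write("etc/motd", "welcome\n")
        write("var/log/messages", "boot\n")
        baseline = snapshot(root)

        write("etc/dfs/dfstab", "share -F nfs /export/home\n")  # one export line removed
        write("var/log/messages", "cron started\n", mode="a")   # normal log growth
        write("etc/new.conf", "x\n")                            # file added
        os.remove(os.path.join(root, "etc/motd"))              # file deleted
        current = snapshot(root)

        policy = {"var/log/messages": GROWING_LOG}
        added, deleted, changed = compare(baseline, current, policy)
        # the admin accepts the dfstab change; everything else stays flagged
        accepted = update_database(baseline, current, ["etc/dfs/dfstab"])
        _, _, still_changed = compare(accepted, current, policy)
        return {"added": added, "deleted": deleted, "changed": changed,
                "still_changed": still_changed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The grown log is not reported at all under its policy, while the shrunk dfstab shows size and both signatures as observed/expected pairs, much like the deck's Phase 5 output; only the entry the admin accepts disappears from the next comparison.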
Signature Support
• For each file – up to 10 signatures
• What’s a signature?
• Any pattern that “represents” the file
– By default, MD5 and Snefru signatures are recorded and checked for each file

Supported Platforms
• Windows NT, version 4.0
• Solaris (SPARC), versions 2.6, 7.0
• Solaris (Intel), versions 2.6, 7.0
• HP-UX, versions 10.20, 11.00
• IBM AIX, versions 4.2, 4.3
• SGI Irix, version 6.5
• Compaq TRU64 UNIX, version 4.0
• Linux

Sample Output
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 5143
### Files added: 0
### Files deleted: 0
### Files changed: 5
###
### Total file violations: 5

Sample Output Cont.
changed: -rw-r--r-- root 3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab
Phase 5: Generating observed/expected pairs for changed files
Attr            Observed (what it is)        Expected (what it should be)
/etc/dfs/dfstab
st_size:        3384                         3623
st_mtime:       Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
st_ctime:       Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
md5 (sig1):     3TZThlJJb5piwca4EHUnRy       2nGPSAY1loE5vlS.D1qhHL
snefru (sig2):  1uKAb7andEuQOzAyXnFcfR       0hl1UxAEzEILB8jXtDsx4G

Conclusion
• Portable
• Self-contained
• Adaptable to large and small sites
• Very restricted in what it sees -- only OS attribute changes of files
• It has no clue as to what users are actually doing!

The End

Templates
• read-only files: Only the access timestamp is ignored.
• log files: Changes to the file size, access and modification timestamps, and signatures are ignored.
• growing log files: Same flags as log files, except increasing file sizes are ignored.
• ignore nothing
• ignore everything

Example tw.config
# file/dir        selection-mask
/etc              R      # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                 # except for SVR4 printer logs
@@endif
/etc/passwd       R+12   # you can’t be too careful
/etc/mtab         L      # dynamic files
/etc/motd         L
/etc/utmp         L
=/var/tmp         R      # only the directory, not its contents

You use Tripwire for what?
• Many system admins use Tripwire as a tool to enforce local policy - changes by one system admin are noticed quickly by others
• Tripwire helps salvage file systems not completely repaired by fsck, the program that ensures consistency between file data and their inodes
– a file can be rebound to its original name by searching the database for a matching signature

Stealth-Tripwire
• Several system admins have tried very hard to conceal their use of Tripwire and don’t run it through programs like cron
• The authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks

Paranoia
• Tripwire is designed to run on a regular basis, such as daily
• Two reported cases of Tripwire being run hourly - not a good idea
• Good paranoia - “plant” files on the system, such as master-passwords - prime targets for intruders

Portability
• Tripwire reported to be running on 28 different UNIX platforms
• Only 8 example tw.config files necessary
• The authors receive requests to help system admins compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries
• Often, a group of system admins with similarly “orphaned” machines will put

You Added WHAT to Tripwire?
• The authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems

Mega & Micro - Tripwire
• Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups
• A configuration file consisting solely of “/” has proved adequate for some system administrators of smaller sites

CS Dept. & Tripwire
• Tripwire runs on all essential servers every night
• Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins
• Very usable out-of-the-box; took a staff member only 10 hours to set up
• Installed for 9 months - haven’t seen anything suspicious, Paco occasionally

Interactive Database Update
• Tripwire generates a list of all changes (as in integrity checking mode)
• Tripwire asks the system admin to specify which entries to update in the database file

Database Update Mode
• Tripwire regenerates database entries for a list of files or configuration entries given on the command line
• Tripwire instructs the system admin to move the new database to secure media

Configurability Aids
• Preprocessor support allows the system admin to write configuration files that support numerous configurations of machines
– Note: Machines that share a configuration file still generate their own database files
• Prefixes to the tw.config entries allow for pruning - a directory and/or its contents can be excluded from monitoring

Configurability Aids (Cont.)
• Example selection mask: +pinugsm12-a
– “Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to access timestamp.”
• Templates allow the system admin to quickly classify files into categories that use common sets of flags

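As an added example (Python; not Tripwire's own parser), the following code expands selection masks and templates the way the Selection Mask and Templates slides describe them, and resolves entries from the deck's Example tw.config, including the @@ifhost directive and the `!` and `=` pruning prefixes from the previous slide. The flag letters follow the Selection Mask slide; the template letters R and L appear in the deck's tw.config example, while N, E and `>` as letters for the "ignore nothing", "ignore everything" and "growing log files" templates, and every function and class name, are this example's assumptions.

```python
"""Selection masks, templates and tw.config entries in the style described on the slides.

Added example, not Tripwire's own parser. Flag letters follow the deck's Selection
Mask slide and template contents follow its Templates slide. R and L appear in the
deck's tw.config example; the letters N, E and '>' for 'ignore nothing', 'ignore
everything' and 'growing log files' are this example's assumption, as are all names.
"""
from dataclasses import dataclass
from typing import List, Optional

# one flag per inode field, as on the Selection Mask slide (digits: up to 10 signatures)
FLAG_NAMES = {
    "p": "permission and modes", "i": "inode number", "n": "number of links",
    "u": "user id", "g": "group id", "s": "size of the file",
    "m": "modification timestamp", "a": "access timestamp",
    **{d: f"signature {d}" for d in "0123456789"},
}
ALL_FLAGS = frozenset(FLAG_NAMES)


@dataclass(frozen=True)
class Mask:
    report: frozenset        # flags whose change is reported ('+'); all others are ignored ('-')
    grow_only: bool = False  # size increases tolerated, decreases still reported


TEMPLATES = {
    "R": Mask(ALL_FLAGS - {"a"}),                   # read-only: only the access timestamp ignored
    "L": Mask(frozenset("pinug")),                  # log: size, atime, mtime and signatures ignored
    ">": Mask(frozenset("pinugs"), grow_only=True), # growing log: as L, but a size decrease is reported
    "N": Mask(ALL_FLAGS),                           # ignore nothing
    "E": Mask(frozenset()),                         # ignore everything
}


def parse_mask(spec: str) -> Mask:
    """Expand 'R', 'L', '+pinugsm12-a' or 'R+12' into a Mask."""
    report, grow_only, rest = set(), False, spec
    if spec and spec[0] in TEMPLATES:  # optional template letter, then +/- modifiers
        base = TEMPLATES[spec[0]]
        report, grow_only, rest = set(base.report), base.grow_only, spec[1:]
    sign = "+"
    for ch in rest:
        if ch in "+-":
            sign = ch
        elif ch in FLAG_NAMES:
            (report.add if sign == "+" else report.discard)(ch)
        elif ch == ">":
            grow_only = sign == "+"
        else:
            raise ValueError(f"unknown selection-mask flag {ch!r} in {spec!r}")
    return Mask(frozenset(report), grow_only)


@dataclass(frozen=True)
class Entry:
    path: str
    mask: Optional[Mask]          # None: pruned with the '!' prefix
    directory_only: bool = False  # '=' prefix: the directory itself, not its contents


def parse_config(text: str, hostname: str) -> List[Entry]:
    """Read tw.config lines: '#' comments, unnested @@ifhost/@@endif, '!' and '=' prefixes."""
    entries, active = [], True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@@ifhost"):
            active = line.split(None, 1)[1] == hostname
        elif line == "@@endif":
            active = True
        elif active:
            fields = line.split()
            if fields[0].startswith("!"):
                entries.append(Entry(fields[0][1:], None))
            else:
                entries.append(Entry(fields[0].lstrip("="), parse_mask(fields[1]),
                                     fields[0].startswith("=")))
    return entries


def mask_for(path: str, entries: List[Entry]) -> Optional[Mask]:
    """The most specific (longest) matching entry decides; None means 'not monitored'."""
    best = None
    for e in entries:
        if path == e.path or path.startswith(e.path.rstrip("/") + "/"):
            if best is None or len(e.path) > len(best.path):
                best = e
    if best is None or best.mask is None:
        return None
    if best.directory_only and path != best.path:
        return None
    return best.mask


# the tw.config shown on the deck's 'Example tw.config' slide
EXAMPLE_TW_CONFIG = """\
# file/dir selection-mask
/etc R # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp # except for SVR4 printer logs
@@endif
/etc/passwd R+12 # you can't be too careful
/etc/mtab L #dynamic files
/etc/motd L
/etc/utmp L
=/var/tmp R # only the directory, not its contents
"""

if __name__ == "__main__":
    entries = parse_config(EXAMPLE_TW_CONFIG, "solaria.cs.purdue.edu")
    for p in ("/etc/passwd", "/etc/lp/logs/requests", "/etc/mtab", "/var/tmp", "/var/tmp/scratch"):
        m = mask_for(p, entries)
        print(p, "not monitored" if m is None else sorted(m.report))
```

Evaluating the same configuration with a different hostname makes the `!/etc/lp` line disappear, so the printer logs fall back to the `/etc R` entry; this is the sharing-one-file-across-hosts pattern the Mega & Micro slide mentions.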
Good News
• Seven reported cases of Tripwire alerting system administrators to intruders
• Dozens of cases of Tripwire being used as a system admin enforcement tool
• One reported case of Tripwire detecting a failing disk

Where are the Bad Guys?
• Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered break-ins in two years?
– Intruders have given up? Don’t you wish!
– Sites running Tripwire aren’t interesting? Nope
– Site admins aren’t telling? Maybe
– Tripwire sites are more security-conscious? Maybe

Bad Guys (Cont.)
• Sites have already been attacked
– maybe baseline databases are being generated on machines that have already been compromised
• Intruders have completely subverted integrity checking schemes
– it would be very hard for an intruder to alter a file in a way that preserves its original signature
