10/06
Presentation Outline
Motivation - A Scary Story
Ellen is the system admin for a large network
Ellen realizes someone has logged on as
root on several machines
The sneaky intruder deleted all accounting &
auditing files before logging out
Ellen’s concern:
– Did intruder leave a backdoor (for re-entry)?
– Was sensitive information compromised?
Security Policy - Integrity of Data
Tripwire
Gives system admins the ability to monitor
for added, deleted & modified files
Checks for changes in file attributes, e.g.:
– size,
– access & modification timestamps,
– permissions,
– inode number
– signature (more on signature later)
Ellen’s Challenge
How does Ellen determine which (if any!)
files have been altered w/o authorization?
Tens of thousands of files in dozens of
gigabytes of disk on dozens of different
architectures
Ellen needs to examine every file as well
as check for deleted or added files
Checking Techniques
Established techniques: maintaining
checklists, comparison copies, checksum
records or backup tapes
These methods are costly, prone to error
and susceptible to easy spoofing
Intruders w/ root privileges can alter
checklists or compromise the checking utilities (e.g. "ls")
Changes to a file can be made w/out
changing its length or a simple checksum!
Define Integrity of File Data
Can we define a notion of the integrity of
both data and the file structure (including
directories) in which that data is stored?
Define it as a set of characteristics
Monitor change of those characteristics
The Tripwire system is said to "enforce the
integrity of the file system" if any unauthorized
change to those characteristics is detected
The Ideal Integrity Checker ...
High level of automation
Simple description of attributes of the
file system that are monitored/checked
Easy way to update database used to
control monitoring - small changes
shouldn’t require massive regeneration
Automate regular checks (use the UNIX
scheduler, cron); allow manual checks
Ideal Integrity Checker cont.
Tripwire Program Inputs
Configuration file (tw.config)
– list of files & directories to be monitored
– their associated selection mask (lists the
attributes to report and those that can safely be ignored)
Database file -- describes each monitored file;
automatically generated
– set of file names, inode attribute values,
signature info., associated tw.config entry
Selection Mask
Example: +pinugsm12-a
(diagram: the flag letters annotated, e.g. p = permission and modes, i = inode number)
Tripwire Component Overview
(diagram: tw.config -> generate -> newly generated database; old database file and newly generated database -> apply ignore-masks -> compare -> report)
Database Initialization Mode
Tripwire generates baseline database file
based on tw.config
tw.config indicates
– files to monitor
– files to ignore (e.g. no recursion below
directory with name “DDD”)
– whether to ignore file size change (e.g.
ignore increase in log files, but report
decrease!!!)
Integrity Checking Mode
Signature Support
For each file – up to 10 signatures
What’s a signature?
Any pattern that “represents” the file
– By default, MD5 and Snefru signatures are
recorded and checked for each file
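The Checking Techniques slide warns that a file can be changed without changing its length or checksum, and the Signature Support slide is Tripwire's answer: record cryptographic signatures rather than a simple checksum. The Python below is an added example written to demonstrate that warning; it is not code from the slides or from Tripwire. The configuration file, its contents and the 16-bit additive checksum are constructed for the demonstration, and SHA-256 is assumed as the second signature in place of Snefru, which Python's standard library does not provide.

```python
import hashlib

# Constructed sample "configuration file"; not from the slides.
ORIGINAL = b"allow_root_login = no\ntrusted_hosts = admin.example.net\n"


def additive_checksum(data: bytes) -> int:
    """A simple 16-bit additive checksum: order-independent, so any
    rearrangement of the same bytes produces the same value."""
    return sum(data) & 0xFFFF


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Exchange the bytes at positions i and j.  The length and the multiset
    of byte values (hence the additive checksum) are unchanged."""
    b = bytearray(data)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def forge(data: bytes) -> bytes:
    """Turn 'allow_root_login = no' into '... = on' with one adjacent swap:
    a meaningful change to whatever reads the file, invisible to a checklist
    that records only size and a simple checksum."""
    i = data.index(b"= no") + 2
    return swap_bytes(data, i, i + 1)


def signatures(data: bytes) -> dict:
    """Attributes an integrity checker might record for the file.  SHA-256 is
    an assumed stand-in for Snefru."""
    return {"length": len(data), "sum16": additive_checksum(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def detected_by(original: bytes, modified: bytes) -> dict:
    """True for each attribute that actually notices the change."""
    a, b = signatures(original), signatures(modified)
    return {k: a[k] != b[k] for k in a}


if __name__ == "__main__":
    forged = forge(ORIGINAL)
    print(forged.decode(), detected_by(ORIGINAL, forged))
```

Only the cryptographic signatures flag the forged file; length and the additive checksum agree with the baseline. This is exactly why the deck records MD5 and Snefru per file rather than relying on checksum records, and why a template that ignores signatures (the log-file template) should be reserved for files whose content an intruder gains nothing by editing.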
Supported Platforms
Windows NT, version 4.0
Solaris (SPARC), versions 2.6, 7.0
Solaris (Intel), versions 2.6, 7.0
HP-UX, versions 10.20, 11.00
IBM AIX, versions 4.2, 4.3
SGI Irix, version 6.5
Compaq TRU64 UNIX, version 4.0
Linux
Sample Output
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 5143
### Files added: 0
### Files deleted: 0
### Files changed: 5
###
### Total file violations: 5
Sample Output Cont.
changed: -rw-r--r-- root 3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab
Phase 5: Generating observed/expected pairs for changed files
Attr             Observed (what it is)        Expected (what it should be)
/etc/dfs/dfstab
  st_size:       3384                         3623
  st_mtime:      Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
  st_ctime:      Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
  md5 (sig1):    3TZThlJJb5piwca4EHUnRy       2nGPSAY1loE5vlS.D1qhHL
  snefru (sig2): 1uKAb7andEuQOzAyXnFcfR       0hl1UxAEzEILB8jXtDsx4G
Conclusion
Portable
Self-contained
Adaptable to large and small sites
Very restricted in what it sees -- only OS
attribute changes of files
It has no clue as to what users are
actually doing!
The End
Templates
– read-only files: Only the access timestamp
is ignored.
– log files: Changes to the file size, access
and modification timestamp, and
signatures are ignored.
– growing log files: Same flags as log files,
except that only increases in file size are ignored (a decrease is reported).
– ignore nothing
– ignore everything
Example tw.config
# file/dir selection-mask
/etc R # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp # except for SVR4 printer logs
@@endif
/etc/passwd R+12 # you can’t be too careful
/etc/mtab L #dynamic files
/etc/motd L
/etc/utmp L
=/var/tmp R # only the directory, not its contents
You use Tripwire for what?
Many system admins use Tripwire as a
tool to enforce local policy - changes by
one system admin are noticed quickly by
others
Tripwire helps salvage file systems not
completely repaired by fsck - the program
that ensures consistency between file
data and their inodes
– a file can be rebound to its original name by
searching the database for a matching
signature
Stealth-Tripwire
Paranoia
Portability
Tripwire is reported to be running on 28
different UNIX platforms
Only 8 example tw.config files are
needed
Authors receive requests to help system
admins compile Tripwire on machines
they have never heard of - such as one
only sold in Australia that came with
incorrect system libraries
Often, a group of system admins with
similarly "orphaned" machines will put
You Added WHAT to Tripwire?
Authors received a report from a user
who was adding support for Intel
machines running UNIX to allow
Tripwire to check mounted MS-DOS file
systems
Mega & Micro - Tripwire
Database Update Mode
Configurability Aids
Preprocessor support allows system
admin. to write configuration files that
support numerous configurations of
machines
– Note: Machines that share a configuration
file still generate their own database files
Prefixes to the tw.config allow for
pruning - a directory and/or its contents
can be excluded from monitoring
Configurability Aids (Cont.)
Example selection mask: +pinugsm12-a
– “Report changes in permission and modes,
inode number, number of links, user id,
group id, size of the file, modification
timestamp, and signatures 1 and 2.
Disregard changes to access timestamp.”
Templates allow system admin. to
quickly classify files into categories that
use common sets of flags
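The Selection Mask, Templates, Example tw.config, Database Initialization Mode and Integrity Checking Mode slides, together with the Configurability Aids slides above, describe one procedure: expand each entry's selection mask, record the chosen inode attributes and signatures per file, then rescan and report added, deleted and changed files with observed/expected pairs for the attributes the mask says to watch. The Python below is an added example written for this page, not Tripwire's own code, that implements that procedure over a constructed directory tree. Assumptions: the template letters R, L, N, E and the growing-log '>' flag, and their expansions, are assumed in Tripwire 1.x style rather than taken from the slides; SHA-256 stands in for Snefru as signature 2; only the '!' pruning prefix of tw.config is implemented (not '=' or the @@ preprocessor); and the file names and contents in demo() are made up.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Template expansions are ASSUMED in Tripwire 1.x style, not taken from the deck.
# Letters: p perms, i inode, n links, u uid, g gid, s size, a atime, m mtime,
# c ctime, 1/2 signatures; '>' means "size may grow, report only a decrease".
TEMPLATES = {
    "R": "+pinugsm12-a",   # read-only files: ignore only the access timestamp
    "L": "+pinug-sam12",   # log files: ignore size, atime, mtime and signatures
    ">": "+pinug>-sam12",  # growing log files: as L, but report a size decrease
    "N": "+pinugsamc12", "E": "-pinugsamc12",   # ignore nothing / everything
}


def parse_mask(mask: str) -> set:
    """Expand 'R', 'L', 'R+12', '+pinugsm12-a', ... into the set of attribute
    letters to report: '+' adds, '-' removes, a leading template is expanded."""
    if mask and mask[0] in TEMPLATES:
        mask = TEMPLATES[mask[0]] + mask[1:]
    checked, adding = set(), True
    for ch in mask:
        if ch in "+-":
            adding = ch == "+"
        elif adding:
            checked.add(ch)
        else:
            checked.discard(ch)
    return checked


def describe(path: Path) -> dict:
    """Inode attributes keyed by mask letter, plus MD5 (sig 1) and SHA-256
    (sig 2, standing in for Snefru) for regular files."""
    st = path.lstat()
    d = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
         "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
         "a": st.st_atime_ns, "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    if path.is_file():
        data = path.read_bytes()
        d["1"] = hashlib.md5(data).hexdigest()
        d["2"] = hashlib.sha256(data).hexdigest()
    return d


def generate_database(root: Path, config: list) -> dict:
    """Database initialization mode.  config holds (entry, mask) pairs in
    tw.config order; '!' prunes a subtree, and later entries override earlier
    ones, so '/etc R' followed by '/etc/motd L' gives motd the L mask."""
    pruned = [root / e.lstrip("!/") for e, _ in config if e.startswith("!")]
    db = {}
    for entry, mask in config:
        base = root / entry.lstrip("!/")
        if entry.startswith("!") or not base.exists():
            continue
        for p in [base, *base.rglob("*")] if base.is_dir() else [base]:
            if any(p == x or x in p.parents for x in pruned):
                continue
            db[str(p.relative_to(root))] = (parse_mask(mask), describe(p))
    return db


def check(root: Path, config: list, old_db: dict) -> dict:
    """Integrity checking mode: rescan, then report added and deleted names and,
    per changed file, {attr: (observed, expected)} for attributes in its mask."""
    new_db = generate_database(root, config)
    report = {"added": sorted(set(new_db) - set(old_db)),
              "deleted": sorted(set(old_db) - set(new_db)), "changed": {}}
    for name in set(new_db) & set(old_db):
        mask, old = old_db[name]
        new, diffs = new_db[name][1], {}
        for attr in mask:
            if attr == ">" and new["s"] < old["s"]:
                diffs["s"] = (new["s"], old["s"])    # log file was truncated
            elif attr in old and new[attr] != old[attr]:
                diffs[attr] = (new[attr], old[attr])
        if diffs:
            report["changed"][name] = diffs
    return report


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in {"etc/passwd": "root:x:0:0::/:/bin/sh\n",
                          "etc/hosts": "127.0.0.1 localhost\n",
                          "etc/motd": "welcome\n", "etc/lp/printers": "lp0\n",
                          "var/log/messages": "boot ok\nlogin ok\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        config = [("/etc", "R"), ("!/etc/lp", ""), ("/etc/motd", "L"), ("/var/log", ">")]
        baseline = generate_database(root, config)
        # Tamper: a second uid-0 account, a new file, a deletion, a harmless
        # motd rewrite, an edit under the pruned directory, a truncated log.
        (root / "etc/passwd").write_text("root:x:0:0::/:/bin/sh\ntoor:x:0:0::/:/bin/sh\n")
        (root / "etc/backdoor").write_text("#!/bin/sh\n")
        (root / "etc/hosts").unlink()
        (root / "etc/motd").write_text("hello\n")
        (root / "etc/lp/printers").write_text("lp1\n")
        (root / "var/log/messages").write_text("")
        return check(root, config, baseline)
```

Running demo() reports etc/backdoor as added, etc/hosts as deleted, etc/passwd as changed (size, modification time and both signatures differ) and var/log/messages as changed only because its size decreased; the rewrite of etc/motd is silent because the L template ignores size, timestamps and signatures, and etc/lp/printers never enters the database because its directory is pruned. The caveat the design carries: a mask that ignores signatures hides any content edit to that file, and the baseline is only as trustworthy as the machine and the moment at which it was generated.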
Good News
Seven reported cases of Tripwire
alerting system administrators to
intruders
Dozens of cases of Tripwire being used
as a system admin. enforcement tool
One reported case of Tripwire detecting
a failing disk
Where are the Bad Guys?
Out of thousands of machines running
Tripwire, why only 7 Tripwire-discovered
break-ins in two years?
– Intruders have given up? Don’t you wish!
– Sites running Tripwire aren’t interesting?
Nope
– Site admins aren’t telling? Maybe
– Tripwire sites are more security-conscious?
Maybe
Bad Guys (Cont.)
Sites have already been attacked
– maybe baseline databases are being
generated on machines that have already
been compromised
Intruders have completely subverted
integrity checking schemes
– unlikely: it would be very hard for an intruder to
alter a file in a way that preserves its
original signatures