1 / 37

Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford. Presentation Outline. Motivation for Tripwire Tripwire design Experiences Conclusion. Motivation - A Scary Story. Ellen is system admin for large network

Download Presentation

Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Experience with Tripwire:Using Integrity Checkers for Intrusion Detectionby Gene H. Kim and Eugene H. Spafford

  2. Presentation Outline • Motivation for Tripwire • Tripwire design • Experiences • Conclusion

  3. Motivation - A Scary Story • Ellen is system admin for large network • Ellen realizes someone has logged on as root on several machines • Sneaky intruder deleted all accounting & auditing files before logging out • Ellen’s concern: • Did intruder leave a backdoor (for re-entry)? • Was sensitive information compromised?

  4. Security Policy - Integrity of Data • Assure that file data (in permanent storage) are not altered except by those authorized to do so • More precisely, assure that if a file is altered improperly, that the alteration can be detected

  5. Tripwire • Gives system admins ability to monitor for added, deleted & modified files • Checks for changes in file attributes, e.g.: • size, • access & modification timestamps, • permissions, • inode number • signature (more on signature later)

  6. Ellen’s Challenge • How does Ellen determine which (if any!) files have been altered w/o authorization? • Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures • Ellen needs to examine every file as well as check for deleted or added files

  7. Checking Techniques • Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes • These methods are costly, prone to error and susceptible to easy spoofing • Intruders w/ root privileges can alter checklists or compromise utilities (eg “ls” • Changes to a file can be made w/out changing its length or checksum!

  8. Define Integrity of File Data • Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored? • Define it as a set of characteristics • Monitor change of those characteristics • Tripwire system is said to “enforce the integrity of file system” if unauthorized change to characteristics is detected

  9. The Ideal Integrity Checker ... • High level of automation • Simple description of attributes of the file system that are monitored/checked • Easy way to update database used to control monitoring - small changes shouldn’t require massive regeneration • Automate regular checks (use UNIX scheduler, cron); allow manual checks

  10. Ideal Integrity Checker cont. • Generate output that’s easy to scan • Allow specification of file system “exceptions” that are NOT reported • Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly)

  11. Tripwire Program Inputs • Configuration file (tw.config) • list of files & directories to be monitored • their associated selection mask (list attributes that can safely be ignored) • Database file --describes each “file” – automatically generated • set of file names, inode attribute values, signature info., associated tw.config entry

  12. Selection Mask Example: +pinugsm12-a • permission and modes inode number • number of links user id group id • size of the file modification timestamp • signature 1 signature 2 access timestamp • Flag for each distinct field in an inode • +  report change -  ignore the field

  13. Tripwire Component Overview newly generated database generate apply ignore-masks Tripwire report compare old database tw.config file Files residing on system

  14. Database Initialization Mode • Tripwire generates baseline database file based on tw.config • tw.config indicates • files to monitor • files to ignore (e.g. no recursion below directory with name “DDD”) • whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)

  15. Integrity Checking Mode • Generate new database • Compare new database with baseline db • Produce report of added & deleted files • Apply selection mask to modified files

  16. Signature Support • For each file – up to 10 signatures • What’s a signature? • Any pattern that “represents” the file • By default, MD5 and Snefru signatures are recorded and checked for each file

  17. Supported Platforms • Windows NT, version 4.0 • Solaris (SPARC), versions 2.6, 7.0 • Solaris (Intel), version 2.6, 7.0 • HP-UX, versions 10.20, 11.00 • IBM AIX, versions 4.2, 4.3 • SGI Irix, version 6.5 • Compaq TRU64 UNIX, version 4.0 • Linux

  18. Sample Ouput : ### Phase 1: Reading configuration file : ### Phase 2: Generating file list : ### Phase 3: Creating file information database : ### Phase 4: Searching for inconsistencies : ### : ### Total files scanned: 5143 : ### Files added: 0 : ### Files deleted: 0 : ### Files changed: 5 : ### : ### Total file violations: 5

  19. Sample Output Cont. changed: -rw-r--r-- root 3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab Phase 5: Generating observed/expected pairs for changed files Attr Observed (what it is) Expected (what it should be) /etc/dfs/dfstab st_size: 3384 3623 st_mtime: Wed Jan 12 14:39:27 2004 Tue Dec 14 12:22:20 2003 st_ctime: Wed Jan 12 14:39:27 2004 Tue Dec 14 12:22:20 2003 md5 (sig1): 3TZThlJJb5piwca4EHUnRy 2nGPSAY1loE5vlS.D1qhHL snefru (sig2): 1uKAb7andEuQOzAyXnFcfR 0hl1UxAEzEILB8jXtDsx4G

  20. Conclusion • Portable • Self-contained • Adaptable to large and small sites • Very restricted in what it sees -- only OS attribute changes of files • It has no clue as to what users are actually doing!

  21. The End

  22. Templates • read-only files: Only the access timestamp is ignored. • log files: Changes to the file size, access and modification timestamp, and signatures are ignored. • growing log files: Same flags as log files except increasing files sizes are ignored. • ignore nothing • ignore everything

  23. Example tr.config # file/dir selection-mask /etc R # all files under /etc @@ifhost solaria.cs.purdue.edu !/etc/lp # except for SVR4 printer logs @@endif /etc/passwd R+12 # you can’t be too careful /etc/mtab L #dynamic files /etc/motd L /etc/utmp L =/var/tmp R # only the directory, not its contents

  24. You use Tripwire for what? • Many system admin. use Tripwire as a tool to enforce local policy - changes by one system admin. is noticed quickly by others • Tripwire helps salvage file systems not completely repaired by fsck - program that ensures consistency between file data and their inodes • a file can be rebound to its original name by searching the database for a matching signature

  25. Stealth-Tripwire • Several system admins. have tried very hard to conceal their use of Tripwire and don’t run it through programs like cron • Authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks

  26. Paranoia • Tripwire is designed to run on a regular basis, such as daily • Two reported cases of Tripwire being run hourly - not a good idea • Good paranoia - “plant” files on the system, such as master-passwords - prime targets for intruders

  27. Portability • Tripwire reported to be running on 28 different UNIX platforms • Only 8 example tw.config files necessary • Authors receive requests to help system admins. compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries • Often, a group of system admins. with similarly “orphaned” machines will put together a patch

  28. You Added WHAT to Tripwire? • Authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems

  29. Mega & Micro - Tripwire • Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups • A configuration file consisting solely of “/” has proved adequate for some system administrators of smaller sites

  30. CS Dept. & Tripwire • Tripwire runs on all essential servers every night • Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins. • Very usable out-of-the-box, took a staff member only 10 hours to set up • Installed for 9 months - haven’t seen anything suspicious, Paco occasionally checks to make sure it still runs at night

  31. Interactive Database Update • Tripwire generates list of all changes (ala integrity checking mode) • Tripwire asks system admin. to specify which entries to update in the database file

  32. Database Update Mode • Tripwire regenerates database entries for a list of files or configuration entries given on the command line • Tripwire instructs system admin to move new database to secure media

  33. Configurability Aids • Preprocessor support allows system admin. to write configuration files that support numerous configurations of machines • Note: Machines that share a configuration file still generate their own database files • Prefixes to the tw.config allow for pruning - a directory and/or its contents can be excluded from monitoring

  34. Configurability Aids (Cont.) • Example selection mask: +pinugsm12-a • “Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to access timestamp.” • Templates allow system admin. to quickly classify files into categories that use common sets of flags

  35. Good News • Seven reported cases of Tripwire alerting system administrators to intruders • Dozens of cases of Tripwire being used as a system admin. enforcement tool • One reported case of Tripwire detecting a failing disk

  36. Where are the Bad Guys? • Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered breakins in two years? • Intruders have given up? Don’t you wish! • Sites running Tripwire aren’t interesting? Nope • Site admins aren’t telling? Maybe • Tripwire sites are more security-conscious? Maybe

  37. Bad Guys (Cont.) • Sites have already been attacked • maybe baseline databases are being generated on machines that have already been compromised • Intruders have completely subverted integrity checking schemes • it would be very hard for an intruder to alter a file in a way that it preserves its original signature

More Related