slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford PowerPoint Presentation
Download Presentation
Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

149 Views Download Presentation
Download Presentation

Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Experience with Tripwire:Using Integrity Checkers for Intrusion Detectionby Gene H. Kim and Eugene H. Spafford

  2. Presentation Outline • Motivation for Tripwire • Tripwire design • Experiences • Conclusion

  3. Motivation - A Scary Story • Ellen is system admin for large network • Ellen realizes someone has logged on as root on several machines • Sneaky intruder deleted all accounting & auditing files before logging out • Ellen’s concern: • Did intruder leave a backdoor (for re-entry)? • Was sensitive information compromised?

  4. Security Policy - Integrity of Data • Assure that file data (in permanent storage) are not altered except by those authorized to do so • More precisely, assure that if a file is altered improperly, that the alteration can be detected

  5. Tripwire • Gives system admins ability to monitor for added, deleted & modified files • Checks for changes in file attributes, e.g.: • size, • access & modification timestamps, • permissions, • inode number • signature (more on signature later)

  6. Ellen’s Challenge • How does Ellen determine which (if any!) files have been altered w/o authorization? • Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures • Ellen needs to examine every file as well as check for deleted or added files

  7. Checking Techniques • Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes • These methods are costly, prone to error and susceptible to easy spoofing • Intruders w/ root privileges can alter checklists or compromise utilities (eg “ls” • Changes to a file can be made w/out changing its length or checksum!

  8. Define Integrity of File Data • Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored? • Define it as a set of characteristics • Monitor change of those characteristics • Tripwire system is said to “enforce the integrity of file system” if unauthorized change to characteristics is detected

  9. The Ideal Integrity Checker ... • High level of automation • Simple description of attributes of the file system that are monitored/checked • Easy way to update database used to control monitoring - small changes shouldn’t require massive regeneration • Automate regular checks (use UNIX scheduler, cron); allow manual checks

  10. Ideal Integrity Checker cont. • Generate output that’s easy to scan • Allow specification of file system “exceptions” that are NOT reported • Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly)

  11. Tripwire Program Inputs • Configuration file (tw.config) • list of files & directories to be monitored • their associated selection mask (list attributes that can safely be ignored) • Database file --describes each “file” – automatically generated • set of file names, inode attribute values, signature info., associated tw.config entry

  12. Selection Mask Example: +pinugsm12-a • permission and modes inode number • number of links user id group id • size of the file modification timestamp • signature 1 signature 2 access timestamp • Flag for each distinct field in an inode • +  report change -  ignore the field

  13. Tripwire Component Overview newly generated database generate apply ignore-masks Tripwire report compare old database tw.config file Files residing on system

  14. Database Initialization Mode • Tripwire generates baseline database file based on tw.config • tw.config indicates • files to monitor • files to ignore (e.g. no recursion below directory with name “DDD”) • whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)

  15. Integrity Checking Mode • Generate new database • Compare new database with baseline db • Produce report of added & deleted files • Apply selection mask to modified files

  16. Signature Support • For each file – up to 10 signatures • What’s a signature? • Any pattern that “represents” the file • By default, MD5 and Snefru signatures are recorded and checked for each file

  17. Supported Platforms • Windows NT, version 4.0 • Solaris (SPARC), versions 2.6, 7.0 • Solaris (Intel), version 2.6, 7.0 • HP-UX, versions 10.20, 11.00 • IBM AIX, versions 4.2, 4.3 • SGI Irix, version 6.5 • Compaq TRU64 UNIX, version 4.0 • Linux

  18. Sample Ouput : ### Phase 1: Reading configuration file : ### Phase 2: Generating file list : ### Phase 3: Creating file information database : ### Phase 4: Searching for inconsistencies : ### : ### Total files scanned: 5143 : ### Files added: 0 : ### Files deleted: 0 : ### Files changed: 5 : ### : ### Total file violations: 5

  19. Sample Output Cont. changed: -rw-r--r-- root 3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab Phase 5: Generating observed/expected pairs for changed files Attr Observed (what it is) Expected (what it should be) /etc/dfs/dfstab st_size: 3384 3623 st_mtime: Wed Jan 12 14:39:27 2004 Tue Dec 14 12:22:20 2003 st_ctime: Wed Jan 12 14:39:27 2004 Tue Dec 14 12:22:20 2003 md5 (sig1): 3TZThlJJb5piwca4EHUnRy 2nGPSAY1loE5vlS.D1qhHL snefru (sig2): 1uKAb7andEuQOzAyXnFcfR 0hl1UxAEzEILB8jXtDsx4G

  20. Conclusion • Portable • Self-contained • Adaptable to large and small sites • Very restricted in what it sees -- only OS attribute changes of files • It has no clue as to what users are actually doing!

  21. The End

  22. Templates • read-only files: Only the access timestamp is ignored. • log files: Changes to the file size, access and modification timestamp, and signatures are ignored. • growing log files: Same flags as log files except increasing files sizes are ignored. • ignore nothing • ignore everything

  23. Example tr.config # file/dir selection-mask /etc R # all files under /etc @@ifhost !/etc/lp # except for SVR4 printer logs @@endif /etc/passwd R+12 # you can’t be too careful /etc/mtab L #dynamic files /etc/motd L /etc/utmp L =/var/tmp R # only the directory, not its contents

  24. You use Tripwire for what? • Many system admin. use Tripwire as a tool to enforce local policy - changes by one system admin. is noticed quickly by others • Tripwire helps salvage file systems not completely repaired by fsck - program that ensures consistency between file data and their inodes • a file can be rebound to its original name by searching the database for a matching signature

  25. Stealth-Tripwire • Several system admins. have tried very hard to conceal their use of Tripwire and don’t run it through programs like cron • Authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks

  26. Paranoia • Tripwire is designed to run on a regular basis, such as daily • Two reported cases of Tripwire being run hourly - not a good idea • Good paranoia - “plant” files on the system, such as master-passwords - prime targets for intruders

  27. Portability • Tripwire reported to be running on 28 different UNIX platforms • Only 8 example tw.config files necessary • Authors receive requests to help system admins. compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries • Often, a group of system admins. with similarly “orphaned” machines will put together a patch

  28. You Added WHAT to Tripwire? • Authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems

  29. Mega & Micro - Tripwire • Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups • A configuration file consisting solely of “/” has proved adequate for some system administrators of smaller sites

  30. CS Dept. & Tripwire • Tripwire runs on all essential servers every night • Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins. • Very usable out-of-the-box, took a staff member only 10 hours to set up • Installed for 9 months - haven’t seen anything suspicious, Paco occasionally checks to make sure it still runs at night

  31. Interactive Database Update • Tripwire generates list of all changes (ala integrity checking mode) • Tripwire asks system admin. to specify which entries to update in the database file

  32. Database Update Mode • Tripwire regenerates database entries for a list of files or configuration entries given on the command line • Tripwire instructs system admin to move new database to secure media

  33. Configurability Aids • Preprocessor support allows system admin. to write configuration files that support numerous configurations of machines • Note: Machines that share a configuration file still generate their own database files • Prefixes to the tw.config allow for pruning - a directory and/or its contents can be excluded from monitoring

  34. Configurability Aids (Cont.) • Example selection mask: +pinugsm12-a • “Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to access timestamp.” • Templates allow system admin. to quickly classify files into categories that use common sets of flags

  35. Good News • Seven reported cases of Tripwire alerting system administrators to intruders • Dozens of cases of Tripwire being used as a system admin. enforcement tool • One reported case of Tripwire detecting a failing disk

  36. Where are the Bad Guys? • Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered breakins in two years? • Intruders have given up? Don’t you wish! • Sites running Tripwire aren’t interesting? Nope • Site admins aren’t telling? Maybe • Tripwire sites are more security-conscious? Maybe

  37. Bad Guys (Cont.) • Sites have already been attacked • maybe baseline databases are being generated on machines that have already been compromised • Intruders have completely subverted integrity checking schemes • it would be very hard for an intruder to alter a file in a way that it preserves its original signature