Unlocking the Potential of the Cloud for IBM Power Systems
How Tripwire Automates File System Integrity Checks
1. 1
TRIPWIRE
How Tripwire software is effective to automate the process of
verifying file system integrity on a machine.
FITSUM R. LAKEW
INFA – 630
Prof. Jeff Clark
November 21, 2010
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
3. 3
TRIPWIRE
How Tripwire software is effective to automate the process of verifying file
system integrity on a machine.
Abstract
Security in computer systems is vital in protecting the integrity of stored
information. The file system provides a mechanism that can be used for storage
purposes. This mechanism can also be used to access data and programs in a
computer system. Information residing on a file system is valuable and should be
monitored for unauthorized and unexpected changes to protect the system
against intrusion. In a network platform, monitoring these changes becomes quite
a daunting task. Tripwire is a tool that aids UNIX system administrators to check
for any changes that are made on a selective set of files, directories, and
databases (Northcutt & Novack, 2002). It notifies the system administrator
whenever files have been altered or corrupted. This enables the system
administrator can take action in a timely manner. This paper will describe the
intrusion detection mechanism provided by Tripwire. It will also outline the design
and implementation of Tripwire. It will explore the advantages of using Tripwire to
automate the process of verifying file system integrity on a machine. It will also
explore the software’s limitations. This paper will prove Tripwire’s effectiveness in
detecting altered or corrupted files.
4. 4
TRIPWIRE
Introduction
Tripwire refers to software that confirms the integrity of a system. It is a
utility that compares the properties of specific files and directories against data
that has been stored in an archive. Tripwire creates software that allows users to
edit and configure a system’s overall security. Bejtlich (2005) argues that Tripwire
is a toll that can be used to detect corrupted files. Tripwire can also serve as an
archive for files and folders that have been disorganized. Tripwire is a tool that
informs the user about changes in the system (Northcutt & Novack, 2002).
Reports from the software are usually sent in an XML or HTML format
(Northcutt & Novack, 2002). This enables a user to access the data from a web
browser.
Tripwire took 12 months to develop. Open Source Tripwire was an original
version of the software. It was created using a code that was designed by
Tripwire Incorporated (Bejtlich, 2005). It was initially free. Police officers and
private security firms use it. It is still used to alert people about file changes that
occur in a wide variety of systems. Private organizations can also use tripwire. It
can be used to keep track of privately owned servers. It can update the user
through daily e-mail.
5. 5
TRIPWIRE
Functional Applicability
Tripwire can be used as an intrusion detection system that is governed by
a host. Network bases do not restrict it. It notifies the user concerning the
changes that may occur in file system objects (Bejtlich, 2005).
Tripwire lets the user know whether the server has been compromised. It
employs the use of an e-mail alert system this system is activated once the
software detects a problem. Tripwire detects specific anomalies in the system. It
allows the user to determine the specific files that may have been compromised
(Northcutt & Novack, 2002). Administrators will know which actions to take once
Tripwire alerts them about changes in the system. Servers that have been
corrupted can therefore be removed from the network.
“The single most important time efficiency issue with Tripwire is the lack of a
report history mechanism, which would drastically reduce the number of reports.
For instance, a dozen systems being checked three times per day can result in
over 1000 reports per month, any one of which could contain the critical
information the tool is supposed to detect. Even the most careful tuning cannot
prevent this; for instance, the installation or modification of a large software
package may suddenly result in a large report that will continue until the
administrator has time to do a database update.” (Arnold, 2001)
Tripwire allows users to monitor the progress of their servers. It can be
used to detect the installation of unauthorized software (Bejtlich, 2005). Trost
6. 6
TRIPWIRE
(2009) asserts that Tripwire can also verify a system’s compliance with regard to
the user’s security policy. The software can operate as an archive. Tripwire’s
archive can be compared with other systems for the sake of compatibility.
Northcutt & Novack (2002) state that tripwire can be used to recover lost files
and folders. It can also be used to assess the damage that may have been
caused within a given server. Tripwire provides the user with options that are
based on the changes that have been detected within a given system. The
information retrieved from Tripwire’s damage report can be used to prepare the
user for similar problems in the future.
Once Tripwire has been activated, it scans all the files within a given
database. Tripwire employs cryptographic hashes in order to detect anomalies in
a file. These hashes are used to filter components of the file that may not be
needed.
A user can access particular files and folders by adjusting the tripwire
configuration. Tripwire can be tweaked to target particular files in the system’s
database. This process operates like a filter. A user can customize the scanning
process in order to save time and resources.
Tripwire can be used on specific servers. It can be applied to an entire
network. It can also run as a centralized system (Trost, 2009). It can also be
used to test the integrity of Windows VFAT file systems like FAT 32 AND FAT 16
(Bejtlich, 2005).
7. 7
TRIPWIRE
Tripwire is not restricted to a particular format. It is portable and dynamic. It
runs on several UNIX variations. Its programs can therefore be shared among
different systems. Tripwire’s database files are easy to read. This is because
they are encoded using a standard ASCII format (Trost, 2009). The ASCII format
enables files to be read on different platforms.
Tripwire is a form of self-sufficient software. A user can run Tripwire
program without the use of outside programs (Bejtlich, 2005). This enables
administrators to secure the privacy of their customers.
Host-based intrusions can be detected by monitoring changes within the
file system (Trost, 2009). Tripwire is therefore the best software a user can
employ to detect anomalies within a given system. Administrators can also use
the software to take note of unauthorized modifications within a given network
(Bejtlich, 2005).
Hackers are hardly ever detected. Tripwire can be used to alert
administrators whenever the system’s security is compromised. Myers (2000)
states the following:
Intrusion Detection involves detecting unauthorized access and
destructive activity on your computer system. Intrusion Detection is a clear
requirement for all e-commerce merchants. According to the annual study
released March 22, 2000 by the Computer Security Institute and the FBI,
90% of the survey respondents detected a computer security breach
8. 8
TRIPWIRE
within the last twelve months. The study showed that the most serious
financial losses were caused by activities that concern e-commerce
merchants directly: theft of proprietary information (e.g., stealing customer
credit card numbers), and financial fraud (e.g., setting up a bogus
storefront).
For e-commerce merchants, the focus of Intrusion Detection is on the
web servers, and their associated database management systems. E-
commerce requires that the web servers communicate quickly and
accurately with large databases of product and customer information. To
optimize performance, these critical databases are, in most cases, placed
on the same network segment as the web server, or even on the web
server machine itself. For malicious hackers, this is a tempting prize. For
hard-core cyber criminals, these databases are pay dirt. They will break in
to the web server, gain administrator-level access, locate the database,
and then go to work on breaking into the database and downloading
customer information.
This does happen. As a matter of fact, it happens more often than most of
us will ever know, because the merchants who suffer break-ins often do
not report them, or they report them to law enforcement agencies who do
not publicize information while cases are under investigation. According to
an Associated Press report released March 24, 2000, "Two 18-year-old
boys were arrested in Wales, United Kingdom, on charges of breaking into
9. 9
TRIPWIRE
electronic commerce Internet sites in five countries and stealing
information on 26,000 credit card accounts, the FBI said today." Such
reports cause me to wonder how many such exploits are not being caught.
And one can only marvel at the use of the term "boys". Why is an 18
year-old who commits armed robbery a "man", and one who violates the
financial integrity of 26,000 innocents a "boy". The young men who
probably spent many months planning and executing this crime are not
seen as real criminals, just misguided youth. This seems to be a naive
assumption.
Setting up the most secure website possible is the social, and potentially
legal responsibility of every e-commerce merchant who either solicits,
processes, or stores confidential customer information. Further, and
perhaps more convincing, a secure website is also a business
imperative. There is no quicker way to lose customer confidence than to
lose their credit card information (Myers, 2000).
Limitations
Tripwire reports are long. They are therefore tedious to analyze. Reading
reports from Tripwire can be a cumbersome process. It is a time-consuming
endeavor. Trost (2009) argues that Tripwire is outdated software. Its coding
system is archaic. A server can function effectively without Tripwire. An antivirus
10. 10
TRIPWIRE
is generally more effective. The user has the option to restore or delete corrupted
files using an antivirus.
Tripwire forces the user to deal with changes that may occur on a frequent
basis. For example, if a file is altered after an auditing session, the Tripwire
software will alert the user. This forced the administrator to deal with trivial
changes to the system. Minor changes can therefore go unnoticed. Arnold (2001)
states the following:
Tripwire is much like the fabled elephant and the blind men: how you feel
about it depends on the perspective from which you approach it. A person
who has successfully used Tripwire to detect cracked binaries and/or
system miss configurations will have nothing but praise for it. On the other
hand, someone who has been "stuck in the trenches" reading through
endless reports in an attempt to find problems, will think that it's a labor-
intensive waste of time. Minimizing the labor required dictates that reports
be as brief, and as infrequent, as they possibly can be made. Using
Tripwire on a day-to-day basis can be an uncreative and essentially boring
activity. On the other hand, if one can reduce the torrent of data that
Tripwire provides, and makes it simpler to use than it is "out of the box",
then using it can become bearable (if not necessarily palatable.)
Fortunately, it is possible to reduce the time and effort required to
administer Tripwire, as the next section of this discussion will illustrate
(Arnold, 2001).
11. 11
TRIPWIRE
The tripwire database has to be updated on a regular basis (Trost, 2009).
Changes made to a system’s files prompt the user to update the software.
Tripwire restricts users to a strict policy. There are terms and conditions that
must be followed in order to use Tripwire effectively.
The user is forced to resolve the system’s problems without the use of
Tripwire. Tripwire does not remove malicious files. It does not get rid of viruses.
The user is forced to do this without the use of Tripwire.
According to Bejtlich (2005), Tripwire is fallible. Computer hackers can still
access private files under the right circumstances. Tripwire does not serve the
user as an antivirus. Trost (2009) argues that tripwire is not a firewall. It only
compliments other security solutions. It cannot be used to restore a computer’s
operating system (Bejtlich, 2005).
Tripwire auditing must be done on a regular basis. It is a time-consuming
process. The user is forced to do the work manually. File system auditing
requires the use of unauthorized system resources. Tripwire does not allow the
user to access these resources. The system therefore functions at a slower pace.
Tripwire installation is restricted to ‘fresh’ systems. Installing Tripwire on a
network is a long and cumbersome process.
Only one user can install tripwire. This makes the installation process
difficult. Tripwire also forces the administrator to format the system before
12. 12
TRIPWIRE
installation. Corrupted files can be ignored after Tripwire is installed.
Administrators are therefore forced to install the software twice.
Installing Tripwire
Installing Tripwire is a simple process. There are many ways to install
Tripwire. An administrator can use his distribution’s package manager to
download and install the software (Bejtlich, 2005). An administrator can also
access the software through the Open Source Tripwire Project online.
The installation process is mainly automatic. The user affirmatively clicks
on taskbars in order to authorize the procedure. Linux distributors sometimes
provide a utility that can be used to configure a given system (Bejtlich, 2005).
They provide the user with setup scripts that can be used to install the software.
Activating Tripwire
Tripwire is activated using a ‘check’ key. The process can be automated
by employing an integrity check. The user can then create a chronological job
entry. This ensures that the system is checked regularly. This process requires
the user to edit the system’s directory. Alternatively, the user can add an
appropriate script to the directory (Bejtlich, 2005). The file should then be edited
by adding a line for the execution of a tripwire check.
13. 13
TRIPWIRE
Tripwire can also be activated if the software is run from another machine
on the same network. This keeps hackers at bay. (Trost, 2009) suggests that the
crontab line should have the following line where the host name is located:
0 2 * * * ssh-n-1 root target-host /usr/sbin/tripwire â€"check
Most scholars advice users to make soft copies of their tripwire binary
(Kohlenberg, Beale & Baker, 2007). The program can be run from the soft
copy. For this procedure, the twcfg.txt file should be edited before the user
signs in. Kohlenberg, Beale & Baker (2007) advise users to make the
following changes to their /etc/twcfg.txt file:
ROOT=/mnt/cdrom
SITEKEYFILE=/mnt/cdrom/site.key
LOCALKEYFILE=/mnt/cdrom/host-local.key
Bejtlich (2005) suggests that this process is only applicable to CDROMs
that mount at mnt/cdrom.
Users should then sign the modified file and generate the Tripwire file. The
CD-R can be removed when the process is complete. Tripwire checks can then
be done by mounting the CD-R that contains the Tripwire binary (Northcutt &
Novack, 2002).
14. 14
TRIPWIRE
The executable binary should be stored in a non-writable storage device. This
is done to protect the codes. The tripwire database can be updated by issuing
the following commands:
# LASTREPORT=`ls -1t /var/lib/tripwire/report/host-*.twr |head -1`
# tripwire --update --twrfile "LASTREPORT"
Tripwire creates an archive of the most commonly accessed files and
folders in a server (Northcutt & Novack, 2002). The user is therefore able to
compare these files to the ones on his or her hard drive. This process can be
used to identify files that may have been stolen or corrupted.
Tripwire is composed of an Open Source and a commercial version of the
software. It is made up of four major components (Trost, 2009). These include
the policy files, the database, the configuration files and the report files.
The configuration file houses regulations that govern the e-mail notification
system. It also houses the Tripwire files as well as the server’s miscellaneous
data. Tripwire allows the user to customize the software settings. The Tripwire
software can also be used to make notifications based on the user’s settings.
Scanning the system creates report files (Kohlenberg, Beale & Baker, 2007).
These reports inform the user about specific changes to the system.
15. 15
TRIPWIRE
Conclusion
Trost (2009) argues that despite its limitations, Tripwire is still an effective
tool that that can be used to increase a system’s security. Tripwire is relatively
effective. Administrators should therefore employ the use of an antivirus. Tripwire
cannot get rid of corrupted files without the user’s consent. Kohlenberg, Beale &
Baker (2007) advise administrators to invest in several integrity-auditing tools for
their system. This will ensure that the system runs at optimum efficiency.
16. 16
TRIPWIRE
References
Arnold, E. R. (2001). The Trouble with Tripwire. Retrieved from:
http://www.symantec.com/connect/articles/trouble-tripwire
Bejtlich, R. (2005). Extrusion Detection. Security Monitoring for Internal
Intrusions, 47(1), 37-107.
Kohlenberg, T., Beale, J., Baker, A. R. (2007). Snort IDS and IPS Toolkit with
CDROM. Intrusion Detection, 10(1), 234-309.
Myers, M. (2000). Intrusion Detection Preliminaries. Sanitizing Your E-
Commerce Web Servers. Retrieved from:
http://www.symantec.com/connect/articles/intrusion-detection-
preliminaries-sanitizing-your-e-commerce-web-servers
Northcutt, S. & Novack, J. (2002). Network Intrusion Detection. Protecting Your
System, 27(3), 442-512.
Trost, R. (2009). Practical Intrusion. Analysis Prevention for the Twenty-First
Century, 21(1), 230-457.