Tripwire: A File System Integrity Checker For Intrusion Detection

Meera Belur
CS265: Computer Cryptography and Security, Fall 2002
Email: [email protected]

CONTENTS
ABSTRACT
INTRODUCTION
DESIGN AND IMPLEMENTATION
  Database Initialization Mode
  Integrity Checking Mode
  Database Update Mode
  Interactive Database Update Mode
PSEUDOCODE
GLOSSARY
BIBLIOGRAPHY

ABSTRACT

Security in computer systems is important in order to protect the integrity of stored information. The file system provides the mechanism for storing and accessing data and programs in a computer system. Information residing on a file system is valuable and should be monitored for unauthorized and unexpected changes to protect the system against intrusion. On a networked platform, monitoring these changes becomes quite a daunting task.

Tripwire is a tool that aids UNIX system administrators in checking for changes made to a selected set of files, directories, and databases. It notifies the system administrator of altered or corrupted files so that action can be taken in a timely manner. This paper describes the intrusion detection mechanism provided by Tripwire, and also the design and implementation of Tripwire.

INTRODUCTION

Files stored in the file system include user data, application data, system executables and databases. As such, the file system is a natural target for an intruder, who could change one or more system files to enable future unauthorized access. It is the responsibility of system administrators to closely monitor which files have been altered or tampered with and to take the necessary actions, yet UNIX system administrators find it difficult to detect damage to these files and to monitor the integrity of the file system contents. The standard checklist schemes available on UNIX systems, such as maintaining checklists or checksum records, are neither trustworthy nor useful. Among their shortcomings: the list of files and associated checksums can be very hard to maintain, and an intruder can change a file's contents without changing the checksum generated for that file, so the change goes unnoticed.

To aid system administrators in intrusion detection, Tripwire provides an efficient way of detecting anomalies in the file system. It looks for behavior that deviates from normal system use.

In a running system files are constantly updated, and if an intrusion detection tool reported every changed file, the amount of data the system administrator has to interpret would become huge. Consider a scheme that reports both ownership changes and access-timestamp changes for thousands of files. The timestamp reports could easily obscure a potentially dangerous ownership change, which would then go unnoticed by the system administrator. In some cases, however, a change to a file's access timestamp is precisely what is of interest; there, "trap files" can be placed as tripwires against intruders.

Tripwire generates output that is easy to scan by allowing a selected set of files to be monitored. Usually the files selected for monitoring are those that are not expected to change much, so that any change to them is of concern. For example, changes to the contents of system log files are expected, but a change in their inode number, file mode, or ownership is a cause for concern. In the simplest terms, Tripwire creates a secure database of file and directory attributes, including their signatures, which can later be compared against the current file system to see whether a file or directory has changed in some way. Any differences are reported. When run against system files on a regular basis, any change to a critical system file will be spotted, and appropriate damage-control measures can be taken immediately.

Tripwire uses several checksum, message-digest, secure-hash and signature routines to detect changes to files. Each signature is computed from the contents of the file to which it is applied, and it is computationally infeasible to reverse-engineer a file from its signature. Tripwire can be customized to use a specific signature algorithm, out of the many it supports, for each object.
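As an added illustration of the scheme described above (example code written for this page, not Tripwire's own source), the following Python script builds a baseline database of file attributes and signatures, applies a per-object policy that decides which attributes count as a change (so a growing log file stays silent while a mode or ownership change on it is reported), and produces a report on a later integrity check. The policy names LOG_POLICY and BINARY_POLICY, the attribute names, the digest algorithms and the constructed temporary files are assumptions of this example; Tripwire's actual configuration syntax, database format and algorithm list differ.

```python
"""Tripwire-style file integrity check, added as an illustration (not Tripwire's own code)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

ALL_ATTRS = frozenset({"inode", "mode", "uid", "gid", "size", "mtime", "digest"})


@dataclass(frozen=True)
class Policy:
    """Which attributes to compare for an object, and which digests to record (assumed format)."""
    attrs: frozenset
    algorithms: tuple = ("sha256",)


# Log files are expected to grow, so only inode/mode/ownership changes are of concern.
LOG_POLICY = Policy(attrs=frozenset({"inode", "mode", "uid", "gid"}))
# Executables should never change at all; record two independent digests for them.
BINARY_POLICY = Policy(attrs=ALL_ATTRS, algorithms=("sha256", "sha512"))


def snapshot(path, policy):
    """Record the attributes (and digests, if the policy asks for them) of one object."""
    st = os.lstat(path)
    rec = {
        "inode": st.st_ino,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if "digest" in policy.attrs and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        rec["digest"] = {alg: hashlib.new(alg, data).hexdigest() for alg in policy.algorithms}
    return rec


def build_database(policies):
    """Database initialization: baseline every monitored object. policies maps path -> Policy."""
    return {path: snapshot(path, pol) for path, pol in policies.items()}


def check_integrity(database, policies):
    """Integrity check: return {path: [(attribute, old, new), ...]} for every object that differs."""
    report = {}
    for path, pol in policies.items():
        if not os.path.lexists(path):
            report[path] = [("missing", database.get(path), None)]
        elif path not in database:
            report[path] = [("added", None, snapshot(path, pol))]
        else:
            old, new = database[path], snapshot(path, pol)
            diffs = [(a, old.get(a), new.get(a)) for a in sorted(pol.attrs) if old.get(a) != new.get(a)]
            if diffs:
                report[path] = diffs
    return report


def _changed_attrs(report):
    """Reduce a report to {basename: [attribute names]} for easy inspection."""
    return {os.path.basename(p): [a for a, _, _ in diffs] for p, diffs in report.items()}


def demo():
    """Constructed scenario: a log that legitimately grows, then a mode change and a replaced binary."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "messages.log")
        binary = os.path.join(root, "login.bin")
        with open(log, "w") as fh:
            fh.write("boot ok\n")
        with open(binary, "wb") as fh:
            fh.write(b"\x7fELF original program bytes")
        os.chmod(log, 0o644)
        os.chmod(binary, 0o755)
        policies = {log: LOG_POLICY, binary: BINARY_POLICY}
        db = build_database(policies)

        # Benign change: the log grows. Its size, mtime and contents change, but LOG_POLICY
        # does not compare those attributes, so nothing is reported.
        with open(log, "a") as fh:
            fh.write("user logged in\n")
        after_append = _changed_attrs(check_integrity(db, policies))

        # Suspicious changes: log made world-writable, program contents replaced in place.
        os.chmod(log, 0o666)
        with open(binary, "wb") as fh:
            fh.write(b"\x7fELF replaced program bytes!!")
        after_tamper = _changed_attrs(check_integrity(db, policies))
        return after_append, after_tamper


if __name__ == "__main__":
    benign, tampered = demo()
    print("after log append:", benign)   # expected: {}
    print("after tampering:", tampered)
```

The per-object policy is what keeps the report readable: the same check that stays quiet while a log file grows still flags the mode change on that log and the digest and size change on the binary, while the unchanged inode shows the binary was overwritten in place rather than replaced by a new file. Recording more than one digest per executable means an intruder would have to defeat every listed algorithm at once to hide a content change.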