Fitsum Ristu Lakew: Tripwire for Intrusion Detection
TRIPWIRE

How Tripwire software is effective to automate the process of verifying file system integrity on a machine.

FITSUM R. LAKEW
INFA 630, Prof. Jeff Clark
November 21, 2010
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE

Outline:
Abstract
Introduction
Main Body:
• Functional Applicability
• Limitations
• Installing Tripwire
• Activating Tripwire
Conclusion
References
How Tripwire software is effective to automate the process of verifying file system integrity on a machine.

Abstract

Security in computer systems is vital in protecting the integrity of stored information. The file system provides a mechanism that can be used for storage purposes. This mechanism can also be used to access data and programs in a computer system. Information residing on a file system is valuable and should be monitored for unauthorized and unexpected changes to protect the system against intrusion. In a network platform, monitoring these changes becomes quite a daunting task. Tripwire is a tool that aids UNIX system administrators in checking for any changes that are made to a selected set of files, directories, and databases (Northcutt & Novack, 2002). It notifies the system administrator whenever files have been altered or corrupted, which enables the system administrator to take action in a timely manner. This paper will describe the intrusion detection mechanism provided by Tripwire. It will also outline the design and implementation of Tripwire. It will explore the advantages of using Tripwire to automate the process of verifying file system integrity on a machine, and it will also explore the software’s limitations. This paper will prove Tripwire’s effectiveness in detecting altered or corrupted files.

Introduction

Tripwire refers to software that confirms the integrity of a system. It is a utility that compares the properties of specific files and directories against data that has been stored in an archive. Tripwire creates software that allows users to edit and configure a system’s overall security. Bejtlich (2005) argues that Tripwire is a tool that can be used to detect corrupted files. Tripwire can also serve as an archive for files and folders that have been disorganized. Tripwire is a tool that informs the user about changes in the system (Northcutt & Novack, 2002). Reports from the software are usually sent in an XML or HTML format (Northcutt & Novack, 2002), which enables a user to access the data from a web browser. Tripwire took 12 months to develop. Open Source Tripwire was an original version of the software. It was created using code that was designed by Tripwire Incorporated (Bejtlich, 2005). It was initially free. Police officers and private security firms use it. It is still used to alert people about file changes that occur in a wide variety of systems. Private organizations can also use Tripwire. It can be used to keep track of privately owned servers. It can update the user through daily e-mail.
Functional Applicability

Tripwire can be used as a host-based intrusion detection system; it is not confined to a network base. It notifies the user about changes that occur in file system objects (Bejtlich, 2005). Tripwire lets the user know whether the server has been compromised. It employs an e-mail alert system that is activated once the software detects a problem. Tripwire detects specific anomalies in the system and allows the user to determine which files may have been compromised (Northcutt & Novack, 2002). Administrators will know which actions to take once Tripwire alerts them about changes in the system. Servers that have been corrupted can therefore be removed from the network.

“The single most important time efficiency issue with Tripwire is the lack of a report history mechanism, which would drastically reduce the number of reports. For instance, a dozen systems being checked three times per day can result in over 1000 reports per month, any one of which could contain the critical information the tool is supposed to detect. Even the most careful tuning cannot prevent this; for instance, the installation or modification of a large software package may suddenly result in a large report that will continue until the administrator has time to do a database update.” (Arnold, 2001)

Tripwire allows users to monitor the progress of their servers. It can be used to detect the installation of unauthorized software (Bejtlich, 2005). Trost (2009) asserts that Tripwire can also verify a system’s compliance with the user’s security policy. The software can operate as an archive. Tripwire’s archive can be compared with other systems for the sake of compatibility. Northcutt & Novack (2002) state that Tripwire can be used to recover lost files and folders. It can also be used to assess the damage that may have been caused within a given server. Tripwire provides the user with options that are based on the changes that have been detected within a given system. The information retrieved from Tripwire’s damage report can be used to prepare the user for similar problems in the future. Once Tripwire has been activated, it scans all the files within a given database. Tripwire employs cryptographic hashes in order to detect anomalies in a file. These hashes are used to filter components of the file that may not be needed. A user can access particular files and folders by adjusting the Tripwire configuration. Tripwire can be tweaked to target particular files in the system’s database; this process operates like a filter. A user can customize the scanning process in order to save time and resources. Tripwire can be used on specific servers, applied to an entire network, or run as a centralized system (Trost, 2009). It can also be used to test the integrity of Windows VFAT file systems like FAT32 and FAT16 (Bejtlich, 2005).
Tripwire is not restricted to a particular format. It is portable and dynamic. It runs on several UNIX variations, so its programs can be shared among different systems. Tripwire’s database files are easy to read because they are encoded using a standard ASCII format (Trost, 2009). The ASCII format enables files to be read on different platforms. Tripwire is a form of self-sufficient software: a user can run the Tripwire program without the use of outside programs (Bejtlich, 2005). This enables administrators to secure the privacy of their customers. Host-based intrusions can be detected by monitoring changes within the file system (Trost, 2009). Tripwire is therefore the best software a user can employ to detect anomalies within a given system. Administrators can also use the software to take note of unauthorized modifications within a given network (Bejtlich, 2005). Hackers are hardly ever detected. Tripwire can be used to alert administrators whenever the system’s security is compromised. Myers (2000) states the following:

Intrusion Detection involves detecting unauthorized access and destructive activity on your computer system. Intrusion Detection is a clear requirement for all e-commerce merchants. According to the annual study released March 22, 2000 by the Computer Security Institute and the FBI, 90% of the survey respondents detected a computer security breach within the last twelve months. The study showed that the most serious financial losses were caused by activities that concern e-commerce merchants directly: theft of proprietary information (e.g., stealing customer credit card numbers), and financial fraud (e.g., setting up a bogus storefront). For e-commerce merchants, the focus of Intrusion Detection is on the web servers, and their associated database management systems. E-commerce requires that the web servers communicate quickly and accurately with large databases of product and customer information. To optimize performance, these critical databases are, in most cases, placed on the same network segment as the web server, or even on the web server machine itself. For malicious hackers, this is a tempting prize. For hard-core cyber criminals, these databases are pay dirt. They will break in to the web server, gain administrator-level access, locate the database, and then go to work on breaking into the database and downloading customer information. This does happen. As a matter of fact, it happens more often than most of us will ever know, because the merchants who suffer break-ins often do not report them, or they report them to law enforcement agencies who do not publicize information while cases are under investigation. According to an Associated Press report released March 24, 2000, "Two 18-year-old boys were arrested in Wales, United Kingdom, on charges of breaking into electronic commerce Internet sites in five countries and stealing information on 26,000 credit card accounts, the FBI said today." Such reports cause me to wonder how many such exploits are not being caught. And one can only marvel at the use of the term "boys". Why is an 18-year-old who commits armed robbery a "man", and one who violates the financial integrity of 26,000 innocents a "boy"? The young men who probably spent many months planning and executing this crime are not seen as real criminals, just misguided youth. This seems to be a naive assumption. Setting up the most secure website possible is the social, and potentially legal responsibility of every e-commerce merchant who either solicits, processes, or stores confidential customer information. Further, and perhaps more convincing, a secure website is also a business imperative. There is no quicker way to lose customer confidence than to lose their credit card information (Myers, 2000).

Limitations

Tripwire reports are long and therefore tedious to analyze. Reading reports from Tripwire is a cumbersome, time-consuming endeavor. Trost (2009) argues that Tripwire is outdated software and that its coding system is archaic. A server can function effectively without Tripwire. An antivirus is generally more effective: the user has the option to restore or delete corrupted files using an antivirus. Tripwire forces the user to deal with changes that may occur on a frequent basis. For example, if a file is altered after an auditing session, the Tripwire software will alert the user. This forces the administrator to deal with trivial changes to the system, so minor changes can go unnoticed. Arnold (2001) states the following:

Tripwire is much like the fabled elephant and the blind men: how you feel about it depends on the perspective from which you approach it. A person who has successfully used Tripwire to detect cracked binaries and/or system misconfigurations will have nothing but praise for it. On the other hand, someone who has been "stuck in the trenches" reading through endless reports in an attempt to find problems, will think that it's a labor-intensive waste of time. Minimizing the labor required dictates that reports be as brief, and as infrequent, as they possibly can be made. Using Tripwire on a day-to-day basis can be an uncreative and essentially boring activity. On the other hand, if one can reduce the torrent of data that Tripwire provides, and makes it simpler to use than it is "out of the box", then using it can become bearable (if not necessarily palatable.) Fortunately, it is possible to reduce the time and effort required to administer Tripwire, as the next section of this discussion will illustrate (Arnold, 2001).
The Tripwire database has to be updated on a regular basis (Trost, 2009). Changes made to a system’s files prompt the user to update it. Tripwire restricts users to a strict policy. There are terms and conditions that must be followed in order to use Tripwire effectively. The user is forced to resolve the system’s problems without the use of Tripwire. Tripwire does not remove malicious files, and it does not get rid of viruses; the user is forced to do this without the use of Tripwire. According to Bejtlich (2005), Tripwire is fallible. Computer hackers can still access private files under the right circumstances. Tripwire does not serve the user as an antivirus. Trost (2009) argues that Tripwire is not a firewall; it only complements other security solutions. It cannot be used to restore a computer’s operating system (Bejtlich, 2005). Tripwire auditing must be done on a regular basis. It is a time-consuming process, and the user is forced to do the work manually. File system auditing requires the use of unauthorized system resources. Tripwire does not allow the user to access these resources. The system therefore functions at a slower pace. Tripwire installation is restricted to ‘fresh’ systems. Installing Tripwire on a network is a long and cumbersome process. Only one user can install Tripwire, which makes the installation process difficult. Tripwire also forces the administrator to format the system before installation. Corrupted files can be ignored after Tripwire is installed. Administrators are therefore forced to install the software twice.

Installing Tripwire

Installing Tripwire is a simple process, and there are many ways to do it. An administrator can use his distribution’s package manager to download and install the software (Bejtlich, 2005). An administrator can also access the software through the Open Source Tripwire Project online. The installation process is mainly automatic. The user affirmatively clicks on taskbars in order to authorize the procedure. Linux distributors sometimes provide a utility that can be used to configure a given system (Bejtlich, 2005). They provide the user with setup scripts that can be used to install the software.

Activating Tripwire

Tripwire is activated using a ‘check’ key. The process can be automated by employing an integrity check. The user can then create a cron job entry, which ensures that the system is checked regularly. This process requires the user to edit the system’s cron directory. Alternatively, the user can add an appropriate script to that directory (Bejtlich, 2005). The file should then be edited by adding a line for the execution of a Tripwire check.
Tripwire can also be activated by running the software from another machine on the same network. This keeps hackers at bay. Trost (2009) suggests a crontab line like the following, with the target host name substituted:

    0 2 * * * ssh -n -l root target-host /usr/sbin/tripwire --check

Most scholars advise users to make soft copies of their Tripwire binary (Kohlenberg, Beale & Baker, 2007). The program can be run from the soft copy. For this procedure, the twcfg.txt file should be edited before the user signs it. Kohlenberg, Beale & Baker (2007) advise users to make the following changes to their /etc/twcfg.txt file:

    ROOT=/mnt/cdrom
    SITEKEYFILE=/mnt/cdrom/site.key
    LOCALKEYFILE=/mnt/cdrom/host-local.key

Bejtlich (2005) notes that this process is only applicable to CD-ROMs that mount at /mnt/cdrom. Users should then sign the modified file and generate the Tripwire file. The CD-R can be removed when the process is complete. Tripwire checks can then be done by mounting the CD-R that contains the Tripwire binary (Northcutt & Novack, 2002).
The executable binary should be stored on a non-writable storage device to protect the code. The Tripwire database can be updated by issuing the following commands:

    # LASTREPORT=`ls -1t /var/lib/tripwire/report/host-*.twr | head -1`
    # tripwire --update --twrfile "$LASTREPORT"

Tripwire creates an archive of the most commonly accessed files and folders on a server (Northcutt & Novack, 2002). The user is therefore able to compare these files to the ones on his or her hard drive. This process can be used to identify files that may have been stolen or corrupted. Tripwire exists in an Open Source and a commercial version. It is made up of four major components (Trost, 2009): the policy files, the database, the configuration files and the report files. The configuration file houses regulations that govern the e-mail notification system. It also houses the Tripwire files as well as the server’s miscellaneous data. Tripwire allows the user to customize the software settings. The Tripwire software can also be used to make notifications based on the user’s settings. Scanning the system creates report files (Kohlenberg, Beale & Baker, 2007). These reports inform the user about specific changes to the system.
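The hash-based baseline, check and database-update cycle described in the Functional Applicability section and in the update commands above, as an added example in Python that is not from the paper or from the Tripwire project; the file names, the attribute set and the altered tree are constructed for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(path: Path) -> dict:
    """Record the attributes an integrity checker compares: mode, size, SHA-256."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entry

def build_database(root: Path) -> dict:
    """The 'init' step: hash every regular file under root into a baseline."""
    return {p.relative_to(root).as_posix(): snapshot(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check(root: Path, db: dict) -> dict:
    """The 'check' step: compare the live tree against the baseline database."""
    current = build_database(root)
    return {
        "added": sorted(set(current) - set(db)),
        "removed": sorted(set(db) - set(current)),
        "modified": sorted(k for k in db if k in current and current[k] != db[k]),
        "current": current,
    }

def update_database(db: dict, report: dict, accepted: set) -> dict:
    """The 'update' step: fold only the changes the administrator accepts
    into a new baseline, so unreviewed changes keep being reported."""
    new_db = dict(db)
    for name in report["added"] + report["modified"]:
        if name in accepted:
            new_db[name] = report["current"][name]
    for name in report["removed"]:
        if name in accepted:
            new_db.pop(name, None)
    return new_db

def demo() -> tuple:
    """Constructed scenario: baseline a tiny tree, alter one file in place
    (same size, different content) and drop in an unexpected new file."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary\n")
    (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    db = build_database(root)
    (root / "bin" / "ls").write_bytes(b"replaced binary\n")  # size unchanged
    (root / "bin" / "extra").write_bytes(b"unexpected file\n")
    first = check(root, db)
    # Accept the change to bin/ls as legitimate; leave the new file unreviewed.
    db = update_database(db, first, accepted={"bin/ls"})
    second = check(root, db)
    return first, second
```

The second report shows why the hash matters: the altered binary keeps its size, so only the SHA-256 mismatch reveals it, and the unreviewed file stays in every report until an update accepts it.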
Conclusion

Trost (2009) argues that despite its limitations, Tripwire is still an effective tool that can be used to increase a system’s security. Tripwire is only relatively effective; administrators should therefore also employ an antivirus. Tripwire cannot get rid of corrupted files without the user’s consent. Kohlenberg, Beale & Baker (2007) advise administrators to invest in several integrity-auditing tools for their system. This will ensure that the system runs at optimum efficiency.
References

Arnold, E. R. (2001). The Trouble with Tripwire. Retrieved from:
Bejtlich, R. (2005). Extrusion Detection. Security Monitoring for Internal Intrusions, 47(1), 37-107.
Kohlenberg, T., Beale, J., & Baker, A. R. (2007). Snort IDS and IPS Toolkit with CDROM. Intrusion Detection, 10(1), 234-309.
Myers, M. (2000). Intrusion Detection Preliminaries. Sanitizing Your E-Commerce Web Servers. Retrieved from: preliminaries-sanitizing-your-e-commerce-web-servers
Northcutt, S., & Novack, J. (2002). Network Intrusion Detection. Protecting Your System, 27(3), 442-512.
Trost, R. (2009). Practical Intrusion. Analysis Prevention for the Twenty-First Century, 21(1), 230-457.