Who's Got Root? Find Out With Tripwire
Got Root? Does someone else? You spend a lot of time securing your systems, but how do you know if they've been compromised? Tripwire can tell you. Carla Schroder explains.
Your network groans under the weight of monitors and alarms. Every packet, every bit is inspected, scrutinized, sanitized, and organized. Surely it is time to relax and take it easy. Except for one little nagging worry- if an intruder slides through all the barriers, past all the traps, and successfully cozies into a snug corner, how will you know?
Most security applications are reactive: they look for evidence of known exploits. Tripwire doesn't need a personal introduction to villains, it detects any suspicious changes. It creates a baseline snapshot of a system when it is in a known good state, then makes comparisons against this baseline. When files change that shouldn't, such as system binaries, or registry objects, Tripwire will tell you. If the changes are valid, the Tripwire database can be updated. If there is a problem, the ace admin will know exactly what was affected.
It is not meant to replace other security measures, or to be the sole security measure. It monitors the integrity of your perimeter watchdogs- 'watches the watchers'- a most useful ability, as firewalls and routers are prime targets of attack. It monitors the integrity of internal systems, detecting and reporting changes no matter where they originate, from the inside or outside. Other intrusion detectors typically search for signatures of known exploits, which is useful as long as only known exploits are used against you.
Tripwire lives in two worlds: commercial, and free. The commercial Tripwire supports many platforms:
- Compaq Tru64 UNIX
- IBM AIX
- HP UX
It comes in many forms:
- Tripwire for Servers
- Tripwire for Network Devices
- Tripwire for Web Pages
...to name but a few. Extensive support and training are available. There are two free versions, Tripwire Academic Source Release, and Tripwire Open Source, Linux Edition. ASR is the oldest and least feature-featureful, and runs on commercial Unixes. Tripwire released the Open edition in 2001 under the GPL, and still contributes to its development. The Open edition is similar to Tripwire for Servers; there is even an upgrade path for users who want support, and additional features.
Not Just Intrusion Detection
Change management and validation can be applied in all sorts of ways. Tripwire for Network Devices is a central management console for routers and switches, detecting unauthorized change to routing and configuration tables. Things can happen by mistake; Tripwire does not judge stupidity or malice, it merely detects the fruits thereof, and sounds the alert.
File integrity checks are useful for tracking down and diagnosing difficult problems, by pinpointing changes. A friend of mine loves using Tripwire for system 'lockdown'; she can easily find unauthorized software that users have installed. Even better, it's someone else's job to deal with the offenders, all she has to do is find them and fink them off.
Tripwire is adept at ferreting out rootkits. Utilities such as chkrootkit are good for detecting known rootkits, but aren't much good when something new is released into the world. A successful intruder will typically replace system binaries, such as ps, netstat, passwd, login, and so forth, with trojaned binaries. The names are the same, but the programs definitely are not. The idea is to cover their tracks, and to remain undetected. It's not even much work, there are many rootkits floating around the Internet that do all the heavy lifting.
There's no point to installing Tripwire on an old system. It must have a clean start. Do not connect to any network, trusted or untrusted. Some say merely to avoid untrusted networks; I say all networks are not to be trusted!
Write-protected floppy disks or CDRs should be used to store the Tripwire executable, configuration file, and the initial snapshot database. Tripwire uses encryption and signing; that's no excuse for not taking elementary precautions. Encryption does not protect against everything, like deletion, or clever file substitution by an insider. The disks containing the initial snapshot should be well-guarded. It takes a couple of hours to learn how to use and configure Tripwire, it will take several days to define a policy set that does not give too many false alarms, or that does not miss something significant. The initial database can be updated as rules and policies are refined.
There are four basic Tripwire components that the ace admin will be concerned with: policy file, database file, report file, and configuration file.
The policy file contains all the rules that define what Tripwire will get excited about, and what it will ignore. Rules can get as fine-grained and gnarly as you like; use all the available attributes of the platform being monitored. Unix nerds can really go to town with rules.
The database is the heart of Tripwire. Build this correctly at the beginning, with a reasonably sane policy file, and life will run smoothly forever after.
Report files are generated with every integrity check. Typically they are emailed to whoever is supposed to review them. It is probably a good idea to read them. As soon they arrive. Yes, yet another report to review. Report formats are configurable, from voluminous to terse.
The Tripwire configuration file contains all the system-specific information: file locations, email configuration for notifications, and so forth. The usual admin stuff, no big drama here. Just remember to store these files on a removeable, write-protected disk.
An integrity check can be run just about any way the admin needs: full system, specific files, different severity levels -- anything defined in a ruleset can be singled out for checking. Tripwire is extremely flexible and configurable. Basic operations can be learned in an hour or two, learning newer and better ways to use it is an ongoing exercise.
Next week we'll dig into the fun stuff: building policies and rulesets.