Tripwire - The Only Way to Really Know

Install a file integrity checking like Tripwire and you will never again have to guess whether you have been hacked. This article by Jay Beale explains the functionality of Tripwire as well as how to install and use it.

 By Jay Beale
Page 1 of 3
Print Article

So you think you may have been hacked, but you're really not sure 'cause some crackers seem pretty stealthy (1). There really is only one way to know - employ a file integrity checker, like Tripwire or AIDE. In this article, I'll explain why you need Tripwire/AIDE, what they do, and how you can deploy Tripwire. I'll give you a sample configuration that you can tune.

By the way, I'd like to thank Ben Tilly, Dr. Ernst-Udo Wallenborn, Matt Gischer, Mike Redan, and Kurt Seifried, who answered my last article's question on the SUID root PAM programs.

Why Do I Need Tripwire?

A cracker breaks into a system by exploiting an already present vulnerability. After he hacks your computer, he'll usually install a rootkit and create or install several Trojan horses. The rootkit replaces many of your system utilities to hide the attacker's activities. For instance, it replaces your ps command with one that will not show the attacker's programs. The Trojan horse (2) programs give the attacker a means to get back into your system with root, so they don't have to use the same exploit over and over. (Sometimes, the cracker will even patch the original vulnerability, to protect his new property!)

"Often, the cracker doesn't want to disrupt your use/business - he just wants a launching platform for IRC bots, DDoS programs, and sniffers."

Your first (smaller) problem is this: you may not even know you've been hacked! Often, the cracker doesn't want to disrupt your use/business - he just wants a launching platform for IRC bots, DDoS programs, and sniffers. He'll use his rootkit to stay out of sight and the Trojan horses to regain access to the system without tripping most forms of IDS. But, what if you do manage to realize you've been hacked?

Your second, larger, problem comes in here: you don't know what's changed on your system. Your system diagnostic tools have all been replaced by a rootkit! You can't trust ps, top, w, or even ls...! You need some way of figuring out exactly what files have changed, so you can put things back, patch any vulnerabilities, and trust your own system again. You need a file integrity checker. You absolutely, positively gotta kill every last illegal binary in the room. Accept no substitutes!

What Does Tripwire Do?

Tripwire, the original file integrity checker, monitors changes to the filesystem, including your binaries like ps, w, ls and so on... It accomplishes this by storing extended data on every important file in your system. It stores each file's size, mode, last modification time, and all the other major data in the inode. It also computes a series of "signatures" for each file, which it uses to keep track of changes to the file's contents. You run Tripwire whenever you want to check that no one has tampered with any of these files. Tripwire checks that database to look for changes to file meta-data. It also confirms that file contents haven't changed by re-computing the signature and comparing with its stored value.

These signatures are the output of one-way-hash-functions(3), like md5 and NIST's Secure Hash Algorithm.. Signatures have two essential properties. First, a small change in the file contents produces a substantial change in the signature itself. So, if I make a two character (but dangerous) change to my /etc/passwd file, changing the line.




will change the signature radically. Here are the corresponding md5 values, taken by md5sum:

6e59239d37ebff43e984725530b868a1  /etc/passwd  (before)     
f287eeeb1074bef6e33f075e62bdc6b4  /etc/passwd  (after)

The change in the md5 signature is extreme! The other essential property of these signature algorithms is that it is pratically impossible to generate two files with the same signature. If a signature algorithm didn't hold this property, then an attacker could make the two character change above, but then use a program to pad the file with whitespace/noise characters to get the same signature.

This article was originally published on Oct 17, 2000
Get the Latest Scoop with Networking Update Newsletter