
Concerned About File System Integrity? Try Some of These Useful Tools [Tripwire | AIDE | FCheck]

Stephen Fromm
stephenf@ns.uoregon.edu


The ability to track changes to files over time is an important tool in a computer system's overall defenses.

Tools that have this ability (i.e., "file system integrity" or "Tripwire-like" tools) give administrators an important edge in host-based intrusion detection by keeping a database of information regarding each file. Such information typically includes the permissions, user and group owners, time modified, size, and cryptographic checksum of a file, among other measurements.

File system integrity tools allow an administrator to detect system changes, whether intended or not, and, even more importantly, to determine quickly which files have been changed in the event of a system compromise. Not only does a compromise become noticeable, but recovery is easier because you know exactly what to restore. (Note, however, that file system integrity tools are not a replacement for system hardening. You should still implement whatever measures are necessary to prevent a compromise in the first place.)

A number of file system integrity tools are currently available, some at no charge. You'll find many of them listed at http://www.securityfocus.com, under IDS -> Tools -> File Integrity. Three commonly used tools are Tripwire, AIDE, and FCheck, all of which are described in more detail below.

It's also possible to write your own set of scripts for monitoring file systems. Whichever method you choose, be sure to back up the database these programs create on removable media, such as a floppy or CDR. An intruder who can modify the files you monitor can just as easily modify a database kept on the same disk, and the checking program along with it, so the baseline (and ideally the tool's own binaries) should live on media the running system cannot write to.

Tripwire
http://www.tripwire.com
http://www.tripwire.org

Tripwire is a commercial program that supports a number of platforms, including WindowsNT/Windows2000, Solaris, and Linux (for more details, see http://www.tripwire.com/products/). The software, minus some of the commercial version's feature set, is freely available for Linux (see http://www.tripwire.org) and comes in rpm and tar formats (no source code provided).

When you're setting up Tripwire, the program first asks you for passphrases; Tripwire keeps a site key, used to sign the policy and configuration files, and a local key, used to sign the database and report files. Once those files are signed, you create a baseline database for later comparison against the files on your system.

Tripwire allows you to assign a severity level to groups of files according to their security risk. The defaults are SIG_LOW (noncritical files of minimal security impact), SIG_MED (noncritical files of significant security impact), and SIG_HI (critical files of significant security impact). Once you've assigned these levels, you specify which properties to check for each group.

Two important features of Tripwire let you customize it for your environment: it can check 18 different properties, four of which are checksums (md5, haval, sha1, and crc-32; the first three are cryptographic hashes, while crc-32 is a plain checksum that catches accidental but not deliberate change), and you can define a variable that names your own combination of properties to check.
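A policy fragment in Tripwire's twpol.txt syntax, added here as an illustration rather than taken from the article or from Tripwire's shipped default policy (the rule names, paths, and the SEC_PERMS mask are assumptions), showing the severity levels, the built-in property masks, and a custom mask built from single-letter property codes:

```text
# Added example of a Tripwire policy fragment; rule names, paths and the
# SEC_PERMS variable are assumptions, not Tripwire's shipped defaults.

@@section GLOBAL
TWBIN = /usr/sbin ;

@@section FS
SIG_LOW = 33 ;      # noncritical files of minimal security impact
SIG_MED = 66 ;      # noncritical files of significant security impact
SIG_HI  = 100 ;     # critical files of significant security impact

# Property masks. A letter after + adds a property, after - drops one:
# p perms, i inode, n links, u uid, g gid, t type, s size, d device,
# b blocks, m mtime, c ctime, a atime, C crc-32, M md5, S sha1, H haval.
SEC_CRIT  = $(IgnoreNone)-SHa ;  # everything except sha1, haval, atime
SEC_BIN   = $(ReadOnly) ;        # binaries that should never change
SEC_LOG   = $(Growing) ;         # may grow, but owner and perms must not change
SEC_PERMS = +pug ;               # custom mask: only permissions and owners

(
  rulename = "System binaries",
  severity = $(SIG_HI)
)
{
  /bin              -> $(SEC_BIN) ;
  /sbin             -> $(SEC_BIN) ;
  /usr/bin          -> $(SEC_BIN) ;
  /usr/sbin         -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_CRIT) ;
}

(
  rulename = "Log files",
  severity = $(SIG_LOW)
)
{
  /var/log/messages -> $(SEC_LOG) ;
  /var/log          -> $(SEC_PERMS) ;
}
```

After editing the text policy you compile and sign it with twadmin (--create-polfile), build the baseline with tripwire --init, and run tripwire --check on a schedule; the severity numbers show up in the report and let you run a check limited to rules at or above a given level.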

Besides writing reports to a file, Tripwire can send messages to syslog for specific events and email reports to the administrator, which makes unattended scheduled checks practical.

AIDE
http://www.cs.tut.fi/~rammer/aide.html

AIDE (Advanced Intrusion Detection Environment) runs on many modern Unix platforms and is freely available under GPL. It is compiled and installed like many other software packages (e.g., ./configure; make; make install), but unfortunately, it does not run on Windows platforms.

In addition to a compiler, you'll need GNU Flex (ftp://ftp.gnu.org/pub/gnu/flex), GNU Bison (ftp://ftp.gnu.org/pub/gnu/bison), and GNU Make (ftp://ftp.gnu.org/pub/gnu/make) to compile AIDE.

If you want mhash support, you'll also need the mhash library (http://schumann.cx/mhash/). And if you want to use PostgreSQL for database storage, you'll need the PostgreSQL development library (http://www.postgreSQL.org/).

AIDE's configuration file is very much like Tripwire's. It can check 15 individual properties of a file, four of which are cryptographic checksums (md5, sha1, rmd160, and tiger). With mhash support it can also use haval and gost, as well as crc-32 (a plain checksum rather than a cryptographic hash).

AIDE, like Tripwire, can check combinations of properties. One interesting feature of AIDE is its ability to use regular expressions to determine what parts of the file system to check.

You can also define selections so that AIDE will either not check anything that matches your criteria, or it will only check those that specifically match your criteria. For example, you could define =/tmp, which would add only /tmp to the database, excluding its children. Or, you could define !/dev and ignore the entire /dev directory structure.

Finally, you can control where AIDE reads its database from and where it writes the new database and the report, as long as the input and output databases don't point at the same place. The options available are STDIN, STDOUT, STDERR, a file, and a file descriptor. Unfortunately, AIDE does not directly support emailing reports after comparing the database with the current state of the file system; you have to pipe its output to a mailer yourself.
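An aide.conf fragment, added here as an illustration and not taken from the article or from AIDE's own sample configuration (the paths, rule names, and the log-file regular expressions are assumptions), tying together the database and report locations, custom property groups, and the regular-expression selection lines described above:

```text
# Added example of an aide.conf fragment; paths and rule names are
# assumptions, not AIDE's shipped defaults.

# Baseline to read and fresh baseline to write: never the same file.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# A report can go to several places at once (there is no mail option).
report_url=stdout
report_url=file:/var/log/aide.log

# Custom property groups: p perms, i inode, n link count, u uid, g gid,
# s size, m mtime, c ctime, S growing size, plus the chosen checksums.
Binlib = p+i+n+u+g+s+m+c+md5+sha1
Logs   = p+u+g+S
Dirs   = p+i+u+g

# Selection lines are regular expressions anchored at the start of the path.
/bin      Binlib
/sbin     Binlib
/usr/bin  Binlib
/etc      Binlib
/var/log/.*\.log$ Logs

# "=" adds the directory itself without descending into it.
=/tmp     Dirs

# "!" excludes a whole subtree or pattern.
!/dev
!/proc
!/var/log/.*\.[0-9]+$
```

Run aide --init to produce aide.db.new, move it to the aide.db location (and a copy to read-only media), then run aide --check from cron; the Logs group with S tolerates a log that grows but flags one that shrinks or changes owner, which is what a log-cleaning intruder usually does.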

FCheck
http://www.geocities.com/fcheck2000/

FCheck is a Perl script written to monitor changes to files and directories over time. It requires a working distribution of Perl to be in place. Because it's written in Perl, FCheck can run on a large number of systems, including Windows, *BSD, Linux, and Solaris.

FCheck is a simplified version of Tripwire and AIDE. While it can record cryptographic checksums of files, it relies on an external executable (e.g., md5sum) to compute them, so checksum support on non-Unix platforms depends on whether such an executable is available. FCheck does check the standard elements, such as permissions, device, time last modified, and size of the file. It can also log a report summary to a system log file (e.g., via syslog) in addition to printing it to STDOUT.

With FCheck, you can also configure which files and directories to check, and determine whether directories should be checked recursively.

While FCheck is not as comprehensive as either Tripwire or AIDE, its portability and simplicity are appealing.

FCheck is a good example of the kind of script you might write for yourself. Homegrown scripts, using binaries that already exist on your system, can achieve much of the same functionality as tools like AIDE and Tripwire.

This can easily be implemented on a Unix system with standard utilities such as find, diff, and md5sum. For example, to record a baseline for /bin and /usr/bin, you'd write:

# find /bin /usr/bin -type f -print0 | xargs -0 ls -l --full-time > permissions
# find /bin /usr/bin -type f -print0 | xargs -0 md5sum > checksums

Rerunning the same two commands later into fresh files and comparing them with diff (or rehashing with md5sum -c checksums) shows which files have changed.
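A fuller version of that homegrown approach, as an added example that is not part of the original article: a small shell script that records a baseline of metadata and MD5 checksums and later reports added, removed, and altered files. It assumes GNU coreutils and findutils (stat -c, sort -z, md5sum -c) and that the baseline directory sits outside the trees being monitored; the script and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a "homegrown" integrity checker
# built from find, stat, md5sum and diff.
# Assumes GNU coreutils/findutils (stat -c, sort -z, md5sum -c).
# Usage:  fscheck.sh baseline BASEDIR DIR...   record a baseline
#         fscheck.sh check    BASEDIR DIR...   compare the live tree with it

# Print "perms user group size mtime path" for every regular file under
# the given directories, in a stable order so that diff output is clean.
list_metadata() {
    find "$@" -type f -print0 | sort -z | xargs -0 stat -c '%A %U %G %s %Y %n'
}

# Record metadata and MD5 checksums into BASEDIR/permissions and
# BASEDIR/checksums. Move BASEDIR to read-only media afterwards.
make_baseline() {
    basedir=$1; shift
    mkdir -p "$basedir"
    list_metadata "$@" > "$basedir/permissions"
    find "$@" -type f -print0 | sort -z | xargs -0 md5sum > "$basedir/checksums"
}

# Compare the live file system with a baseline. Prints one line per
# changed, added or removed file and returns 1 if anything differed.
check_baseline() {
    basedir=$1; shift
    status=0
    live=$(mktemp)
    list_metadata "$@" > "$live"
    # Added files appear as "+" lines, removed files as "-" lines, and a
    # change of mode/owner/size/mtime as a "-"/"+" pair for the same path.
    if ! diff -u "$basedir/permissions" "$live" > "$live.diff"; then
        grep '^[-+][^-+]' "$live.diff" | sed 's/^/metadata: /'
        status=1
    fi
    # Content check: md5sum -c rehashes every file named in the baseline
    # and prints "path: FAILED" for any whose checksum no longer matches.
    if ! md5sum -c --quiet "$basedir/checksums" 2>/dev/null; then
        status=1
    fi
    rm -f "$live" "$live.diff"
    return $status
}

case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    check)    shift; check_baseline "$@" ;;
esac
```

Run it from cron and mail yourself the output when the exit status is non-zero. Because mtime is recorded to the second, a file rewritten within the same second as the baseline still shows up through its size or checksum, which is why the script keeps both checks rather than trusting timestamps alone.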

Some operating systems also have the ability to check the integrity of installed packages. For example, on Linux systems that use rpm, you could use the command rpm -V -a (or rpm -Va) to verify every installed package. This compares each file's md5sum, size, symlink target, modification time, device, user and group owners, and permissions against what the package database recorded at install time.

If a file fails the md5sum, file size, or permissions test, it may have been tampered with. For example, the line

SM5..... /usr/bin/top

shows that the size (S), permissions (M), and md5sum (5) of /usr/bin/top have changed since it was installed on the computer. Note that rpm marks configuration files with a c after the flag string; changes to those are usually legitimate edits, whereas a changed checksum on a binary deserves a closer look. Bear in mind, too, that the rpm database lives on the same disk as the files it describes, so an intruder with root can update it; treat the package check as a convenience, not as a substitute for an off-line baseline.

Properly implemented, a file system integrity tool can be a useful part of a system's defenses. In the event of a system compromise, the tool enables you to quickly identify files that have been tampered with.
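The flag string is positional: each of its eight columns stands for one test, in the order S M 5 D L U G T, and a dot means that test passed. The following shell script, an added example that is not part of the article, decodes that string and triages some constructed rpm -V lines (the paths other than /usr/bin/top are made up for illustration), treating a changed checksum on a config file, which rpm marks with c, as routine and on anything else as an alert:

```shell
#!/bin/sh
# Added example (not from the article): decode and triage "rpm -V" output.
# The eight flag columns are, in order: S size, M mode, 5 md5, D device,
# L symlink, U user, G group, T mtime. "." means the test passed and "?"
# means rpm could not perform it.

# Turn a flag string such as "SM5....." into "size mode md5".
decode_rpmv_flags() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 8 ]; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case "$c" in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out md5" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            '?') out="$out untestable" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Read rpm -V lines on stdin ("FLAGS [type] PATH" or "missing [type] PATH")
# and classify each. rpm tags config files with type "c": a changed
# checksum there is usually an admin edit; anywhere else it is an alert.
triage_rpmv() {
    while read -r flags type path; do
        [ -z "$path" ] && { path=$type; type=""; }   # no type column present
        if [ "$flags" = "missing" ]; then
            printf 'ALERT %s is missing\n' "$path"
            continue
        fi
        changed=$(decode_rpmv_flags "$flags")
        case " $changed " in
            *" md5 "*)
                if [ "$type" = "c" ]; then
                    printf 'INFO  %s edited config (%s)\n' "$path" "$changed"
                else
                    printf 'ALERT %s content changed (%s)\n' "$path" "$changed"
                fi ;;
            *)  printf 'NOTE  %s (%s)\n' "$path" "$changed" ;;
        esac
    done
}

# Constructed sample lines; only the first is taken from the article.
SAMPLE_RPMV='SM5.....    /usr/bin/top
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/README
missing     /usr/bin/ps'

printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv
```

In practice you would feed it the live output with rpm -Va | triage_rpmv and page on ALERT lines only; a lone T (mtime) on a non-config file is worth a glance but is often just a touch or reinstall.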

When using a file system integrity tool, it's important to remember two things:

1) always keep a backup of the database off-line on a floppy or CDR so that you have a copy an intruder cannot alter

2) file system integrity tools are only one part of overall system security; other security measures are equally important and should not be neglected.


Spring 2001 Computing News