Tripwire: An Intrusion Detection Tool

2004, Jei
Information Networking Security and Assurance Lab, National Chung Cheng University

Posted on 21-Dec-2015

Outline

What, How and The Goal
Overview
Example
Conclusion

Description

Tripwire is a host-based integrity checker: it tells you what has changed on your system.

On first run it builds a baseline database by recording a cryptographic hash (a checksum) of each monitored file together with that file's properties, giving a snapshot of the system's state at that moment.

Later runs recompute the same hashes and properties and compare them with the baseline. Tripwire monitors the attributes of a trusted file that should not change: the hash of its contents (the "binary signature"), its size, whether a file that is expected only to grow (such as a log) has changed in the expected direction, and, depending on the policy, ownership, permissions, inode and timestamps.

Web Site

Open source http://www.tripwire.org

Commercial version http://www.tripwire.com

Latest version http://sourceforge.net/projects/tripwire/

Overview

Three passphrases you must set

The installer asks for:

the site keyfile passphrase, which protects the site key (site.key)
the local keyfile passphrase, which protects the local key ($HOSTNAME-local.key)
your site passphrase once more, to sign the freshly generated configuration and policy files

Use two different, strong passphrases: whoever knows the site passphrase can rewrite the policy, and whoever knows the local passphrase can rewrite the database that every check trusts.

The files you must know

Key files and what they sign:

site.key               configuration and policy files (tw.cfg, tw.pol)
$HOSTNAME-local.key    database and report files

Configuration and policy, each in two forms:

twcfg.txt    configuration, clear text (the file you edit)
tw.cfg       configuration, binary, signed with the site key (the file tripwire reads)
twpol.txt    policy, clear text
tw.pol       policy, binary, signed with the site key

The commands

tripwire    initialize the database, run checks, update the database or policy
twadmin     create, sign, print and examine the configuration, policy and key files
twprint     print reports and the database in readable form
siggen      print hash values of individual files

The modes of tripwire

Database initialization mode    # tripwire -m i [options]
Integrity checking mode         # tripwire -m c [options] [object1 [object2...]]
Database update mode            # tripwire -m u [options]
Policy update mode              # tripwire -m p [options] policyfile.txt
Test mode                       # tripwire -m t [options]   (sends a test e-mail through the configured mailer)
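The lifecycle that the Description and the tripwire modes above describe (baseline, check, update, with a database that is only trusted if its signature verifies), as an added example in Python. This is not the slides' code and not Tripwire's: the attribute set, the JSON layout, the file names and the HMAC stand-in for Tripwire's public-key signature with $HOSTNAME-local.key are assumptions, and the test directory is constructed in a temporary folder.

```python
"""Tripwire-style file integrity checker: baseline, check, update (added example)."""
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file; a Tripwire policy's property mask selects a similar set (assumption).
ATTRS = ("sha256", "size", "mode", "uid", "gid", "inode", "mtime")


def snapshot(root):
    """Record the monitored attributes of every regular file under root."""
    root = Path(root)
    db = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.lstat()
        db[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "inode": st.st_ino,
            "mtime": int(st.st_mtime),
        }
    return db


def write_signed(db_path, db, local_key):
    """Store the database with an HMAC over its canonical JSON form (stands in for the local key signature)."""
    body = json.dumps(db, sort_keys=True).encode()
    sig = hmac.new(local_key, body, "sha256").hexdigest()
    Path(db_path).write_text(json.dumps({"db": db, "sig": sig}))


def read_signed(db_path, local_key):
    """Load the database, refusing it if the signature does not verify.

    This is what the local key buys you: an intruder who edits the database to
    hide a backdoor must also forge the signature over it.
    """
    blob = json.loads(Path(db_path).read_text())
    body = json.dumps(blob["db"], sort_keys=True).encode()
    expected = hmac.new(local_key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, blob["sig"]):
        raise ValueError("database signature mismatch: refusing to trust it")
    return blob["db"]


def init_database(root, db_path, local_key):
    """'tripwire -m i': take the baseline snapshot and sign it."""
    write_signed(db_path, snapshot(root), local_key)


def check(root, db_path, local_key):
    """'tripwire -m c': report files added, removed or changed since the baseline."""
    baseline = read_signed(db_path, local_key)
    current = snapshot(root)
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diffs = [a for a in ATTRS if baseline[name][a] != current[name][a]]
            if diffs:
                report["changed"][name] = diffs
    return report


def update_database(root, db_path, local_key):
    """'tripwire -m u': accept the current state as the new signed baseline."""
    read_signed(db_path, local_key)  # never overwrite a database we cannot verify
    write_signed(db_path, snapshot(root), local_key)


def demo():
    """Replay the slides' scenario on a constructed test directory; returns the three results."""
    key = b"local-keyfile-passphrase-demo"  # constructed for the example; never hard-code a real key
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "test_attack"  # stand-in for /root/test_attack
        target.mkdir()
        for name in ("exe.cpp", "ifs.inc", "quota", "sc-bw.zip"):
            (target / name).write_text(f"original contents of {name}\n")
        db_path = Path(tmp) / "tripwire.twd"  # keep the database outside the monitored tree
        init_database(target, db_path, key)

        # The "attack" from the slides: modify exe.cpp and add the file "ceo".
        (target / "exe.cpp").write_text('int main(){ system("/bin/sh"); }\n')
        (target / "ceo").write_text("planted\n")
        attack_report = check(target, db_path, key)

        # The operator reviews the report, confirms the changes are theirs, and accepts them.
        update_database(target, db_path, key)
        after_update = check(target, db_path, key)

        # An intruder who edits the database to cover their tracks breaks the signature.
        blob = json.loads(db_path.read_text())
        blob["db"]["exe.cpp"]["sha256"] = hashlib.sha256(b"forged").hexdigest()
        db_path.write_text(json.dumps(blob))
        try:
            check(target, db_path, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return attack_report, after_update, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The database is written outside the monitored directory on purpose; if it lived inside, every update would show up as a change in the next report. Real Tripwire signs the database with an asymmetric key so the checking host never holds a secret that would let an intruder re-sign; the HMAC here keeps the example self-contained.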

The operation of twadmin

Creating a configuration file      # twadmin -m F [options] cfg.txt
Printing a configuration file      # twadmin -m f [options]
Replacing a policy file            # twadmin -m P [options] policyfile.txt
Printing a policy file             # twadmin -m p [options]
Removing encryption from a file    # twadmin -m R [options] file1 [file2...]
Encrypting a file                  # twadmin -m E [options] file1 [file2...]
Examining encryption of a file     # twadmin -m e [options] file1 [file2...]
Generating a key                   # twadmin -m G [options]

The modes of twprint

Report printing mode      # twprint -m r [options]
Database printing mode    # twprint -m d [options]

The operation of siggen

siggen displays the hash function values of the specified files, which is handy for checking one file by hand:

# siggen [options] file1 [file2...]

Example

Installation

OS: Debian GNU/Linux
Test directory: /root/test_attack, containing exe.cpp, ifs.inc, quota and sc-bw.zip

Get the Tripwire package from http://www.tripwire.org/downloads/index.php
Unzip and untar the package
Go to the tripwire directory
Run the installation script
Accept the license agreement
Review the operations the installer says it will perform
Enter the site keyfile passphrase
Enter the local keyfile passphrase
Enter your site passphrase
The installation succeeds

Create a policy file

Write a clear-text policy, testpolicy.txt, naming the directory you want to check (/root/test_attack).

Compile and sign it with twadmin -m P, indicating the configuration file, the policy file you want to create (the signed, binary output), the site keyfile and the clear-text policy file.

Check the policy file: print the signed policy back with twadmin -m p. If it reads as you wrote it, there is no mistake.

Initialize the database

Run tripwire -m i; you must indicate the policy file, and the result is the database file.

Check your database file: print it with twprint -m d, indicating the database file. The files under /root/test_attack are listed in it.

Check your system

Run tripwire -m c. On an unchanged system the report lists no violations. Read the report every time: this is the output that tells you about an intrusion.

Modify your system

Operation: modify exe.cpp and add the file "ceo" to /root/test_attack.

Run the integrity check again: the report lists exactly the operations you did, exe.cpp as modified and ceo as added.

Update your database

Run tripwire -m u, indicating the latest report file. Before accepting, be sure that every listed modification is one you made; an update that accepts an attacker's change makes it part of the trusted baseline.

The crontab

Use crontab to run a Tripwire check every day at 0:00 and mail the report to the administrator ([email protected] on the slide).

The installed, signed configuration and policy files:

/etc/tripwire/tw.cfg
/etc/tripwire/tw.pol

Conclusion

Secure in depth: Tripwire detects changes after the fact and does not prevent them, so run it alongside other controls, keep the keys and the database where an intruder cannot rewrite them, and read the reports.
