LINUX SECURITY --- August 15, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Tripwire helps add a little peace of mind.
*********************************************************************
Integrity Checking Through Tripwire
by Rick Johnson
It's late on a Saturday night and you've settled into bed. Just as you
drift off to sleep, a ringing phone snaps you back to reality. Your
network has been cracked! Acting with finely honed instincts as your
guide, you expertly fix the hole and restore order out of chaos.
However, you are left with one nagging question: "What did they
change?" Had you installed Tripwire, that question would be easy to answer.
Tripwire (available from http://www.tripwire.com) creates a database of
important system files called a "snapshot" or baseline, taken while the
computer is in a known secure state. You specify the directories and
files that you want to monitor as well as the properties to record for
each file (last write time, file size, access permissions, and
cryptographic hashes of the contents). That information is stored in the
Tripwire database file. On each later check, Tripwire compares the live
file system against the database and reports any additions, deletions,
or changes to the monitored files. If the changes are legitimate (a
patch you applied, for instance), you update the baseline database with
the new information. If they are not, you know immediately which files
on which host were touched, which is exactly the question that phone
call left you with.
Note from Tripwire: The free version of Tripwire is officially supported
on RedHat 5.2 and 6.0. Other distributed versions of Linux are not
officially supported, but basic functionality has been verified on
RedHat 6.1, and various distributions of Debian, Caldera, Open Linux,
and SuSE systems using Linux kernel 2.0.36 or higher.
Installation itself is fairly simple. First, download the package;
then un-gzip and un-tar the downloaded file. The rest must be done as
root. Next you simply type:
./install.sh
This command begins the installation process, which asks you to accept
the License Agreement and where to install the files. Finally, you will
need to choose the site and local key passphrases. The site key signs
the configuration and policy files; the local key signs the database and
the reports. Choose a different passphrase for each, and do not lose
them: without the local passphrase you cannot initialize or update the
database, and without the site passphrase you cannot change the policy.
This yields an installation with all the provided defaults; of course,
you should customize the policy file to match your particular system.
After installation and any customization, be sure to delete the
plaintext twcfg.txt and twpol.txt files: Tripwire reads only the signed
tw.cfg and tw.pol, and a readable policy file tells an intruder exactly
which files are not being watched. If you need the plaintext again later,
twadmin --print-cfgfile and twadmin --print-polfile regenerate it from
the signed copies.
The next step is to initialize the baseline database using the command:
/usr/TSS/bin/tripwire --init
Tripwire prompts for the local passphrase, since the database it writes
is signed with the local key. Do this right after a clean install and
before the machine is exposed to the network; a baseline taken from an
already compromised system faithfully records the compromise as normal.
I highly recommend storing a copy of the database (together with the
signed policy and configuration files) on read-only media to minimize
the risk of a database compromise. Although a remote possibility, there
is no sense in taking chances.
To verify the system you can run a basic integrity check with the
following command:
/usr/TSS/bin/tripwire --check --interactive
This command causes Tripwire to use the rules in the policy file to
review the current state of the system and compare the results to the
database file. Without --interactive, the check simply writes a signed
report. With --interactive, Tripwire opens the finished report in your
editor (vi by default, as set by the EDITOR entry in the configuration
file) with a check box beside each violation; when you save and quit,
every entry still checked is accepted into the database after you supply
the local passphrase. Uncheck anything you cannot explain before you
save, or you will have blessed the intruder's change as the new baseline.
The same acceptance step can be done later against a saved report with
tripwire --update.
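The snapshot-and-compare cycle described above (the baseline database, then
the --init and --check steps), reduced to its essentials as an added
example. This is not Tripwire's code and not the article's: it is a small
Python script that baselines a directory tree, recording the properties the
article lists plus a SHA-256 of each file's contents, and then reports
additions, deletions and changed properties, the same classes of change
Tripwire reports. The fake system tree, its file contents and the
"intrusion" staged in demo() are constructed for the illustration. There is
no signing and no policy language; the baseline is a plain JSON file, which
is exactly why the article's advice to keep the database on read-only media
matters.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict

# Properties recorded per file: the ones the article names (size, permission
# bits, last write time) plus a content hash, which catches a trojaned binary
# that an attacker has padded to the original size and touched back in time.
TRACKED = ("size", "mode", "mtime", "sha256")


def _sha256(path: str) -> str:
    # Whole-file read is fine for a toy; a real tool streams in chunks.
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Record the tracked properties of every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are ignored here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "mtime": int(st.st_mtime),
                "sha256": _sha256(full),
            }
    return entries


def init_baseline(root: str, db_path: str) -> None:
    """Counterpart of 'tripwire --init': write the snapshot as the baseline."""
    with open(db_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)


def check(root: str, db_path: str) -> Dict[str, list]:
    """Counterpart of 'tripwire --check': diff the live tree against baseline.

    Returns added paths, removed paths and (path, [changed properties]) pairs.
    """
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = snapshot(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": [],
    }
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in TRACKED if current[rel][k] != baseline[rel][k]]
        if diffs:
            report["changed"].append((rel, diffs))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a tiny fake system tree, tamper, re-check."""
    root = tempfile.mkdtemp(prefix="itw-root-")
    db_dir = tempfile.mkdtemp(prefix="itw-db-")  # database kept outside the tree
    t0 = 1_000_000_000  # fixed timestamps so the result is deterministic
    files = {  # constructed sample files, not real system contents
        "bin/ls": "#!/bin/sh\nexec /bin/ls \"$@\"\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": "root:!:0:0:99999:7:::\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600 if rel == "etc/shadow" else 0o644)
        os.utime(path, (t0, t0))
    db = os.path.join(db_dir, "baseline.json")
    init_baseline(root, db)

    # Staged intrusion: a binary dropped, a binary removed, a root-equivalent
    # account appended to passwd, shadow made world-readable (chmod changes
    # the mode but leaves mtime and the content hash untouched).
    with open(os.path.join(root, "bin/rootkit"), "w") as fh:
        fh.write("evil\n")
    os.remove(os.path.join(root, "bin/ls"))
    with open(os.path.join(root, "etc/passwd"), "a") as fh:
        fh.write("toor:x:0:0::/:/bin/sh\n")
    os.utime(os.path.join(root, "etc/passwd"), (t0 + 60, t0 + 60))
    os.chmod(os.path.join(root, "etc/shadow"), 0o644)

    try:
        return check(root, db)
    finally:
        shutil.rmtree(root)
        shutil.rmtree(db_dir)
```

Calling demo() returns the added file bin/rootkit, the removed bin/ls,
etc/passwd flagged on size, mtime and hash, and etc/shadow flagged on mode
alone. That last case is the point of recording several properties: a
checker that watched only timestamps would miss the permission change, and
one that watched only permissions would miss the edited passwd.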
I have only scratched the surface of the possible commands Tripwire has
to offer and, while this tutorial is by no means complete, it should be
enough to get you started. The peace of mind offered by Tripwire is
invaluable to the ever-stressed security engineer. Without it, you will
never really know if you can trust your server.
Resources
Tripwire: The next generation of security tools
Host-level devices send up flares when files are changed.
http://www.sunworld.com/sunworldonline/swol-02-2000/swol-02-security.html
Securing your network: An introduction to TCP wrappers
With wrappers, there is no need to modify existing daemons.
http://www.sunworld.com/sunworldonline/swol-06-2000/swol-06-tcp.html
Forensics
Getting to the bottom of a security breach.
http://www.sunworld.com/sunworldonline/swol-07-2000/swol-0721-security.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************