
Tripwire


Presentation Transcript


  1. Tripwire: An Intrusion Detection Tool. INSA, Information Networking Security and Assurance Lab, National Chung Cheng University. 2004, Jei

  2. Outline
     • What, How and The Goal
     • Overview
     • Example
     • Conclusion


  4. Description
     • Tripwire is a tool that checks what has changed on your system
     • Tripwire creates a database of checksums (cryptographic hashes) to take a snapshot of a system's file properties and contents
     • Tripwire monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.

  5. Web Site
     • Open source: http://www.tripwire.org
     • Commercial version: http://www.tripwire.com
     • Latest version: http://sourceforge.net/projects/tripwire/


  7. Three passwords you must set
     • site keyfile passphrase
     • local keyfile passphrase
     • your site passphrase

  8. The files you must know
     • $HOSTNAME-local.key: used for the database and report files
     • Site key: used for the configuration and policy files
     • tw.cfg: binary file; twcfg.txt: clear text
     • tw.pol: binary file; twpol.txt: clear text

  9. The commands
     • tripwire
     • twadmin
     • twprint
     • siggen

  10. The modes of tripwire
     • Database initialization mode: # tripwire -m i [options]
     • Integrity checking mode: # tripwire -m c [options] [object1 [object2…]]
     • Database update mode: # tripwire -m u [options]
     • Policy update mode: # tripwire -m p [options] policyfile.txt
     • Test mode: # tripwire -m t [options]

  11. The operations of twadmin
     • Creating a configuration file: # twadmin -m F [options] cfg.txt
     • Printing a configuration file: # twadmin -m f [options]
     • Replacing a policy file: # twadmin -m P [options] policyfile.txt
     • Printing a policy file: # twadmin -m p [options]
     • Removing encryption from a file: # twadmin -m r [options] file1 [file2…]
     • Encrypting a file: # twadmin -m E [options] file1 [file2…]
     • Examining the encryption of a file: # twadmin -m e [options] file1 [file2…]
     • Generating a key: # twadmin -m G [options]

  12. The modes of twprint
     • Report printing mode: # twprint -m r [options]
     • Database printing mode: # twprint -m d [options]

  13. The operation of siggen
     • A utility that displays the hash function values for the specified files
     • # siggen [options] file1 [file2…]


  15. Installation
     • OS: Debian GNU/Linux
     • The test directory: /root/test_attack, containing exe.cpp, ifs.inc, quota, sc-bw.zip
     • Get the tripwire package from http://www.tripwire.org/downloads/index.php
     (screenshot callouts: go to the tripwire directory; untar and unzip the package)

  16. Installation (screenshot callouts: execute the installation script; license agreement; the operations tripwire will perform)

  17. Installation (screenshot callouts: enter the site keyfile passphrase; enter your site passphrase; enter the local keyfile passphrase)

  18. Installation succeeded

  19. Create a policy file, testpolicy.txt (screenshot callouts: the directory you want to check; indicate the configuration file; indicate the site keyfile; the policy file you want to create; the clear-text file)

  20. Check the policy file (screenshot callouts: the encrypted policy file; no mistakes)

  21. Initialize the database (screenshot callouts: you must indicate the policy file; the database file)

  22. Check your database file (screenshot callouts: indicate the database file; the files included in /root/test_attack)

  23. Check your system (screenshot callouts: the command; the part you must pay attention to)

  24. Modify your system
     • Operation
       • Modify exe.cpp
       • Add the file "ceo" to /root/test_attack
     (screenshot callout: the operations you performed)

  25. Update your database (screenshot callouts: indicate the latest report file; confirm the modifications)
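The following is an added example, not part of the deck and not Tripwire's own code: a miniature integrity checker that walks through the same cycle as slides 10 and 21-25 (initialize a database, run a check, modify exe.cpp and add "ceo", update the database). The directory is a constructed temporary stand-in for /root/test_attack, SHA-256 stands in for Tripwire's checksums, and the HMAC key is a constructed stand-in for the local keyfile passphrase.

```python
import hashlib, hmac, json, os, shutil, stat, tempfile

def snapshot(root):
    """Per-file attributes a Tripwire check compares: hash, size, mode."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = {
                "sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    return db

def seal(db, local_key):
    """Sign the database with the local key, the role of the local keyfile."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hmac.new(local_key, blob, "sha256").hexdigest()

def load(blob, mac, local_key):
    if not hmac.compare_digest(mac, hmac.new(local_key, blob, "sha256").hexdigest()):
        raise ValueError("database signature mismatch")
    return json.loads(blob)

def integrity_check(baseline, current):
    """Compare a fresh snapshot with the baseline (what tripwire -m c reports)."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline.keys() & current.keys()
                               if baseline[p] != current[p])}

def demo(local_key=b"local-keyfile-passphrase"):   # constructed key, stand-in only
    root = tempfile.mkdtemp()                       # stand-in for /root/test_attack
    try:
        for name in ("exe.cpp", "ifs.inc", "quota", "sc-bw.zip"):
            with open(os.path.join(root, name), "w") as f:
                f.write("original " + name + "\n")
        blob, mac = seal(snapshot(root), local_key)          # tripwire -m i
        clean = integrity_check(load(blob, mac, local_key), snapshot(root))
        with open(os.path.join(root, "exe.cpp"), "a") as f:  # slide 24: modify exe.cpp
            f.write("// changed\n")
        with open(os.path.join(root, "ceo"), "w") as f:      # slide 24: add "ceo"
            f.write("new file\n")
        report = integrity_check(load(blob, mac, local_key), snapshot(root))
        blob, mac = seal(snapshot(root), local_key)          # tripwire -m u: accept changes
        after = integrity_check(load(blob, mac, local_key), snapshot(root))
        return clean, report, after
    finally:
        shutil.rmtree(root)
```

The signed database is the reason the deck's local keyfile passphrase matters: a database altered without the key fails verification before any check is run.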

  26. The crontab: use crontab to run the Tripwire check every day at 0:00; the output is mailed to m9335@cn.ee.ccu.edu.tw

  27. /etc/tripwire/tw.cfg and /etc/tripwire/tw.pol (screenshots of the two files)


  29. Secure In-Depth

  30. References
     • http://www.linuxforum.com/
     • http://www.tslg.idv.tw/modules/freecontent/index.php?id=12
