Post on 21-Dec-2015
2004, Jei
Tripwire: An Intrusion Detection Tool
Information Networking Security and Assurance LabNational Chung Cheng University
Outline
What, How and The Goal
Overview
Example
Conclusion
Description
Tripwire is a tool that checks to see what has changed on your system.
Tripwire creates a database of advanced mathematical checksums to take a snapshot of a system's file properties and contents.
Tripwire monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
Web Site
Open source: http://www.tripwire.org
Commercial version: http://www.tripwire.com
Latest version: http://sourceforge.net/projects/tripwire/
Three passphrases you must set
Site keyfile passphrase
Local keyfile passphrase
Your site passphrase
The files you must know
$HOSTNAME-local.key: local key, used for the database and report files
site.key: site key, used for the configuration and policy files
tw.cfg: configuration file (binary)
twcfg.txt: configuration file (clear text)
tw.pol: policy file (binary)
twpol.txt: policy file (clear text)
The commands
tripwire, twadmin, twprint, siggen
The modes of tripwire
Database initialization mode: # tripwire -m i [options]
Integrity checking mode: # tripwire -m c [options] [object1 [object2...]]
Database update mode: # tripwire -m u [options]
Policy update mode: # tripwire -m p [options] policyfile.txt
Test mode: # tripwire -m t [options]
The operations of twadmin
Creating a configuration file: # twadmin -m F [options] cfg.txt
Printing a configuration file: # twadmin -m f [options]
Replacing a policy file: # twadmin -m P [options] policyfile.txt
Printing a policy file: # twadmin -m p [options]
Removing encryption from a file: # twadmin -m R [options] file1 [file2...]
Encrypting a file: # twadmin -m E [options] file1 [file2...]
Examining the encryption of a file: # twadmin -m e [options] file1 [file2...]
Generating a key: # twadmin -m G [options]
The modes of twprint
Report printing mode: # twprint -m r [options]
Database printing mode: # twprint -m d [options]
The operation of siggen
A utility that displays the hash function values for the specified files: # siggen [options] file1 [file2...]
Installation
OS: Debian GNU/Linux
The test directory: /root/test_attack (exe.cpp, ifs.inc, quota, sc-bw.zip)
Get the Tripwire package: http://www.tripwire.org/downloads/index.php
Untar and unzip the package
Go to the tripwire directory
Execute the installation script
License agreement
The operations that Tripwire will perform
Enter the site keyfile passphrase
Enter the local keyfile passphrase
Enter your site passphrase
Create a policy file
testpolicy.txt
The directory you want to check
Indicate the configuration file
The policy file you want to create
Indicate the site keyfile
The clear-text file
Check the policy file
The encrypted policy file
No mistake...
Check your system
The command
You must care
Modify your system
Operation: modify exe.cpp; add the file "ceo" to /root/test_attack
The operation you do
Update your database
Indicate the latest report file
Be sure of the modification
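The init / check / update cycle the slides walk through, as an added example that is not part of the original deck or of Tripwire itself: a minimal file-integrity checker that snapshots hash, size and mode of every file, reports added and modified objects after the exe.cpp change and the new "ceo" file, then accepts the changes into the baseline the way "tripwire -m u" does. File names and contents are constructed in a temporary directory; unlike Tripwire, this toy does not sign the database with a local key, so it is for illustration only.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Build the baseline 'database': SHA-256, size and mode of each regular file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, etc.
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = {"sha256": digest, "size": st.st_size, "mode": st.st_mode}
    return db


def integrity_check(baseline, current):
    """Compare two snapshots like 'tripwire -m c': objects added, removed or with changed attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Replay the slides' scenario on constructed files (names taken from the test directory)."""
    root = tempfile.mkdtemp(prefix="test_attack_")
    for name in ("exe.cpp", "ifs.inc", "quota", "sc-bw.zip"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed content of " + name.encode())
    baseline = snapshot(root)                            # tripwire -m i
    with open(os.path.join(root, "exe.cpp"), "ab") as f:  # modify exe.cpp
        f.write(b"\n// appended line\n")
    with open(os.path.join(root, "ceo"), "wb") as f:      # add the file "ceo"
        f.write(b"new file")
    report = integrity_check(baseline, snapshot(root))   # tripwire -m c
    baseline = snapshot(root)                            # tripwire -m u: accept the changes
    clean = integrity_check(baseline, snapshot(root))    # a re-check is now silent
    return report, clean
```

Run `demo()`: the first report lists "ceo" as added and "exe.cpp" as modified, and the second check after the update reports nothing.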
The crontab
Use crontab to run the Tripwire check every day at 0:00; the output will be mailed to m9335@cn.ee.ccu.edu.tw
/etc/tripwire/tw.cfg
/etc/tripwire/tw.pol