Xinwen Fu Tripwire Host Based Intrusion Detection System (HIDS) 91.580.203 Computer & Network...
19-Dec-2015
Xinwen Fu
Tripwire Host Based Intrusion Detection System (HIDS)
91.580.203 Computer & Network Forensics
Dr. Xinwen Fu 2
CS@UML
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
Where is the HIDS on the Internet?
http://www.inode.gr/img/internet_connection_small.jpg
Tripwire - Basic Functions
- Monitor system files to find when an intruder has made changes to those files for malicious intent
- Monitor the file-systems to find if any of the files have been compromised by taking a “snapshot” of the file system and comparing that snapshot to an existing baseline
- These comparisons are called integrity checks
- Integrity checks detect changes in critical system components, and Tripwire generates a report on any change(s) that are detected
- Tripwire does not, however, generate real-time alerts upon an intrusion
- It does not help with Kernel Level Module (KLM) rootkits
Tripwire Flavors
- The Tripwire software is a System Integrity Verifier (SIV) used to validate the system security posture and to assist in security auditing
- Tripwire comes in three flavors:
  (1) Open Source Tripwire: text-based logging, used from the command line
  (2) Tripwire for Servers
  (3) Tripwire Enterprise
- Can be used in a straight Windows, straight Unix, or homogeneous network
Key Tripwire Files
There are a number of files used for managing these components:
- Configuration file
  Plaintext configuration file: /etc/tripwire/twcfg.txt
  Signed configuration file: /etc/tripwire/tw.cfg
- Policy file
  Plaintext policy file: /etc/tripwire/twpol.txt
  Signed policy file: /etc/tripwire/tw.pol
- Site key file: /etc/tripwire/site.key
- Local key file: /etc/tripwire/$HOSTNAME.local.key
- Database file: /var/lib/tripwire/$HOSTNAME.twd
- Report file: /var/lib/tripwire/$HOSTNAME-date-time.twr
Key Tripwire Files
- Configuration file -- stores system-specific information that controls Tripwire operations. The configuration file should NOT be changed except through a configuration management process
- Policy file -- specifies how the Tripwire software monitors the system. This file consists of a list of rules which specify the system objects (directories and files) to monitor, and describes which changes to the objects should be reported and which ones can be ignored
- Database file -- provides a snapshot of each host, created by the rules in the policy file while the host is in a known secure state. It is used as a baseline to compare against the current state of the host to determine if any change has occurred
Key Tripwire Files (Cont.)
- Report file -- records the changes detected during an integrity check that violate the rules in the policy file
- Site key file / local key file -- store the public and private keys used to sign Tripwire files cryptographically, which prevents unauthorized modification
  Site key: signs the Tripwire configuration and policy files
  Local key: signs the Tripwire database files and may also sign the Tripwire report files
- To modify these files, you must provide the correct site or local passphrase/password. These passphrases must be kept in a safe place because if they are lost or forgotten, they cannot be recovered
Tripwire Configuration and Mode of Operations
- The following items for Tripwire are pre-set and configured by the installer:
  Keys
  Policy and configuration
  A Tripwire baseline for each host
- Mode of operations
  The system administrator should schedule Tripwire to run during a “low time” of operations: Tripwire utilizes system resources that may considerably slow down system performance
  The system administrator should not make any changes to the file system on any host unless they are valid changes and the change is clearly understood
How Tripwire works
Tripwire Work-Flow Diagram
1. Stores a baseline "snapshot" of the data
2. An integrity check compares the baseline to the current state of the data to identify changes
3.1. Reports a violation for each change
3.2. You examine changes and take appropriate action. This may include restoring changed data or updating the baseline
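As an added illustration of the baseline-and-compare cycle in steps 1 to 3.1 (this is not Tripwire's code; it is a stand-in written here that uses sha256sum as the snapshot and a plain-text file as the database), the following shell functions build a baseline the way `tripwire --init` does and, like `tripwire --check`, report each added, modified or removed file. The names snapshot, make_baseline and check_integrity are chosen for this example.

```shell
#!/bin/bash
# Hypothetical mini integrity checker (added illustration, not Tripwire code).
# It mirrors the slides' cycle: "--init"-style baseline, "--check"-style
# comparison, one violation line per change. The "database" is plain text:
# one "<sha256>  ./relative/path" line per file, exactly as sha256sum prints.

snapshot() {            # $1 = directory tree; prints its current state sorted by path
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

make_baseline() {       # $1 = directory tree, $2 = baseline database file to write
    snapshot "$1" > "$2"
}

# check_integrity DIR DB: compare DIR against the baseline DB. Prints sorted
# violations ("Added ./p", "Modified ./p", "Removed ./p"). Returns 0 when the
# tree is unchanged and 1 otherwise, so a cron job can act on the exit status.
check_integrity() {
    local dir="$1" db="$2" current violations
    current=$(mktemp)
    snapshot "$dir" > "$current"
    violations=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }  # load baseline hashes
        !($2 in base)       { print "Added " $2; next }
        base[$2] != $1      { print "Modified " $2 }
        { delete base[$2] }                          # seen, so not removed
        END { for (p in base) print "Removed " p }
    ' "$db" "$current" | sort)
    rm -f "$current"
    [ -n "$violations" ] && printf '%s\n' "$violations"
    [ -z "$violations" ]
}
```

Paths containing two consecutive spaces would confuse the field split; real Tripwire also records owner, mode and timestamps, not just a hash.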
How Tripwire works - 1 of 3
- The installer configures Tripwire with customized policy files to monitor the critical system resources on each host
- Based on the customized policy, Tripwire creates a baseline snapshot of each host in a known good state (after system build, configuration, and lockdown, but before connecting to the network)
- After the baseline is established, regular integrity checks are scheduled to run on each host, to monitor the hosts
How Tripwire works - 2 of 3
- An integrity check compares the baseline to the current state of the data to identify changes
How Tripwire Works - 3 of 3
From Tripwire integrity check results:
- Tripwire compares the current system state to the baseline for the file-systems and rules specified in the policy, and reports a violation for any change it detects
- A system administrator examines the Tripwire report to evaluate changes to the system and investigate the cause of the change
How Tripwire Works - 3 of 3 (Cont.)
- If changes are found to be malicious or unauthorized after investigation, take appropriate measures, such as restoring changed files and reporting the incident
- If changes are authorized/approved after investigation, update the baseline database to include the changes so that Tripwire no longer detects them as violations
- The installer will furnish an updated baseline database and policy file for authorized software patches and revisions. The system administrator would not need to update the baseline database.
System Administrator's Tasks
- Scheduling Tripwire to run
- Monitoring the integrity check
- Examining the Tripwire reports
- Evaluating violations and investigating those violations
System Administrator's Tasks
- Reporting any unauthorized change under the site incident response policy and procedures, and taking corrective measures if necessary
- No authorized changes should be detected -- some “false positives” will occur if the site's trusted personnel install patches/revisions.
- Software patches/revisions should also be provided on a “gold disk”, pre-tested and installed by the installer.
- Updating the Tripwire policy and database files
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
Install tripwire-2.4.0.1
Install from source:
Get the software from http://sourceforge.net/projects/tripwire
tar jxvf tripwire-2.4.0.1-src.tar.bz2
cd tripwire-2.4.0.1
./configure
make
ln -s contrib install   # to remove some bug
make install
Then use the default configuration and policy, and build the site key and local key
Install by yum:
yum install tripwire
Creating and Signing the Configuration File
After yum on Fedora Core 6, only /etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt exist
Initializing keys
Get into the tripwire folder: cd /etc/tripwire
Site key: twadmin -m G -S ./site.key
Local key: twadmin -m G -L ./$HOSTNAME-local.key
Sign files
Sign configuration file: twadmin --create-cfgfile -S site.key twcfg.txt
Sign policy file: twadmin --create-polfile -S site.key twpol.txt
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-tripwire-update-policy.html
http://linuxgazette.net/106/odonovan.html
Creating and Signing the Policy File
- Do not leave the plain-text versions of the configuration and policy files on your hard drive
  Move them onto a floppy disk, or encrypt them using a utility such as GPG
- Ensure that the permissions of the signed files are set such that they are only readable/writable by root: chmod 0600 tw.cfg tw.pol
- Sign the policy file and configuration file every time you change them
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html
Manually Running a Tripwire Integrity Check
Initialize the Tripwire database: tripwire --init
Check file-system integrity and generate a report: tripwire --check
View the Tripwire report: twprint -m r --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr | less
Examining and Evaluating Violations
- Valid violations due to normal user activities: run an update based on the report (you will be asked for the local passphrase)
  tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
- Valid violations due to normal system activities: examine the policy file, twpol.txt, make the appropriate changes, and update the database without a complete re-initialization.
  Note: make sure your database reflects the current status of the system based on the old policy
  tripwire --update-policy /usr/local/etc/twpol.txt
Create a New Baseline Database
Delete the baseline database: rm /var/lib/tripwire/hostname.twd
Create a new database: tripwire --init
Tripwire Big Picture
1. Install Tripwire and customize the policy file. See Section 19.3 Customizing Tripwire.
2. Initialize the Tripwire database. See Section 19.4 Initialize the Tripwire Database.
3. Run a Tripwire integrity check. See Section 19.5 Running an Integrity Check.
4. Examine the Tripwire report file. See Section 19.6.1 Viewing Tripwire Reports.
5. If unauthorized integrity violations occur, take appropriate security measures. Either replace the original files from backup copies, reinstall the program, or completely reinstall the operating system.
6. If the file alterations are valid, verify and update the Tripwire database file. Edit Tripwire's database file to ignore those changes in subsequent reports. For more information, see Section 19.7 Updating the Tripwire Database.
7. If the policy file fails verification, update the Tripwire policy file. Update the supplied policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database. For more information, see Section 19.8 Updating the Tripwire Policy File.
Customize your Policy File
Policy file: /etc/tripwire/twpol.txt
Policy guide: /usr/share/doc/tripwire-2.4.1.1/policyguide.txt
Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron
Run Tripwire Checking Daily by Cron
- The cron daemon, crond, runs an application at the time you specify
- In the /etc directory you will probably find some sub-directories called 'cron.hourly', 'cron.daily', 'cron.weekly' and 'cron.monthly'
- If you place a script into one of those directories it will be run either hourly, daily, weekly or monthly, depending on the name of the directory
http://www.unixgeeks.org/security/newbie/unix/cron-1.html
More Flexible Cron: /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
http://www.unixgeeks.org/security/newbie/unix/cron-1.html
Flexible Cron - How to Run a Script
minute hour dom month dow user cmd
- minute: what minute of the hour the command will run on; between '0' and '59'
- hour: what hour the command will run on, specified in the 24-hour clock; values must be between 0 and 23 (0 is midnight)
- dom: the day of month that you want the command run on, e.g. to run a command on the 19th of each month, the dom would be 19
- month: the month a specified command will run on; it may be specified numerically (0-12), or as the name of the month (e.g. May)
- dow: the day of week that you want a command to be run on; it can also be numeric (0-7) or the name of the day (e.g. sun)
- user: the user who runs the command
- cmd: the command that you want run. This field may contain multiple words or spaces
Examples of Running a Script
If you don't wish to specify a value for a field, just place a * in the field: it means any
Use the idea of Cross to explain a rule
minute hour dom month dow user cmd
1. 01 * * * * root echo "This command is run at one min past every hour"
2. 17 8 * * * root echo "This command is run daily at 8:17 am"
3. 17 20 * * * root echo "This command is run daily at 8:17 pm"
4. 00 4 * * 0 root echo "This command is run at 4 am every Sunday"
5. * 4 * * Sun root echo "So is this"
6. 42 4 1 * * root echo "This command is run 4:42 am every 1st of the month"
7. 01 * 19 07 * root echo "This command is run hourly on the 19th of July"
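To see how the five time fields of a crontab entry are matched, here is an added bash example (not from the slides) that evaluates slide-style specs (numbers, '*', or a month/day name; no ranges, lists or steps) against a given minute, hour, day of month, month and day of week. The functions name_to_number, field_matches and cron_matches are names chosen for this example.

```shell
#!/bin/bash
# Added example, not from the slides: decide whether a five-field crontab
# spec (minute hour dom month dow), written as on the slides with numbers,
# '*' or a month/day name, fires at a given time. Ranges, lists and steps
# ("1-5", "1,15", "*/10") are deliberately not handled.

name_to_number() {        # first three letters of a month/day name -> number
    case "$(printf '%s' "${1:0:3}" | tr 'A-Z' 'a-z')" in
        jan) echo 1 ;;  feb) echo 2 ;;  mar) echo 3 ;;  apr) echo 4 ;;
        may) echo 5 ;;  jun) echo 6 ;;  jul) echo 7 ;;  aug) echo 8 ;;
        sep) echo 9 ;;  oct) echo 10 ;; nov) echo 11 ;; dec) echo 12 ;;
        sun) echo 0 ;;  mon) echo 1 ;;  tue) echo 2 ;;  wed) echo 3 ;;
        thu) echo 4 ;;  fri) echo 5 ;;  sat) echo 6 ;;
        *)   echo -1 ;;                        # unknown name never matches
    esac
}

field_matches() {         # $1 = one field of the spec, $2 = actual value
    local spec="$1" val="$2" num
    [ "$spec" = '*' ] && return 0              # '*' means any value
    case "$spec" in
        *[!0-9]*) num=$(name_to_number "$spec") ;;   # e.g. Sun, July
        *)        num=$((10#$spec)) ;;               # "00" -> 0, "07" -> 7
    esac
    [ "$num" -eq "$val" ]
}

# cron_matches "MIN HOUR DOM MONTH DOW" min hour dom month dow -> 0 if it fires
cron_matches() {
    local min="$2" hour="$3" dom="$4" month="$5" dow="$6"
    local f_min f_hour f_dom f_month f_dow
    read -r f_min f_hour f_dom f_month f_dow <<< "$1"   # read does not glob '*'
    field_matches "$f_min" "$min" && field_matches "$f_hour" "$hour" &&
    field_matches "$f_dom" "$dom" && field_matches "$f_month" "$month" &&
    { field_matches "$f_dow" "$dow" ||
      { [ "$dow" -eq 0 ] && field_matches "$f_dow" 7; }; }   # dow 7 is Sunday too
}
```

Note that example 5 above fires at every minute of the 4 o'clock hour on Sunday, since its minute field is '*', whereas example 4 fires only at 04:00.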
Network Time Protocol
Get the NTP package if not installed: yum install ntp
NTP is a protocol designed to synchronize the clocks of computers over a network
NTP configuration file: /etc/ntp.conf
……
server 127.127.1.0    # local clock
server 10.0.0.192     # add this server
fudge 127.127.1.0 stratum 10
…….
Using NTP Server to Synchronize Machines
1. Change file permissions:
   chown ntp:ntp /etc/ntp
   chown ntp:ntp /etc/ntp/*
2. To get NTP configured to start at boot: chkconfig ntpd on
3. To start, stop and restart NTP after booting, follow these examples:
   service ntpd start
   service ntpd stop
   service ntpd restart
4. To test whether the NTP process is running: pgrep ntpd
5. Determining if NTP is synchronized properly: ntpq -p
http://www.siliconvalleyccie.com/linux-hn/ntp.htm
NTP Troubleshooting
- A wild time difference between the local machine and the primary time server causes an error (see /var/log/messages)
- Run the ntpdate -u command to force instant time synchronization with its NTP servers; ntpdate is not a daemon
  Run: service ntpd stop
  Run ntpdate three times: ntpdate -u 192.168.1.100
  Run: service ntpd restart
References
- Open Source Tripwire, http://sourceforge.net/projects/tripwire
- Fedora Core tutorials, 2006, http://www.unix-tutorials.com/tutorials.php?os=Fedora+Core
- Tripwire on your Fedora Box, April 15, 2005, http://www.unix-tutorials.com/go.php?id=250
- cogNiTioN, Newbie: Intro to cron, 30-Dec-99, http://www.unixgeeks.org/security/newbie/unix/cron-1.html
- Trevor Warren, Intrusion Detection Systems: Part II - Installing Tripwire, 2001-01-30, http://freeos.com/articles/3405/
- Joey, Tripwire Setup Guide, September 19th, 2003, http://www.linuxhelp.net/guides/tripwire
- Intrusion Detection with Tripwire, http://www.akadia.com/services/tripwire.html
- The NTP Server, July 2005, http://www.siliconvalleyccie.com/linux-hn/ntp.htm#_Toc91350036
nmap - Network exploration tool and security scanner
- Scans large networks to determine which hosts are up, what operating system the network unit uses, and what network services they are offering
- Supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan
Live Demo: Network mapper - nmap
Guess the remote host OS: nmap -sS -O 10.0.0.192
nmap Examples
nmap -v scanme.nmap.org
- This scans all reserved TCP ports on the machine scanme.nmap.org
- The -v option enables verbose mode
nmap -sS -O scanme.nmap.org/24
- -sS: launches a stealth SYN scan against each machine that is up out of the 255 machines on the class C network where scanme resides
- -O: also tries to determine what operating system is running on each host that is up and running
- This requires root privileges because of the SYN scan and OS detection
nmap Examples (Cont.)
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
- 198.116.0-255.1-127: launches host enumeration and a TCP scan at the first half of each of the 255 possible 8-bit subnets in the 198.116 class B address space
- -p 22,53,110,143,4564: tests whether the systems run sshd, DNS, pop3d, imapd, or port 4564
- -sV: for any of these ports found open, version detection is used to determine what application is running
Notes
Cygwin conflicts with openssh
Assignment 5: Find Topology of IA Lab
Your group machine root password: forensicsforensics
[Topology diagram: Internet; ialab.dsunix.net; Cisco Catalyst 2900 24 Switch; D-Link Hub; Cisco Catalyst 29XX 24 Switch; hosts 10.0.0.101, 10.0.0.102, 10.0.0.192, 10.0.0.55]