Xinwen Fu Tripwire Host Based Intrusion Detection System (HIDS) 91.580.203 Computer & Network Forensics

Date posted: 19-Dec-2015
Category: Documents
Pages: 40

Transcript of the slides:

Page 1:

Xinwen Fu
Tripwire Host Based Intrusion Detection System (HIDS)
91.580.203 Computer & Network Forensics

Page 2:

Dr. Xinwen Fu
CS@UML

Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron

Page 3:

Where is the HIDS on the Internet?
[Figure: http://www.inode.gr/img/internet_connection_small.jpg]

Page 4:

Tripwire - Basic Functions
- Monitors system files to find when an intruder has made changes to those files with malicious intent.
- Monitors the file systems to find whether any files have been compromised, by taking a "snapshot" of the file system and comparing that snapshot to an existing baseline.
- These comparisons are called integrity checks. Integrity checks detect changes in critical system components, and Tripwire generates a report on any change(s) that are detected.
- Tripwire does not, however, generate real-time alerts upon an intrusion.
- It does not help with Kernel Level Module (KLM) rootkits.

Page 5:

Tripwire Flavors
- The Tripwire software is a System Integrity Verifier (SIV) used to validate the system security posture and to assist in security auditing.
- Tripwire comes in three flavors:
    (1) Open Source Tripwire: text-based logging, command-line use
    (2) Tripwire for Servers
    (3) Tripwire Enterprise
- Can be used in a straight Windows, straight Unix, or homogeneous network.

Page 6:

Key Tripwire Files
There are a number of files used for managing these components:
- Configuration file
    Plaintext configuration file: /etc/tripwire/twcfg.txt
    Signed configuration file: /etc/tripwire/tw.cfg
- Policy file
    Plaintext policy file: /etc/tripwire/twpol.txt
    Signed policy file: /etc/tripwire/tw.pol
- Site key file: /etc/tripwire/site.key
- Local key file: /etc/tripwire/$HOSTNAME.local.key
- Database file: /var/lib/tripwire/$HOSTNAME.twd
- Report file: /var/lib/tripwire/$HOSTNAME-date-time.twr

Page 7:

Key Tripwire Files
- Configuration file: stores system-specific information that controls Tripwire operations. The configuration file should NOT be changed except through a configuration management process.
- Policy file: specifies how the Tripwire software monitors the system. This file consists of a list of rules which specify the system objects (directories and files) to monitor, and describes which changes to the objects should be reported and which ones can be ignored.
- Database file: provides a snapshot of each host, created by the rules in the policy file while the host is in a known secure state. It is used as the baseline to compare against the current state of the host to determine whether any change has occurred.

Page 8:

Key Tripwire Files (Cont.)
- Report file: records the changes detected during an integrity check that violate the rules in the policy file.
- Site key file / local key file: store the public and private keys used to sign Tripwire files cryptographically, to prevent unauthorized modification.
    Site key: signs the Tripwire configuration and policy files.
    Local key: signs the Tripwire database files, and may also sign the Tripwire report files.
- To modify these files, you must provide the correct site or local passphrase/password. These passphrases must be kept in a safe place, because if they are lost or forgotten they cannot be recovered.

Page 9:

Tripwire Configuration and Mode of Operations
- The following items for Tripwire are pre-set and configured by the installer:
    Keys
    Policy and configuration
    A Tripwire baseline for each host
- Mode of operations
    The system administrator should schedule Tripwire to run during a "low time" of operations: Tripwire utilizes system resources that may considerably slow down system performance.
    The system administrator should not make any changes to the file system on any host unless they are valid changes and the change is clearly understood.

Page 10:

How Tripwire Works
Tripwire work-flow diagram:
1. Stores a baseline "snapshot" of the data.
2. An integrity check compares the baseline to the current state of the data to identify changes.
3.1. Reports a violation for each change.
3.2. You examine the changes and take appropriate action. This may include restoring changed data or updating the baseline.
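The work flow on this slide (baseline snapshot, integrity check, one violation per change) together with the signed database file of slides 6 and 8, worked through as an added example in Python. This is neither Tripwire's code nor code from the slides: it snapshots a constructed temporary tree, stores the baseline with an HMAC under a passphrase-derived key as a stand-in for Tripwire's local key, reports added, removed and modified files, and refuses a baseline that has been edited. The file names, contents, passphrase and paths are all constructed for the demo.

```python
"""Added example, not Tripwire's code: the snapshot / check / report cycle in miniature.
The baseline is stored with an HMAC under a passphrase-derived key, standing in for
Tripwire's local key, so an edited or mis-keyed baseline is refused rather than trusted."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def snapshot_file(path):
    """Per-file record of the attributes a rule typically watches: mode, owner, size, content hash."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):            # hash regular files only; symlinks/devices keep metadata
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"mode": st.st_mode, "uid": st.st_uid, "size": st.st_size,
            "sha256": digest.hexdigest()}


def snapshot_tree(root):
    """Baseline 'snapshot': one record per file under root, keyed by relative path."""
    return {os.path.relpath(os.path.join(d, f), root): snapshot_file(os.path.join(d, f))
            for d, _dirs, files in os.walk(root) for f in files}


def _mac(payload, passphrase):
    # Stand-in for the local key: HMAC-SHA256 under a key derived from the passphrase.
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"example-salt", 50_000)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_baseline(path, db, passphrase):
    """Serialize the baseline and store it together with its MAC."""
    payload = json.dumps(db, sort_keys=True)
    with open(path, "w") as fh:
        json.dump({"db": payload, "mac": _mac(payload.encode(), passphrase)}, fh)


def read_baseline(path, passphrase):
    """Load a baseline, refusing it if the MAC does not verify (edited file or wrong passphrase)."""
    with open(path) as fh:
        wrapper = json.load(fh)
    if not hmac.compare_digest(wrapper["mac"], _mac(wrapper["db"].encode(), passphrase)):
        raise ValueError("baseline failed its signature check; refusing to use it")
    return json.loads(wrapper["db"])


def integrity_check(root, baseline):
    """Compare the tree with the baseline: one (kind, path, changed attributes) per violation."""
    current = snapshot_tree(root)
    violations = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            violations.append(("removed", rel, ""))
        elif rel not in baseline:
            violations.append(("added", rel, ""))
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                violations.append(("modified", rel, ",".join(changed)))
    return violations


def demo():
    """Constructed scenario: baseline a small tree, alter it, run the check, then try a forged baseline."""
    passphrase = "example-local-passphrase"          # constructed for the demo
    files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
             "etc/hosts": b"127.0.0.1 localhost\n",
             "bin/ls": b"\x7fELF original\n"}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as keep:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        baseline_path = os.path.join(keep, "host.twd")   # kept outside the monitored tree
        write_baseline(baseline_path, snapshot_tree(root), passphrase)

        # Unauthorized changes: a same-size content swap, a new file, a deleted file.
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"\x7fELF replaced\n")
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as fh:
            fh.write(b"x\n")
        os.remove(os.path.join(root, "etc/hosts"))
        violations = integrity_check(root, read_baseline(baseline_path, passphrase))

        # A baseline edited to drop the bin/ls record no longer verifies, so it is refused.
        with open(baseline_path) as fh:
            wrapper = json.load(fh)
        forged = json.loads(wrapper["db"])
        forged.pop("bin/ls")
        wrapper["db"] = json.dumps(forged, sort_keys=True)
        with open(baseline_path, "w") as fh:
            json.dump(wrapper, fh)
        try:
            read_baseline(baseline_path, passphrase)
            rejected = False
        except ValueError:
            rejected = True
    return violations, rejected
```

Calling demo() returns the violation list and whether the forged baseline was refused. The replaced bin/ls keeps its original size, so only the content hash reports it; a rule that records size and mode alone would miss that change, which is why the baseline carries a hash per file. Authorizing a change is then just re-running snapshot_tree and write_baseline, the equivalent of the slides' update step.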

Page 11:

How Tripwire Works - 1 of 3
- The installer configures Tripwire with customized policy files to monitor the critical system resources on each host.
- Based on the customized policy, Tripwire creates a baseline snapshot of each host in a known good state (after system build, configuration, and lockdown, but before connecting to the network).
- After the baseline is established, regular integrity checks are scheduled to run on each host, to monitor the hosts.

Page 12:

How Tripwire Works - 2 of 3
An integrity check compares the baseline to the current state of the data to identify changes.

Page 13:

How Tripwire Works - 3 of 3
From Tripwire integrity check results:
- Tripwire compares the current system state to the baseline on those file systems and rules specified in the policy, and reports a violation for any change it detects.
- A system administrator examines the Tripwire report to evaluate changes to the system and investigate the cause of the change.

Page 14:

How Tripwire Works - 3 of 3 (Cont.)
- If, after investigation, the changes are malicious or unauthorized, take appropriate measures, such as restoring changed files and reporting the incident.
- If, after investigation, the changes are authorized/approved, update the baseline database to include the changes so that Tripwire no longer detects them as violations.
    The installer will furnish an updated baseline database and policy file for authorized software patches and revisions. The system administrator would not need to update the baseline database.

Page 15:

System Administrator's Tasks
- Scheduling Tripwire to run
- Monitoring the integrity check
- Examining the Tripwire reports
- Evaluating violations and investigating those violations

Page 16:

System Administrator's Tasks
- Reporting any unauthorized change under the site incident response policy and procedures, and taking corrective measures if necessary.
- No authorized changes should be detected. Some "false positives" will occur if the site's trusted personnel install patches/revisions.
    Software patches/revisions should also be provided on a "gold disk", pre-tested and installed by the installer.
- Updating the Tripwire policy and database files.

Page 17:

Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron

Page 18:

Install tripwire-2.4.0.1
- Install from source
    Get the software from http://sourceforge.net/projects/tripwire
      tar jxvf tripwire-2.4.0.1-src.tar.bz2
      cd tripwire-2.4.0.1
      ./configure
      make
      ln -s contrib install   # to work around some bug
      make install
    Then use the default configuration and policy, and build the site key and local key.
- Install by yum
      yum install tripwire

Page 19:

Creating and Signing the Configuration File
- After yum on Fedora Core 6, only /etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt exist.
- Initializing keys
    Get into the tripwire folder: cd /etc/tripwire
    Site key:  twadmin -m G -S ./site.key
    Local key: twadmin -m G -L ./$HOSTNAME-local.key
- Sign files
    Sign the configuration file: twadmin --create-cfgfile -S site.key twcfg.txt
    Sign the policy file:        twadmin --create-polfile -S site.key twpol.txt

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-tripwire-update-policy.html
http://linuxgazette.net/106/odonovan.html

Page 20:

Creating and Signing the Policy File
- Do not leave the plain-text versions of the configuration and policy files on your hard drive:
    Move them onto a floppy disk, or
    Encrypt them using a utility such as GPG
- Ensure that the permissions of the signed files are set such that they are only readable/writable by root:
      chmod 0600 tw.cfg tw.pol
- Sign the policy file and configuration file every time you change them.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html

Page 21:

Manually Running a Tripwire Integrity Check
- Initialize the Tripwire database:
      tripwire --init
- Check file system integrity and generate a report:
      tripwire --check
- Read the Tripwire report:
      twprint -m r --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr | less

Page 22:

Examining and Evaluating Violations
- Valid violations due to normal user activities: run an update based on the report (you will be asked for the local passphrase):
      tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
- Valid violations due to normal system activities: examine the policy file, twpol.txt, make the appropriate changes, and then update the database without a complete re-initialization:
      tripwire --update-policy /usr/local/etc/twpol.txt
    Note: make sure your database reflects the current status of the system based on the old policy.

Page 23:

Create a New Baseline Database
- Delete the baseline database:
      rm /var/lib/tripwire/hostname.twd
- Create a new database:
      tripwire --init

Page 24:

Tripwire Big Picture
1. Install Tripwire and customize the policy file. See Section 19.3, Customizing Tripwire.
2. Initialize the Tripwire database. See Section 19.4, Initialize the Tripwire Database.
3. Run a Tripwire integrity check. See Section 19.5, Running an Integrity Check.
4. Examine the Tripwire report file. See Section 19.6.1, Viewing Tripwire Reports.
5. If unauthorized integrity violations occur, take appropriate security measures. Either replace the original files from backup copies, reinstall the program, or completely reinstall the operating system.
6. If the file alterations are valid, verify and update the Tripwire database file. Edit Tripwire's database file to ignore those changes in subsequent reports. For more information, see Section 19.7, Updating the Tripwire Database.
7. If the policy file fails verification, update the Tripwire policy file. Update the supplied policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database. For more information, see Section 19.8, Updating the Tripwire Policy File.

Page 25:

Customize Your Policy File
- Policy file: /etc/tripwire/twpol.txt
- Policy guide: /usr/share/doc/tripwire-2.4.1.1/policyguide.txt

Page 26:

Outline
- Introduction to Tripwire
- Installation of Tripwire
- Scheduling Tripwire by Cron

Page 27:

Run Tripwire Checking Daily by Cron
- The cron daemon, crond, runs an application at the time you want.
- In the /etc directory you will probably find some subdirectories called 'cron.hourly', 'cron.daily', 'cron.weekly' and 'cron.monthly'.
- If you place a script into one of those directories it will be run hourly, daily, weekly or monthly, depending on the name of the directory.

http://www.unixgeeks.org/security/newbie/unix/cron-1.html

Page 28:

More Flexible Cron: /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly

http://www.unixgeeks.org/security/newbie/unix/cron-1.html

Page 29:

Flexible Cron - How to Run a Script
Each line has the form:
    minute hour dom month dow user cmd

minute  The minute of the hour the command will run on; between '0' and '59'.
hour    The hour the command will run on, specified in the 24-hour clock; values must be between 0 and 23 (0 is midnight).
dom     The day of month you want the command run on, e.g. to run a command on the 19th of each month, the dom would be 19.
month   The month a specified command will run on; it may be specified numerically (0-12) or as the name of the month (e.g. May).
dow     The day of week you want the command to be run on; it can be numeric (0-7) or the name of the day (e.g. sun).
user    The user who runs the command.
cmd     The command that you want run. This field may contain multiple words or spaces.

Page 30:

Examples of Running a Script
- If you don't wish to specify a value for a field, just place a * in the field: it means "any".
- Use the idea of a cross of the fields to explain a rule.

    minute hour dom month dow user cmd
    01 * * * * root echo "This command is run at one min past every hour"
    17 8 * * * root echo "This command is run daily at 8:17 am"
    17 20 * * * root echo "This command is run daily at 8:17 pm"
    00 4 * * 0 root echo "This command is run at 4 am every Sunday"
    * 4 * * Sun root echo "So is this"
    42 4 1 * * root echo "This command is run 4:42 am every 1st of the month"
    01 * 19 07 * root echo "This command is run hourly on the 19th of July"
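As an added example (not from the slides or the cited cron tutorial), a Python matcher for 5-field crontab entries that checks each example line above against a given minute and lists when a constructed /etc/crontab entry for the nightly tripwire --check fires in a week. The crontab contents, the dates and the /usr/sbin/tripwire path are assumptions for the demo. It goes a little beyond the slide: names (Sun, May), comma lists, ranges and the two spellings of Sunday (0 and 7) are handled, and it implements the Vixie cron rule that when both the day-of-month and the day-of-week fields are restricted the entry fires when either one matches.

```python
"""Added example: matcher for 5-field crontab entries (not the slides' or cron's own code).
Every field must match the current minute for a command to fire; the one exception is the
Vixie cron rule that a restricted dom and a restricted dow fire when EITHER matches."""
import datetime

MONTH_NAMES = {name: i for i, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}
DAY_NAMES = {name: i for i, name in enumerate(
    ["sun", "mon", "tue", "wed", "thu", "fri", "sat"])}


def parse_field(field, lo, hi, names=None):
    """Expand one crontab field ('*', '5', '1-5', 'mon,wed', 'May') into a set of ints."""
    names = names or {}
    if field == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in field.lower().split(","):
        start, _, end = part.partition("-")
        first = int(names.get(start, start))
        last = int(names.get(end, end)) if end else first
        if not (lo <= first <= last <= hi):
            raise ValueError(f"field {field!r} is outside {lo}-{hi}")
        values.update(range(first, last + 1))
    return values


def matches(spec, when):
    """True if the 5-field spec 'minute hour dom month dow' fires at datetime `when`."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour dom month dow")
    minute, hour, dom, month, dow = fields
    minutes = parse_field(minute, 0, 59)
    hours = parse_field(hour, 0, 23)
    doms = parse_field(dom, 1, 31)
    months = parse_field(month, 1, 12, MONTH_NAMES)            # crontab(5) months are 1-12
    dows = {0 if d == 7 else d for d in parse_field(dow, 0, 7, DAY_NAMES)}  # 7 is Sunday too
    cron_dow = (when.weekday() + 1) % 7                        # Python Mon=0 -> cron Sun=0
    if dom != "*" and dow != "*":
        day_ok = when.day in doms or cron_dow in dows          # both restricted: either matches
    else:
        day_ok = when.day in doms and cron_dow in dows
    return (when.minute in minutes and when.hour in hours
            and when.month in months and day_ok)


def parse_crontab_line(line):
    """Split a system crontab line into (spec, user, command); None for blanks, comments, VAR=value."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split(None, 6)
    if len(parts) != 7:
        raise ValueError(f"malformed crontab line: {line!r}")
    return " ".join(parts[:5]), parts[5], parts[6]


def fire_times(spec, start, end):
    """Every minute in [start, end) at which the spec fires; handy for sanity-checking a schedule."""
    times = []
    t = start.replace(second=0, microsecond=0)
    while t < end:
        if matches(spec, t):
            times.append(t)
        t += datetime.timedelta(minutes=1)
    return times


def at(year, month, day, hour=0, minute=0):
    """Small helper so callers can name a minute without importing datetime."""
    return datetime.datetime(year, month, day, hour, minute)


# Constructed system crontab running the slides' daily Tripwire check (path is an assumption).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
MAILTO=root
# integrity check during the nightly "low time"
02 4 * * * root /usr/sbin/tripwire --check
"""


def schedule_in_week(start=at(2015, 12, 13)):
    """Map each command in SAMPLE_CRONTAB to the minutes it fires in the week from `start`."""
    end = start + datetime.timedelta(days=7)
    result = {}
    for line in SAMPLE_CRONTAB.splitlines():
        parsed = parse_crontab_line(line)
        if parsed:
            spec, _user, cmd = parsed
            result[cmd] = fire_times(spec, start, end)
    return result


if __name__ == "__main__":
    for cmd, times in schedule_in_week().items():
        print(cmd, "->", [t.isoformat(" ") for t in times])
```

fire_times is the check worth running before trusting a new entry: a line such as "* 4 * * Sun" fires sixty times on Sunday morning rather than once, and an entry with both dom and dow restricted fires on more days than a first reading suggests.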

Page 31:

Network Time Protocol
- Get the NTP package if not installed:
      yum install ntp
- NTP is a protocol designed to synchronize the clocks of computers over a network.
- NTP configuration file: /etc/ntp.conf
      ......
      server 127.127.1.0   # local clock
      server 10.0.0.192    # add this server
      fudge 127.127.1.0 stratum 10
      ......

Page 32:

Using an NTP Server to Synchronize Machines
1. Change file permissions:
      chown ntp:ntp /etc/ntp
      chown ntp:ntp /etc/ntp/*
2. To get NTP configured to start at boot:
      chkconfig ntpd on
3. To start, stop and restart NTP after booting, follow these examples:
      service ntpd start
      service ntpd stop
      service ntpd restart
4. To test whether the NTP process is running:
      pgrep ntpd
5. Determining if NTP is synchronized properly:
      ntpq -p

http://www.siliconvalleyccie.com/linux-hn/ntp.htm

Page 33:

NTP Troubleshooting
- A wild time difference between the local machine and the primary time server causes an error (see /var/log/messages).
- Run the ntpdate -u command to force instant time synchronization with its NTP servers; ntpdate is not a daemon:
      service ntpd stop
      ntpdate -u 192.168.1.100   # run ntpdate three times
      service ntpd restart

Page 34:

References
- Open Source Tripwire, http://sourceforge.net/projects/tripwire
- Fedora Core tutorials, 2006, http://www.unix-tutorials.com/tutorials.php?os=Fedora+Core
- Tripwire on your Fedora Box, April 15, 2005, http://www.unix-tutorials.com/go.php?id=250
- cogNiTioN, Newbie: Intro to cron, 30-Dec-99, http://www.unixgeeks.org/security/newbie/unix/cron-1.html
- Trevor Warren, Intrusion Detection Systems: Part II - Installing Tripwire, 2001-01-30, http://freeos.com/articles/3405/
- Joey, Tripwire Setup Guide, September 19th, 2003, http://www.linuxhelp.net/guides/tripwire
- Intrusion Detection with Tripwire, http://www.akadia.com/services/tripwire.html
- The NTP Server, July 2005, http://www.siliconvalleyccie.com/linux-hn/ntp.htm#_Toc91350036

Page 35:

nmap - Network Exploration Tool and Security Scanner
- Scans large networks to determine:
    Which hosts are up
    What operating system each network unit uses
    What network services they are offering
- Supports a large number of scanning techniques, such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan.

Page 36:

Live Demo: Network Mapper - nmap
Guess the remote host OS:
      nmap -sS -O 10.0.0.192

Page 37:

nmap Examples
      nmap -v scanme.nmap.org
- This scans all reserved TCP ports on the machine scanme.nmap.org. The -v option enables verbose mode.

      nmap -sS -O scanme.nmap.org/24
- -sS: launches a stealth SYN scan against each machine that is up out of the 255 machines on the class C network where scanme resides.
- -O: also tries to determine what operating system is running on each host that is up and running.
- This requires root privileges because of the SYN scan and OS detection.

Page 38:

nmap Examples (Cont.)
      nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
- 198.116.0-255.1-127: launches host enumeration and a TCP scan at the first half of each of the 255 possible 8-bit subnets in the 198.116 class B address space.
- -p 22,53,110,143,4564: tests whether the systems run sshd, DNS, pop3d, imapd, or port 4564.
- -sV: for any of these ports found open, version detection is used to determine what application is running.

Page 39:

Notes
- Cygwin conflicts with openssh.

Page 40:

Assignment 5: Find Topology of IA Lab
Your group machine root password: forensicsforensics

[Network diagram; labels: Internet, ialab.dsunix.net, Cisco Catalyst 2900 24 Switch, D-Link Hub, Cisco Catalyst 29XX 24 Switch, 10.0.0.101, 10.0.0.102, 10.0.0.192, 10.0.0.55]