Security SIG: Introduction to Tripwire
Transcript of Security SIG: Introduction to Tripwire
Chris Harwood
John Ives
What is Tripwire?
- Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc.)
- Enables admins to detect files that are added, modified or deleted
- Provides a history of what changes during patching
- Two components (for today’s discussion):
  - Tripwire for Servers (command line)
  - Tripwire Manager (GUI front end)
What can run Tripwire?
- Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B
- FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3
- HP-UX 10.20, 11.0, 11i v1 & 11i v2
- IBM AIX 4.3.3, 5.1, 5.2 & 5.3
- Linux (kernel 2.2 and glibc 2.x or higher)
- Red Hat Enterprise Linux 3 & 4 AS, WS & ES
- Solaris (SPARC) 2.6, 7, 8, 9 & 10
- Windows NT 4.0, 2000, 2003 & XP Pro
How do you get Tripwire?
- Licensed for use by all UC campuses
- Locally it is distributed via http://softdist.berkeley.edu/
- Fill out the form and fax in the appropriate paperwork
- Download instructions are sent via email
Tripwire for Servers
- Command line utility
- Keeps an encrypted database of file/registry attributes (including 4 hashing algorithms: HAVAL, MD5, SHA and CRC-32)
- Can detect changes to 29 object properties and 21 registry keys/values on Windows, and 21 object properties on UNIX
- Can notify of changes via syslog, email or SNMP
- Can output results in XML or HTML
Object Properties - Windows
- Archive flag
- Read-only flag
- Hidden flag
- Offline flag
- Temporary flag
- System flag
- Directory flag
- Last access time
- Last write time
- Create time
- File size
- Turns on event tracking for that object
- MS-DOS 8.3 name
- NTFS Compressed flag
- NTFS Owner SID
- NTFS Group SID
- NTFS DACL
- NTFS SACL
- Security descriptor control
- Size of security descriptor
- CRC-32
- MD5
- SHA
- HAVAL
- Number of NTFS streams
- CRC-32 hash of all alternative data streams
- MD5 hash of all alternative data streams
- SHA hash of all alternative data streams
- HAVAL hash of all alternative data streams
Registry Properties - Windows
Registry key objects:
- Last write time
- Owner SID
- Group SID
- DACL
- SACL
- Security descriptor control
- Size of security descriptor for the key
- Name of class
- Number of subkeys
- Maximum length of subkey name
- Maximum length of classname
- Number of values
- Maximum length for value name
- Maximum length of data for any value in the key
- Turns on event tracking for that object
Registry value objects:
- Type of value data
- Length of value data
- CRC-32 hash of value data
- MD5 hash of value data
- SHA hash of value data
- HAVAL hash of value data
Object Properties - UNIX
- File permissions
- Inode number
- Number of links (inode reference count)
- User ID of owner
- Group ID of owner
- File size
- Device number of the disk where the inode for the file is stored
- For device objects only: number of the device to which the inode points
- Number of blocks allocated
- Modification timestamp
- Inode creation/modification timestamp
- File size (violated if file is not larger than its last recorded size)
- Access timestamp
- Object event tracking
- Flags
- CRC-32
- MD5
- SHA
- HAVAL
- ACL settings
- Inode generation number
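The property lists above are what a file-integrity checker actually compares. As an added example (not part of the SIG transcript and not Tripwire's code), here is a small Python baseline-and-check tool that records a subset of the UNIX properties (permissions, inode, link count, owner, group, size, mtime, ctime) plus CRC-32, MD5 and SHA-1 for regular files, then reports which objects were added, modified or deleted and which properties changed. HAVAL is not available in Python's hashlib, so it is left out; the `ignore` parameter stands in for the way a policy masks noisy properties. The sample tree and edits in `demo()` are constructed for the example.

```python
"""Minimal Tripwire-style file integrity check (added example, not Tripwire's code)."""
import hashlib
import os
import stat
import tempfile
import zlib

# Properties compared during a check (a subset of the UNIX list). Access time
# is deliberately not recorded: reading a file to hash it would disturb it.
WATCHED_PROPS = ("mode", "inode", "nlink", "uid", "gid", "size",
                 "mtime", "ctime", "crc32", "md5", "sha1")


def snapshot_file(path):
    """Record the watched properties of one filesystem object."""
    st = os.lstat(path)
    props = {
        "mode": stat.S_IMODE(st.st_mode),
        "inode": st.st_ino,
        "nlink": st.st_nlink,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
    }
    if stat.S_ISREG(st.st_mode):  # hash regular file contents only
        with open(path, "rb") as f:
            data = f.read()
        props["crc32"] = zlib.crc32(data) & 0xFFFFFFFF
        props["md5"] = hashlib.md5(data).hexdigest()
        props["sha1"] = hashlib.sha1(data).hexdigest()
    return props


def build_database(root):
    """Walk `root` and snapshot every file, keyed by path relative to root."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot_file(full)
    return db


def integrity_check(baseline, current, ignore=()):
    """Compare two databases. Properties named in `ignore` are masked.
    Returns added and deleted paths plus modified path -> changed properties."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        changed = [p for p in WATCHED_PROPS
                   if p not in ignore and baseline[path].get(p) != current[path].get(p)]
        if changed:
            modified[path] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: baseline a temp tree, then modify, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_database(root)

        # Changes an admin would expect a nightly check to flag.
        with open(os.path.join(etc, "passwd"), "a") as f:  # modified (same inode)
            f.write("newuser:x:1001:1001:New User:/home/newuser:/bin/sh\n")
        with open(os.path.join(etc, "shadow"), "w") as f:  # added
            f.write("root:*:0:0:99999:7:::\n")
        os.remove(os.path.join(etc, "hosts"))  # deleted

        return integrity_check(baseline, build_database(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Appending to a file in place keeps its inode and mode but changes size, the timestamps and all three hashes, which is why a real policy watches several independent properties rather than just one: an edit that preserves size, or a tool that resets timestamps, still trips the hash comparison.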
Pass Phrases
- Local passphrase: used to protect the database and (optionally) report files
- Site passphrase: used to protect the policy and configuration files
- Manager passphrase: stores the local and site passwords of each server using triple-DES encryption with a 168 bit key length
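The point of the local passphrase is that the baseline database is itself a target: if someone who changed a monitored file could also rewrite the database entry, the check would stay green. As an added example (not from the SIG transcript and not Tripwire's key or signature format, which this does not reproduce), the Python below derives a key from a passphrase with PBKDF2 and seals the database JSON with an HMAC-SHA256 tag, so the checker refuses a database whose contents were edited or that is opened with the wrong passphrase. The database contents and passphrase in `demo()` are constructed.

```python
"""Passphrase-protected integrity database (added example, HMAC stand-in for
Tripwire's own signing scheme)."""
import base64
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; tune for the host


class DatabaseTampered(Exception):
    """Raised when the database MAC does not verify."""


def _derive_key(passphrase, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def _canonical(db):
    # Canonical JSON so the MAC is independent of dict ordering.
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_database(db, passphrase, salt=None):
    """Return a self-describing envelope: salt, iterations, payload and MAC."""
    salt = salt or os.urandom(16)
    payload = _canonical(db)
    key = _derive_key(passphrase, salt, KDF_ITERATIONS)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    envelope = {
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": KDF_ITERATIONS,
        "payload": base64.b64encode(payload).decode("ascii"),
        "mac": tag,
    }
    return json.dumps(envelope).encode("utf-8")


def open_database(blob, passphrase):
    """Verify the MAC before trusting any entry; raise DatabaseTampered otherwise."""
    envelope = json.loads(blob)
    salt = base64.b64decode(envelope["salt"])
    payload = base64.b64decode(envelope["payload"])
    key = _derive_key(passphrase, salt, int(envelope["iterations"]))
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        raise DatabaseTampered("MAC mismatch: wrong passphrase or modified database")
    return json.loads(payload)


def demo():
    """Constructed scenario: seal, reopen, then detect an edited payload and a wrong passphrase."""
    passphrase = "constructed-example-passphrase"
    db = {"/etc/hosts": {"size": 200, "md5": "bb22"},
          "/etc/passwd": {"size": 1024, "md5": "aa11"}}
    blob = seal_database(db, passphrase)
    results = {"roundtrip": open_database(blob, passphrase) == db}

    # Rewrite the stored baseline entry without knowing the passphrase: the
    # old MAC no longer matches the edited payload.
    envelope = json.loads(blob)
    forged = {"/etc/hosts": {"size": 230, "md5": "bb23"},
              "/etc/passwd": db["/etc/passwd"]}
    envelope["payload"] = base64.b64encode(_canonical(forged)).decode("ascii")
    try:
        open_database(json.dumps(envelope).encode("utf-8"), passphrase)
        results["tampered_detected"] = False
    except DatabaseTampered:
        results["tampered_detected"] = True

    try:
        open_database(blob, "not-the-passphrase")
        results["wrong_passphrase_detected"] = False
    except DatabaseTampered:
        results["wrong_passphrase_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A MAC only proves the database was sealed by someone holding the passphrase; it does not hide the contents, which is why Tripwire also encrypts. The operational caveat the slide implies still applies: the passphrase must not live on the monitored host in a file the checker itself is not watching.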
Demonstration: Installing Tripwire for Servers on Windows
Demonstration: Tripwire for Servers command line options and default policy
Installation on Linux
- glibc must be installed: up2date -u glibc or glibc-devel
- Install the agent
  - Site key & local key
  - Mail method: SMTP for relay, sendmail for localhost
  - SNMP set to no
  - IP address, port 1169
- Firewall rules: manager to server (1024-65535 to 1169)
- Startup scripts
- Start agent
- Register in Tripwire Manager
Demonstration: Installing Tripwire for Servers on Linux
Tripwire Manager
- GUI for managing (policy, schedule, etc.) Tripwire for Servers
- Written in Java (supported on Solaris 7-9, Windows NT4-2003 and Red Hat Linux 7-9 & Enterprise Linux 3 & 4 AS, WS & ES)
- Can manage multiple Tripwire for Servers installations
- Uses SSL to communicate with Tripwire for Servers (bi-directional authentication)
Demonstration: Installing Tripwire Manager on Windows
Registering a server
- Add Machine: hostname, group, address, port
Demonstration: Registering a server with Manager
Demonstration: Using Tripwire Manager to edit policy, settings and schedule
Initial Config
- Edit config file: event tracking, mail no violation reports, global email
- Initialize the database (8 min)
- Perform integrity check (10 min)
- Update policy file: don’t overwrite
Post Integrity Check
- View report: objects (UNIX, Windows)
- Update database: update, don’t approve violations
- Re-run integrity check
- Continue until status is green
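The "update, don't approve" step is the part of this loop worth getting right: approving a violation re-baselines the object, while leaving it unapproved keeps the old entry so it is reported again on the next run. As an added example (not from the SIG transcript and not Tripwire's code), the Python below models that review cycle over plain snapshot dictionaries: check, accept only the approved violations into the database, re-check, and stop when the status is green or the unapproved violations are all that remain. The baseline, post-change snapshot and approval decisions are constructed values.

```python
"""Approval-gated database update loop (added example, not Tripwire's code)."""


def check(baseline, current):
    """Report added, deleted and modified objects between two snapshots
    (path -> dict of recorded properties)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def status(report):
    """Green only when no category of violation remains."""
    return "green" if not any(report.values()) else "red"


def update_database(baseline, current, report, approved):
    """Return a new baseline in which only approved violations are accepted.
    Unapproved entries keep their old baseline value, so they are reported
    again on the next check."""
    new_db = dict(baseline)
    for path in report["added"]:
        if path in approved:
            new_db[path] = current[path]
    for path in report["deleted"]:
        if path in approved:
            del new_db[path]
    for path in report["modified"]:
        if path in approved:
            new_db[path] = current[path]
    return new_db


def review_cycle(baseline, current, approved, max_rounds=3):
    """Check -> update approved -> re-check until green or rounds exhausted.
    Returns (status, final baseline, list of still-unresolved paths)."""
    db = baseline
    for _ in range(max_rounds):
        report = check(db, current)
        if status(report) == "green":
            return "green", db, []
        db = update_database(db, current, report, approved)
    report = check(db, current)
    unresolved = report["added"] + report["deleted"] + report["modified"]
    return status(report), db, unresolved


# Constructed snapshots: the state after a patch window.
BASELINE = {
    "/etc/passwd": {"size": 1024, "md5": "aa11"},
    "/etc/hosts": {"size": 200, "md5": "bb22"},
    "/usr/bin/ls": {"size": 90000, "md5": "cc33"},
}
AFTER_PATCH = {
    "/etc/passwd": {"size": 1024, "md5": "aa11"},
    "/etc/hosts": {"size": 230, "md5": "bb23"},       # admin edit: expected
    "/usr/bin/ls": {"size": 90500, "md5": "cc34"},    # not in the change ticket
    "/opt/app/new.conf": {"size": 40, "md5": "dd44"},  # new file: expected
}


if __name__ == "__main__":
    state, db, left = review_cycle(BASELINE, AFTER_PATCH,
                                   approved={"/etc/hosts", "/opt/app/new.conf"})
    print(state, left)  # the unexplained /usr/bin/ls change keeps the status red
```

Keeping the status red until every violation is either approved or reverted is what turns the check into a record of what changed during patching: the database never silently absorbs a change nobody signed off on.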
Automation & Reporting
- Configure schedules
  - Nightly: full integrity check
  - Periodic: system configuration files, other critical application files or directories
- Text or HTML reports
  - Level 3 concise text format
  - HTML reports can cause SMTP issues
Questions and Answers