1 / 22

Security SIG: Introduction to Tripwire

Security SIG: Introduction to Tripwire. Chris Harwood John Ives. What is Tripwire?. Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc) Enables Admins to detect files that are added, modified or deleted

Download Presentation

Security SIG: Introduction to Tripwire

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security SIG: Introduction to Tripwire Chris Harwood John Ives

  2. What is Tripwire? • Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc) • Enables Admins to detect files that are added, modified or deleted • Provides a history of what changes during patching • Two Components (for today’s discussion) • Tripwire for Servers (command line) • Tripwire Manager (GUI front end)

  3. What can run Tripwire? • Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B • FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3 • HP-UX 10.20, 11.0, 11i v1 & 11i v2 • IBM AIX 4.3.3, 5.1, 5.2 & 5.3 • Linux (kernel 2.2 and glibc 2.x or higher) • Red Hat Enterprise Linux 3 & 4 AS, WS & ES • Solaris (SPARC) 2.6, 7, 8, 9 & 10 • Windows NT 4.0, 2000, 2003 & XP Pro

  4. How do you get Tripwire? • Licensed for use by all UC campuses • Locally it is distributed via http://softdist.berkeley.edu/ • Fill out the form and fax in the appropriate paperwork • Download instructions are sent via email

  5. Tripwire For Servers • Command Line Utility • Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32) • Can detect changes to 29 object properties and 21 Registry keys/values on windows and 21 object properties on UNIX • Can Notify of changes via syslog, email or SNMP • Can output results in XML or HTML

  6. Archive flag Read-only flag Hidden flag Offline flag Temporary flag System flag Directory flag Last access time Last write time Create time File size Turns on event tracking for that object MS-DOS 8.3 name NTFS Compressed flag NTFS Owner SID NTFS Group SID NTFS DACL NTFS SACL Security descriptor control Size of security descriptor CRC-32 MD5 SHA HAVAL Number of NTFS streams CRC-32 hash of all alternative data streams MD5 hash of all alternative data streams SHA hash of all alternative data streams HAVAL hash of all alternative data streams Object Properties - Windows

  7. Registry Key Objects Last write time Owner SID Group SID DACL SACL Security descriptor control Size of security descriptor for the key Name of class Number of subkeys Maximum length of subkey name Maximum length of classname Number of values Maximum length for value name Maximum length of data for any value in the key Turns on event tracking for that object Registry Value Objects Type of value data Length of value data CRC-32 hash of value data MD5 hash of value data SHA hash of value data HAVAL hash of value data Registry Properties - Windows

  8. File permissions Inode number Number of links (inode reference count) User ID of owner Group ID of owner File ize Device number of the disk where the inode for the file is stored For device object only; number of the device to which the inode points Number of blocks allocated Modification timestamp Inode creation/modification timestamp File size (violated if file is not larger than its last recorded size) Access timestamp Object Event tracking Flags CRC-32 MD5 SHA HAVAL ACL settings Inode generation number Object Properties - UNIX

  9. Pass Phrases • Local Passphrase • Used to protect the Database and (optionally) report files • Site Passphrase • Used to protect the policy and configuration files • Manager Passphrase • Stores the local and site passwords of each server using triple-DES encryption with a 168 bit key length

  10. Demonstration Installing Tripwire For Servers on Windows

  11. Demonstration Tripwire For Servers Command Line Options and Default Policy

  12. Installation on Linux • Glibc must be installed • Up2date –u glibc or glibc-devel • Install the agent • Site key & local key • Mail method • SMTP for relay • Sendmail for localhost • SNMP set to no • IP address port 1169 • Firewall rules manager to server ( 1024-65535 to 1169) • Startup scripts • Start agent • Register in Tripwire Manager

  13. Demonstration Installing Tripwire for servers on Linux

  14. Tripwire Manager • GUI for managing (Policy, Schedule, etc) on Tripwire for Servers • Written in Java (supported on Solaris 7-9, Windows NT4-2003 and RedHat Linux 7-9 & Enterprise Linux 3 & 4 AS, WS, & ES) • Can manage multiple Tripwire for Servers Installations • Uses SSL to communicate with Tripwire for Servers (bi-directional authentication)

  15. Demonstration Installing Tripwire Manager on Windows

  16. Registering a server • Add Machine • Hostname • Group • Address • Port

  17. Demonstration Registering Server with Manager

  18. Demonstration Using Tripwire Manager to edit Policy, Settings and Schedule

  19. Initial Config • Edit config file • Event tracking • Mail no violation reports • Global email • Initialize the database (8 min) • Perform integrity check (10 min) • Update policy file • Don’t overwrite

  20. Post Integrity Check • View Report • Objects • UNIX • Windows • Update database • Update, don’t approve violations • Re-run integrity check • Continue until status is green

  21. Automation & Reporting • Configure schedules • Nightly • Full integrity check • Periodical • System configuration files • Other critical application files or directories • Text or HTML reports • Level 3 Concise • Text format • HTML reports can cause SMTP issues

  22. Questions and Answer

More Related