220 likes | 331 Views
Security SIG: Introduction to Tripwire. Chris Harwood John Ives. What is Tripwire?. Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc) Enables Admins to detect files that are added, modified or deleted
E N D
Security SIG: Introduction to Tripwire Chris Harwood John Ives
What is Tripwire? • Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc) • Enables Admins to detect files that are added, modified or deleted • Provides a history of what changes during patching • Two Components (for today’s discussion) • Tripwire for Servers (command line) • Tripwire Manager (GUI front end)
What can run Tripwire? • Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B • FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3 • HP-UX 10.20, 11.0, 11i v1 & 11i v2 • IBM AIX 4.3.3, 5.1, 5.2 & 5.3 • Linux (kernel 2.2 and glibc 2.x or higher) • Red Hat Enterprise Linux 3 & 4 AS, WS & ES • Solaris (SPARC) 2.6, 7, 8, 9 & 10 • Windows NT 4.0, 2000, 2003 & XP Pro
How do you get Tripwire? • Licensed for use by all UC campuses • Locally it is distributed via http://softdist.berkeley.edu/ • Fill out the form and fax in the appropriate paperwork • Download instructions are sent via email
Tripwire For Servers • Command Line Utility • Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32) • Can detect changes to 29 object properties and 21 Registry keys/values on windows and 21 object properties on UNIX • Can Notify of changes via syslog, email or SNMP • Can output results in XML or HTML
Archive flag Read-only flag Hidden flag Offline flag Temporary flag System flag Directory flag Last access time Last write time Create time File size Turns on event tracking for that object MS-DOS 8.3 name NTFS Compressed flag NTFS Owner SID NTFS Group SID NTFS DACL NTFS SACL Security descriptor control Size of security descriptor CRC-32 MD5 SHA HAVAL Number of NTFS streams CRC-32 hash of all alternative data streams MD5 hash of all alternative data streams SHA hash of all alternative data streams HAVAL hash of all alternative data streams Object Properties - Windows
Registry Key Objects Last write time Owner SID Group SID DACL SACL Security descriptor control Size of security descriptor for the key Name of class Number of subkeys Maximum length of subkey name Maximum length of classname Number of values Maximum length for value name Maximum length of data for any value in the key Turns on event tracking for that object Registry Value Objects Type of value data Length of value data CRC-32 hash of value data MD5 hash of value data SHA hash of value data HAVAL hash of value data Registry Properties - Windows
File permissions Inode number Number of links (inode reference count) User ID of owner Group ID of owner File ize Device number of the disk where the inode for the file is stored For device object only; number of the device to which the inode points Number of blocks allocated Modification timestamp Inode creation/modification timestamp File size (violated if file is not larger than its last recorded size) Access timestamp Object Event tracking Flags CRC-32 MD5 SHA HAVAL ACL settings Inode generation number Object Properties - UNIX
Pass Phrases • Local Passphrase • Used to protect the Database and (optionally) report files • Site Passphrase • Used to protect the policy and configuration files • Manager Passphrase • Stores the local and site passwords of each server using triple-DES encryption with a 168 bit key length
Demonstration Installing Tripwire For Servers on Windows
Demonstration Tripwire For Servers Command Line Options and Default Policy
Installation on Linux • Glibc must be installed • Up2date –u glibc or glibc-devel • Install the agent • Site key & local key • Mail method • SMTP for relay • Sendmail for localhost • SNMP set to no • IP address port 1169 • Firewall rules manager to server ( 1024-65535 to 1169) • Startup scripts • Start agent • Register in Tripwire Manager
Demonstration Installing Tripwire for servers on Linux
Tripwire Manager • GUI for managing (Policy, Schedule, etc) on Tripwire for Servers • Written in Java (supported on Solaris 7-9, Windows NT4-2003 and RedHat Linux 7-9 & Enterprise Linux 3 & 4 AS, WS, & ES) • Can manage multiple Tripwire for Servers Installations • Uses SSL to communicate with Tripwire for Servers (bi-directional authentication)
Demonstration Installing Tripwire Manager on Windows
Registering a server • Add Machine • Hostname • Group • Address • Port
Demonstration Registering Server with Manager
Demonstration Using Tripwire Manager to edit Policy, Settings and Schedule
Initial Config • Edit config file • Event tracking • Mail no violation reports • Global email • Initialize the database (8 min) • Perform integrity check (10 min) • Update policy file • Don’t overwrite
Post Integrity Check • View Report • Objects • UNIX • Windows • Update database • Update, don’t approve violations • Re-run integrity check • Continue until status is green
Automation & Reporting • Configure schedules • Nightly • Full integrity check • Periodical • System configuration files • Other critical application files or directories • Text or HTML reports • Level 3 Concise • Text format • HTML reports can cause SMTP issues