
CIS 193A – Lesson 6

CIS 193A – Lesson 6: Intrusion Detection. Focus question: What Linux utilities and third-party software are there for detecting an intrusion? What are their pros and cons? Topics: integrity checking with Linux commands, and Tripwire.





Presentation Transcript


  1. CIS 193A – Lesson 6: Intrusion Detection

  2. Focus Question What Linux utilities and third-party software are there for detecting an intrusion? What are their pros and cons?

  3. Integrity Checking: Linux Commands • rsync – designed to synchronize a local file hierarchy with a similar remote hierarchy. • rpm – has a -V verify option to verify all files in the package specified (-a verifies all installed packages). • md5sum – computes a hash that identifies a file's contents; together with the find and diff commands it can be used to check the integrity of files. • tripwire – manages an integrity database based upon a written policy.
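The slide pairs md5sum with find and diff but does not show the mechanics. The script below is an added example, not part of the lecture: it builds a hash baseline of a directory tree and later diffs a fresh scan against it, classifying each deviation as CHANGED, MISSING or ADDED. The function names, the `HASH` variable and the sample tree in `demo` are the example's own choices; `sha256sum` is used by default because it has the same command-line interface as the slide's `md5sum` but is not subject to MD5's known collision weaknesses (set `HASH=md5sum` to match the slide exactly). The baseline file itself must be stored somewhere the monitored host cannot overwrite (read-only media or another machine), which is the weakness Tripwire's signed database addresses.

```shell
#!/bin/sh
# Added example (not from the slides): a find + hash + diff integrity baseline.
# Requires GNU find/sort/xargs for the -print0 / -z / -0 options.
HASH=${HASH:-sha256sum}

# Hash every regular file under ROOT into BASELINE, one "hash  ./path" line.
# Paths are stored relative to ROOT so the baseline stays valid if the tree
# is mounted elsewhere (e.g. a rescue system). Paths containing spaces are
# not handled by the awk field split in check_integrity.
make_baseline() {                     # usage: make_baseline ROOT BASELINE
    root=$1; baseline=$2
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 "$HASH" ) > "$baseline"
}

# Rescan ROOT and diff the result against BASELINE. Prints one line per
# deviation (CHANGED, MISSING or ADDED followed by the path) and returns 1
# when anything deviated, so the function doubles as a cron job exit status.
check_integrity() {                   # usage: check_integrity ROOT BASELINE
    root=$1; baseline=$2
    current=$(mktemp)
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 "$HASH" ) > "$current"
    # diff marks baseline-only lines with "<" and current-only lines with ">";
    # a path present on both sides therefore had its hash change.
    drift=$(diff "$baseline" "$current" | awk '
        /^< / { old[$3] = $2 }
        /^> / { new[$3] = $2 }
        END {
            for (p in old) { if (p in new) print "CHANGED " p; else print "MISSING " p }
            for (p in new) { if (!(p in old)) print "ADDED " p }
        }' | sort)
    rm -f "$current"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Demonstration on a constructed tree: run as `sh integrity.sh demo`.
demo() {
    d_root=$(mktemp -d); d_base=$(mktemp)
    mkdir -p "$d_root/etc"
    printf 'PermitRootLogin no\n' > "$d_root/etc/sshd_config"
    make_baseline "$d_root" "$d_base"
    printf 'PermitRootLogin yes\n' > "$d_root/etc/sshd_config"   # simulated tampering
    check_integrity "$d_root" "$d_base" || echo "drift detected, exit status $?"
    rm -rf "$d_root" "$d_base"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A practical schedule is `make_baseline / /mnt/readonly/baseline` once after installation and `check_integrity / /mnt/readonly/baseline` from cron, with the rescan excluded from log and spool directories that are expected to change.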

  4. Tripwire

  5. Install Tripwire and customize the policy file • rpm -qlp tripwire-*.rpm | more • rpm -hiv tripwire-*.rpm • cd /etc/tripwire • twcfg.txt: set LOOSEDIRECTORYCHECKING=true • twpol.txt: add emailto: statements and customize the rules to your files • tripwire-setup-keyfiles – choose your passphrases as you sign your files.

  6. Initialize the Tripwire database • tripwire --init 2> missingfiles • grep Filename missingfiles | ./fix twpol.txt  # download the fix shell script from opus • twadmin --create-polfile --site-keyfile site.key twpol.txt • tripwire --init • rm *.txt • The database file will now be in /var/lib/tripwire with the name $HOSTNAME.twd

  7. Run a Tripwire integrity check • tripwire --check • This generates a report both on stdout and in the directory /var/lib/tripwire/report, with a .twr extension. • The sending of mail messages can be tested with: tripwire --test --email root

  8. Examine the Tripwire report file • twprint --print-report --twrfile filename.twr • twprint can also print a report of the database itself: twprint --print-dbfile --dbfile filename.twd

  9. Update the Tripwire database • tripwire --update --twrfile latest-report-file.twr • There is an --update-policy mode as well for updating the twpol.txt file.

  10. Review

  11. Focus Question What Linux utilities and third-party software are there for detecting an intrusion? And what are their pros and cons? Linux has individual utilities such as md5sum for checking the integrity of files. The RPM utility checks for any changes to files installed via an rpm package. The rsync command compares file systems between two different machines. Tripwire is open source software that securely stores integrity information in a database and notifies the system administrator when any files have been altered, according to a pre-specified policy.
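The review notes that `rpm -V` reports changes to packaged files, but a full `rpm -Va` on a real system produces many lines, most of them harmless mtime changes or edited config files. The script below is an added example (not part of the lecture) that triages such output: it reads `rpm -V` lines on stdin and keeps only the cases an administrator should look at. The flag letters and the attribute column follow rpm's documented verify format; the sample lines in `SAMPLE_RPM_V` are constructed for the example, and the function names and category labels are the example's own.

```shell
#!/bin/sh
# Added example (not from the slides): triage of `rpm -Va` output.
# rpm -V prints one line per deviating file: a 9-character flag field
# (S size, M mode, 5 digest, D device, L link path, U user, G group,
# T mtime, P capabilities; "." means the test passed), an optional
# attribute column (c = %config, d = %doc, g = %ghost, l = %license,
# r = %readme) and the path. Removed files appear as "missing <path>".

# Constructed sample of what `rpm -Va` might print (not real output).
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/sudo
.......T.    /usr/lib64/libc.so.6
missing     /usr/sbin/auditd
.....UG..    /var/log/audit'

# Classify rpm -V lines read on stdin. Output, one per line:
#   MISSING <path>  packaged file has been removed
#   CONTENT <path>  digest changed on a non-config file (binary or library replaced)
#   OWNER   <path>  mode, owner or group changed
#   CONFIG  <path>  digest changed on a %config file (usually a legitimate edit)
# Lines showing only an mtime change (T) are dropped as noise.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING", $NF; next }
        NF < 2 { next }                          # not a verify line
        {
            flags = $1; path = $NF
            attr = (NF >= 3) ? $2 : ""
            if (index(flags, "5") && attr != "c")
                print "CONTENT", path
            else if (index(flags, "M") || index(flags, "U") || index(flags, "G"))
                print "OWNER", path
            else if (index(flags, "5"))
                print "CONFIG", path
        }'
}

# Run the triage over the constructed sample; on a real host use
#   rpm -Va 2>/dev/null | triage_rpm_verify
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}
```

CONTENT hits on files under /usr/bin, /usr/sbin or /usr/lib are the ones that matter most: a changed digest on a packaged binary means it no longer matches what the vendor shipped, and the rpm database itself can be altered by whoever changed the binary, so confirm against an external reference (the original package or a Tripwire database stored off-host) before trusting a clean result.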
