UNIX Systems Security I Tools Module 5 - PowerPoint PPT Presentation

1
UNIX Systems Security I Tools - Module 5
  • Instructor: Victor Hazlewood, CISSP
  • victor@reference-systems.com

1Q06 UNIX Security Tools Victor Hazlewood
2
Module 5
  • Host Intrusion Detection Systems
  • Tool 10 syslog
  • Tool 11 cfengine
  • Tool 12 Demonstration of Tripwire

3
HIDS
  • Host Intrusion Detection Systems
    A HIDS monitors host and server logs and events for suspicious
    activity. Most HIDS are based on syslog (Unix/network) and event
    logs (Windows). In many cases these logs are centralized and
    analyzed for anomalies and known intrusion signatures.
    Analysis/use includes:
  • Known string signatures
  • Heuristic profiling
  • Log searching in an incident situation
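As an added illustration of the "known string signatures" analysis described on this slide (example code written for this transcript, not part of the original presentation), the shell functions below run two classic signature checks over a handful of syslog lines: repeated failed SSH logins from one source address, and su/sudo privilege-escalation events. The log lines, hostnames, PIDs and addresses are constructed for the example; only POSIX sh, awk and grep are needed.

```shell
#!/bin/sh
# Added example (not from the original slides): two "known string
# signature" checks of the kind a HIDS runs over centralized syslog data.
# Hostnames, PIDs and addresses in the sample are constructed.

# Constructed sample of syslog lines as they would arrive on a central
# syslog server from two hosts (web1 and db1).
SAMPLE_LOG='Mar  3 10:01:07 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar  3 10:01:09 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Mar  3 10:01:12 web1 sshd[2214]: Failed password for root from 192.0.2.10 port 40125 ssh2
Mar  3 10:02:00 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Mar  3 10:05:41 db1 su[3310]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar  3 10:06:02 db1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash'

# Signature 1: repeated failed SSH logins from one source address.
# Usage: failed_ssh_by_source "$log_text" THRESHOLD
# Prints "ADDRESS COUNT" for every source with at least THRESHOLD failures.
failed_ssh_by_source() {
    printf '%s\n' "$1" |
    awk -v thr="$2" '
        /sshd.*Failed password for/ {
            # the token after "from" is the client address
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            n[src]++
        }
        END { for (s in n) if (n[s] >= thr) printf "%s %d\n", s, n[s] }'
}

# Signature 2: privilege escalation events, i.e. a failed su to root or a
# sudo invocation that spawns a shell. Prints the matching lines.
priv_escalation_events() {
    printf '%s\n' "$1" |
    grep -E 'su\[[0-9]+]: .*authentication failure.* user=root|sudo: .*COMMAND=/bin/(ba)?sh$'
}

# Stand-alone run: report both signatures over the sample.
echo "== SSH sources with 3 or more failed logins =="
failed_ssh_by_source "$SAMPLE_LOG" 3
echo "== privilege escalation events =="
priv_escalation_events "$SAMPLE_LOG"
```

In practice the functions would be fed by `tail -f` on the central server's log file or run from cron over the previous hour; the threshold keeps a single mistyped password from raising an alert while a burst from one address still does.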

4
HIDS
  [Diagram: devices and hosts send their logs to a centralized syslog server, where an automated program analyzes them]
5
Log files to consider
  • syslog
  • Web logs
  • Firewall logs
  • NIDS logs
  • Database server logs (Oracle, DB2)

6
Tool 10 syslog
  • (Covered in the fundamentals course)
  • syslog is built into Unix
  • Configured in /etc/syslog.conf
  • How to configure a host to forward to a centralized syslog server
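The slide only names the configuration file; the block below is an added example (not from the original presentation) showing the /etc/syslog.conf entries a client needs to forward to a central syslog host, together with a small check that authentication messages actually leave the host. Classic BSD syslogd selector/action syntax is assumed (rsyslog and syslog-ng accept the same lines), and the hostname loghost.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original slides): client-side syslog.conf
# rules for forwarding to a central syslog host, plus a check that
# authpriv messages are among what is forwarded. The loghost name is a
# placeholder.

LOGHOST="${LOGHOST:-loghost.example.com}"

# Client-side rules. Local files stay in place; forwarding adds a copy
# that an intruder who gains root on this host cannot edit.
client_syslog_conf() {
    cat <<EOF
# local copies
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
# forward everything, including authpriv, to the central host (UDP/514)
*.*                               @${LOGHOST}
EOF
}

# Reads a syslog.conf on stdin and exits 0 only if some rule sends
# authpriv messages to a remote "@host" target. A catch-all that carries
# "authpriv.none" does not count: that is the common mistake where the
# local rule is copied and the login records never leave the host.
forwards_auth_to_remote() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }       # skip comments and blanks
        $NF ~ /^@/ {                              # action is a remote host
            sel = $1
            if (sel ~ /(^|;)([*]|authpriv)\./ && sel !~ /authpriv\.none/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Stand-alone run: print the client config and verify it.
client_syslog_conf
if client_syslog_conf | forwards_auth_to_remote; then
    echo "OK: authpriv is forwarded to ${LOGHOST}"
else
    echo "WARNING: authpriv messages are not forwarded" >&2
fi
```

The receiving side has to be told to accept network input (the classic Linux sysklogd needs `syslogd -r`), and since plain syslog over UDP/514 is neither authenticated nor encrypted, the loghost should only accept port 514 from the addresses of its known clients; otherwise anything that can reach the port can write lines into the central record.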

7
Tool 11 cfengine
  • http://www.cfengine.org/

8
Tool 11 cfengine
  [Diagram: a cfengine control host exports its control files (cfagent.conf and master file copies) to the cfengine managed hosts over read-only NFS mounts]
9
Tool 11 cfengine
  • Download from www.cfengine.org
  • Gunzip and untar
  • Run configure script
  • Run make
  • Run make install (installs in /usr/local)
  • Check out the cfengine Tutorial
  • /var/cfengine is default work area

10
Tool 11 cfengine
  • Trying cfengine
  • cfagent
  • /var/cfengine/inputs/cfagent.conf
  • Sections and classes in cfagent.conf (see 2.1 in the tutorial)
  • Action types (see 2.2 in the tutorial)
  • control section (see 2.4 in the tutorial)

11
cfagent.conf example
    control:
       actionsequence = ( directories copy files links )
       common         = ( /var/cfengine/common/root )
       domain         = ( reference-systems.com )

    directories:
       any::
          /var/www m=0755 o=0 g=0

    copy:
       any::
          # install the master syslog.conf from the common tree
          $(common)/etc/syslog.conf dest=/etc/syslog.conf m=0600 o=0 g=0

    files:
       # fixall corrects mode/owner drift; checksum=md5 also reports content changes
       /etc/passwd mode=444 owner=root action=fixall checksum=md5
       /etc/shadow mode=400 owner=root group=adm action=fixall

    links:
       any::
          # ->! forces the link even if something already exists at the path
          /usr/local/bin/hsi ->! /usr/local/apps/hsi/bin/hsi

12
Tool 12 Tripwire
  • http://www.tripwire.com/
  • Public domain version available on SourceForge,
    but way out of date
  • Commercial version has some features:
    • Management tool
    • Default policy files
    • Continued maintenance

13
Tool 12 Tripwire
  • Tripwire for Servers tool
  • Tripwire Manager
  • Demonstration

14
Tool 12 Tripwire
  • Tripwire slides
  • Tripwire demonstration
