Selling an Idea or a Product - PowerPoint PPT Presentation

Title: Selling an Idea or a Product
Provided by: publicpc9
Learn more at: https://www.cs.uml.edu

Transcript and Presenter's Notes

1
91.580.203 Computer Network Forensics
Xinwen Fu
Tripwire: Host Based Intrusion Detection System (HIDS)
2
Outline
  • Introduction to Tripwire
  • Installation of Tripwire
  • Scheduling Tripwire by Cron

3
Where is the HIDS on the Internet?
http://www.inode.gr/img/internet_connection_small.jpg
4
Tripwire - Basic Functions
  • Monitor system files to detect when an intruder has
    made changes to those files with malicious intent
  • Monitor the file-systems to find whether any files
    have been compromised, by taking a snapshot of the
    file system and comparing that snapshot to an
    existing baseline
  • These comparisons are called integrity checks
  • Integrity checks detect changes in critical system
    components, and Tripwire generates a report on any
    change(s) that are detected
  • Tripwire does not, however, generate real-time
    alerts upon an intrusion
  • It does not help with Kernel Level Module (KLM)
    rootkits

5
Tripwire Flavors
  • The Tripwire software is a System Integrity
    Verifier (SIV) used to validate the system security
    posture and to assist in security auditing
  • Tripwire comes in three flavors:
    (1) Open Source Tripwire (text-based logging,
        command-line interface)
    (2) Tripwire for Servers
    (3) Tripwire Enterprise
  • Can be used in a straight Windows, straight Unix,
    or heterogeneous (mixed) network

6
Key Tripwire Files
  • There are a number of files used for managing
    these components
  • Configuration File
    • Plaintext configuration file: /etc/tripwire/twcfg.txt
    • Signed configuration file: /etc/tripwire/tw.cfg
  • Policy File
    • Plaintext policy file: /etc/tripwire/twpol.txt
    • Signed policy file: /etc/tripwire/tw.pol
  • Site Key file: /etc/tripwire/site.key
  • Local Key file: /etc/tripwire/HOSTNAME.local.key
  • Database File: /var/lib/tripwire/HOSTNAME.twd
  • Report File: /var/lib/tripwire/HOSTNAME-date-time.twr

7
Key Tripwire Files
  • Configuration file -- stores system-specific
    information that controls Tripwire operations.
    The Configuration file should NOT be changed
    except through a Configuration Management Process
  • Policy file -- specifies how Tripwire software
    monitors the system. This file consists of a list
    of rules which specify system objects
    (directories and files) to monitor, and describes
    which changes to the objects should be reported
    and which ones can be ignored
  • Database file -- provides a snapshot of each host
    which is created by rules in the policy file in a
    known secure state. It is used as a baseline
    file to compare against the current state of the
    host to determine if any change has occurred

8
Key Tripwire Files (Cont.)
  • Report file -- records the changes detected
    during an integrity check that violate the rules
    in the Policy file
  • Site Key file / Local Key file -- store the public
    and private keys used to cryptographically sign
    Tripwire files, preventing unauthorized modification
  • The site key signs the Tripwire configuration and
    policy files
  • The local key signs the Tripwire database files and
    may also sign the Tripwire report files
  • To modify these files, you must provide the
    correct site or local passphrase/password. These
    passphrases must be kept in a safe place because
    if they are lost or forgotten, they can not be
    recovered

9
Tripwire Configuration and Mode of Operations
  • The following items for Tripwire are pre-set and
    configured by the installer:
    • Keys
    • Policy and configuration
    • A Tripwire baseline for each host
  • Mode of Operations
  • The System Administrator should schedule Tripwire
    to run during a period of low activity, because
    Tripwire utilizes system resources and may
    considerably slow down system performance
  • The System Administrator should not make any
    changes to the file system on any host unless
    they are valid changes and the change is clearly
    understood

10
How Tripwire works
Tripwire Work-Flow Diagram
  2. An integrity check compares the baseline to the
     current state of the data to identify changes
  3. You examine changes and take appropriate action.
     This may include restoring changed data or
     updating the baseline
11
How Tripwire works - 1 of 3
  • The installer configures Tripwire with customized
    Policy files to monitor the critical system
    resources on each host
  • Based on the customized policy, Tripwire creates
    a baseline snapshot of each host in a known good
    state (after system build, configuration, and
    lockdown but before connecting to network)
  • After the baseline is established, regular
    integrity checks are scheduled to run on each
    host, to monitor the hosts

12
How Tripwire works - 2 of 3
  • An integrity check compares the baseline to the
    current state of the data to identify changes

13
How Tripwire Works - 3 of 3
  • From the Tripwire integrity check results:
  • Tripwire compares the current system state to the
    baseline for the file-system objects and rules
    specified in the policy, and reports a violation
    for any change it detects
  • A System Administrator examines the Tripwire
    report to evaluate changes to the system and
    investigate the cause of the change

14
How Tripwire Works - 3 of 3 (Cont.)
  • If changes are malicious or unauthorized after
    investigation, take appropriate measures, such as
    restoring changed files and reporting the
    incident
  • If changes are authorized/approved after
    investigation, update the baseline database to
    include the changes so that Tripwire no longer
    detects them as violations
  • The installer will furnish updated baseline
    database and policy file for authorized software
    patches and revisions. The System Administrator
    would not need to update the baseline database.
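The baseline / check / update cycle described on slides 11 to 14 (and the "tripwire --update" step on slide 22) can be shown with a few lines of shell. The script below is an added example for this page, not code from the slides or from the Tripwire project: it records a SHA-256 digest of every regular file under a directory as the baseline, diffs a fresh snapshot against it, and lets the reviewer accept the new state as the baseline. It assumes GNU coreutils (sha256sum, sort -z, xargs -r) and file paths without newlines, and it omits the signing that protects a real Tripwire database.

```bash
#!/bin/bash
# Added example, not from the slides or from Tripwire: a minimal
# baseline-and-compare integrity checker that follows the same work-flow.
#   baseline : record a sha256 digest of every regular file under a directory
#   check    : recompute the digests and diff them against the baseline
#   update   : accept the current state as the new baseline (after review)
# Assumptions: GNU coreutils (sha256sum, sort -z, xargs -r) and paths without
# newlines; a real Tripwire database is also signed, which this toy omits.

# make_baseline <dir> <dbfile>
# Writes "<sha256>  ./relative/path" for every regular file, sorted by path.
make_baseline() {
    local dir=$1 db=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$db"
}

# integrity_check <dir> <dbfile>
# Prints one violation per line (ADDED / MODIFIED / REMOVED <path>), sorted.
# Returns 0 when the directory still matches the baseline, 1 otherwise.
integrity_check() {
    local dir=$1 db=$2 cur report
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline, path -> digest
        !($2 in base)       { print "ADDED " $2; next }
        base[$2] != $1      { print "MODIFIED " $2 }
                            { delete base[$2] }        # seen: drop it from the baseline set
        END { for (p in base) print "REMOVED " p }   # whatever is left has disappeared
    ' "$db" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# update_baseline <dir> <dbfile>
# The equivalent of "tripwire --update" once a reported change has been reviewed
# and approved: the current state becomes the new baseline.
update_baseline() {
    make_baseline "$1" "$2"
}

# Usage: make_baseline /etc /root/etc.db; later, integrity_check /etc /root/etc.db
```

Like Tripwire, the checker is only as good as the baseline: it must be taken in a known-good state, and the database must be kept where an intruder cannot rewrite it (Tripwire signs it with the local key for exactly this reason). The check is also offline, so a change is only seen at the next scheduled run, which is why the slides pair Tripwire with cron.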

15
System Administrator's Tasks
  • Scheduling Tripwire to run
  • Monitoring the integrity check
  • Examining the Tripwire Reports
  • Evaluating violations and investigating those
    violations

16
System Administrator's Tasks
  • Reporting any unauthorized change under site
    incident response policy and procedures, and
    taking corrective measures if necessary
  • No authorized changes should be detected -- some
    false positives will occur if the site's trusted
    personnel install patches/revisions.
  • Software patches/revisions should also be provided
    on a gold disk, pre-tested and installed by the
    installer.
  • Updating the Tripwire policy and database files

17
Outline
  • Introduction to Tripwire
  • Installation of Tripwire
  • Scheduling Tripwire by Cron

18
Install tripwire-2.4.0.1
  • Install from source
  • Get the software from http://sourceforge.net/projects/tripwire
  • tar jxvf tripwire-2.4.0.1-src.tar.bz2
  • cd tripwire-2.4.0.1
  • ./configure
  • make
  • ln -s contrib install (works around a bug in the
    build's install step)
  • make install
  • Then use the default configuration and policy,
    and build the site key and local key
  • Install with yum
  • yum install tripwire

19
Creating and Signing the Configuration File
  • After yum on Fedora Core 6, only
    /etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt
    exist
  • Initializing keys
  • Get into the tripwire folder: cd /etc/tripwire
  • Site key: twadmin -m G -S ./site.key
  • Local key: twadmin -m G -L ./HOSTNAME-local.key
  • Sign files
  • Sign the configuration file:
    twadmin --create-cfgfile -S site.key twcfg.txt
  • Sign the policy file:
    twadmin --create-polfile -S site.key twpol.txt

http://linuxgazette.net/106/odonovan.html
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-tripwire-update-policy.html
20
Creating and Signing the Policy File
  • Do not leave the plain-text versions of the
    configuration and policy files on your hard drive
  • Move them onto a floppy disk
  • Or encrypt them using a utility such as GPG
  • Ensure that the permissions of the signed files
    are set such that they are only readable/writable
    by root: chmod 0600 tw.cfg tw.pol
  • Re-sign the policy file and configuration file
    every time you change them

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html
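The two hardening rules on this slide (signed files readable only by root, no plaintext twcfg.txt or twpol.txt left on disk) are easy to drift from after a policy edit, so they are worth checking mechanically. The function below is an added example for this page, not part of the slides or of Tripwire; it takes the directory and the expected owner as parameters so it can be run against a test tree as well as /etc/tripwire, and it assumes GNU coreutils stat.

```bash
#!/bin/bash
# Added example (not from the slides or from Tripwire): audit a Tripwire
# configuration directory against the rules on the slide.
#   - the signed tw.cfg and tw.pol exist, are mode 0600 and owned by root
#   - the plaintext twcfg.txt and twpol.txt are no longer on disk
# Prints one finding per line; returns 0 only when the directory is clean.
# Assumption: GNU coreutils stat (-c '%a' / '%U').

# audit_tripwire_dir <dir> [expected-owner]   (owner defaults to root)
audit_tripwire_dir() {
    local dir=$1 owner=${2:-root} f mode own findings=0
    for f in tw.cfg tw.pol; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f (signed file not present; create it with twadmin --create-cfgfile / --create-polfile)"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c '%a' "$dir/$f")
        own=$(stat -c '%U' "$dir/$f")
        [ "$mode" = 600 ] || { echo "MODE $f is $mode, expected 600 (chmod 0600 $dir/$f)"; findings=$((findings + 1)); }
        [ "$own" = "$owner" ] || { echo "OWNER $f is $own, expected $owner"; findings=$((findings + 1)); }
    done
    for f in twcfg.txt twpol.txt; do
        # The plaintext copies reveal exactly what is and is not monitored;
        # the slide says to move them offline or encrypt them.
        [ -e "$dir/$f" ] && { echo "PLAINTEXT $f still on disk; move it offline or encrypt it"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_tripwire_dir /etc/tripwire && echo "tripwire config directory OK"
```

Because it only reads metadata, the audit itself is cheap enough to run from the same cron job as the integrity check, so a forgotten plaintext policy file shows up in the next report rather than months later.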
21
Manually Running a Tripwire Integrity Check
  • Initialize the Tripwire database
  • tripwire --init
  • Check filesystem integrity and generate a report
  • tripwire --check
  • View the Tripwire report
  • twprint -m r --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr | less

22
Examining and Evaluating Violations
  • Valid violations due to normal user activities
  • Run an update based on the report (you will be
    asked for the local passphrase):
    tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
  • Valid violations due to normal system activities
  • Examine the policy file, twpol.txt, and make the
    appropriate changes
  • Update the database without a complete
    re-initialization. Note: make sure your database
    reflects the current status of the system based
    on the old policy:
    tripwire --update-policy /usr/local/etc/twpol.txt

23
Create a New Baseline Database
  • Delete the baseline database
  • rm /var/lib/tripwire/hostname.twd
  • Create a new database
  • tripwire --init

24
Tripwire Big Picture
  • Install Tripwire and customize the policy file.
  • Section 19.3 Customizing Tripwire.
  • Initialize the Tripwire database.
  • Section 19.4 Initialize the Tripwire Database.
  • Run a Tripwire integrity check.
  • Section 19.5 Running an Integrity Check.
  • Examine the Tripwire report file.
  • Section 19.6.1 Viewing Tripwire Reports.
  • If unauthorized integrity violations occur, take
    appropriate security measures.
  • Either replace the original files from backup
    copies, reinstall the program, or completely
    reinstall the operating system.
  • If the file alterations are valid, verify and
    update the Tripwire database file.
  • Edit Tripwire's database file to ignore those
    changes in subsequent reports. For more
    information, see Section 19.7 Updating the
    Tripwire Database.
  • If the policy file fails verification, update the
    Tripwire policy file.
  • Update the supplied policy file
    (/etc/tripwire/twpol.txt), regenerate a signed
    copy (/etc/tripwire/tw.pol), and update the
    Tripwire database. For more information, see
    Section 19.8 Updating the Tripwire Policy File.

25
Customize your Policy File
  • Policy file
  • /etc/tripwire/twpol.txt
  • Policy guide
  • /usr/share/doc/tripwire-2.4.1.1/policyguide.txt

26
Outline
  • Introduction to Tripwire
  • Installation of Tripwire
  • Scheduling Tripwire by Cron

27
Run tripwire Checking Daily by Cron
  • The cron daemon, crond, runs an application at the
    time you choose
  • In the /etc directory you will probably find some
    sub-directories called 'cron.hourly',
    'cron.daily', 'cron.weekly' and 'cron.monthly'
  • If you place a script into one of those
    directories it will be run either hourly, daily,
    weekly or monthly, depending on the name of the
    directory

http://www.unixgeeks.org/security/newbie/unix/cron-1.html
28
More Flexible Cron
  • /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/
  • run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly

http://www.unixgeeks.org/security/newbie/unix/cron-1.html
29
Flexible Cron - How to Run a Script
  • minute hour dom month dow user cmd
  • minute: the minute of the hour the command will
    run on, between '0' and '59'
  • hour: the hour the command will run on, specified
    on the 24-hour clock; values must be between 0
    and 23 (0 is midnight)
  • dom: the day of month that you want the command
    run on, e.g. to run a command on the 19th of each
    month, the dom would be 19
  • month: the month a specified command will run on;
    it may be specified numerically (0-12) or as the
    name of the month (e.g. May)
  • dow: the day of week that you want a command to be
    run on; it can also be numeric (0-7) or the name
    of the day (e.g. sun)
  • user: the user who runs the command
  • cmd: the command that you want run. This field
    may contain multiple words or spaces

30
Examples of Running a Script
  • If you don't wish to specify a value for a field,
    just place a * in the field; * means "any"
  • Use the idea of a cross (the intersection of all
    the fields) to explain a rule
  • minute hour dom month dow user cmd
  • 01 * * * * root echo "This command is run at one
    min past every hour"
  • 17 8 * * * root echo "This command is run daily
    at 8:17 am"
  • 17 20 * * * root echo "This command is run daily
    at 8:17 pm"
  • 00 4 * * 0 root echo "This command is run at 4 am
    every Sunday"
  • * 4 * * Sun root echo "So is this"
  • 42 4 1 * * root echo "This command is run 4:42 am
    every 1st of the month"
  • 01 * 19 07 * root echo "This command is run
    hourly on the 19th of July"
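Reading the five time fields by hand is error-prone, and a mis-scheduled integrity check is a check that never runs. The matcher below is an added example for this page, not code from the slides or from cron itself: it decides whether a schedule such as "17 8 * * *" fires at a given minute, hour, day of month, month and day of week. It covers the forms on the slides (*, numbers, month and weekday names, 0 and 7 both meaning Sunday) and, beyond the slides, lists (1,15), ranges (Mon-Fri) and steps (*/15), plus the Vixie cron rule that when both dom and dow are restricted, either one matching is enough. It assumes bash 4 or later.

```bash
#!/bin/bash
# Added example, not from the slides or from cron: a matcher for the five
# crontab time fields, used to check what a schedule actually fires on.
# Supports "*", single values, lists (1,15), ranges (1-5, Mon-Fri), steps
# (*/10) and the month/day names used on the slide (May, Sun). Assumes bash 4+.

# cron_value <field-index 1..5> <token>
# Map a month or weekday name to its number; numeric tokens pass through.
cron_value() {
    local idx=$1 tok=${2,,}          # ${2,,} lower-cases the token (bash 4+)
    case $idx in
        4) case $tok in jan) tok=1;; feb) tok=2;; mar) tok=3;; apr) tok=4;;
                        may) tok=5;; jun) tok=6;; jul) tok=7;; aug) tok=8;;
                        sep) tok=9;; oct) tok=10;; nov) tok=11;; dec) tok=12;; esac ;;
        5) case $tok in sun) tok=0;; mon) tok=1;; tue) tok=2;; wed) tok=3;;
                        thu) tok=4;; fri) tok=5;; sat) tok=6;; esac ;;
    esac
    printf '%s' "$tok"
}

# cron_field_matches <field-index 1..5> <field-spec> <value>
# Returns 0 when one field of a schedule accepts the value, 1 otherwise.
cron_field_matches() {
    local idx=$1 spec=$2 val item lo hi step v
    local -a items cands
    local mins=(0 0 1 1 0) maxs=(59 23 31 12 7)   # bounds used when the field is "*"
    val=$(( 10#$(cron_value "$idx" "$3") ))      # 10# avoids octal for "07", "09"
    cands=("$val")
    [ "$idx" = 5 ] && [ "$val" = 0 ] && cands+=(7)   # dow: 0 and 7 are both Sunday
    [ "$idx" = 5 ] && [ "$val" = 7 ] && cands+=(0)
    IFS=, read -ra items <<< "$spec"             # read does not glob-expand "*"
    for item in "${items[@]}"; do
        step=1
        [[ $item == */* ]] && { step=$(( 10#${item#*/} )); item=${item%/*}; }
        if [ "$item" = '*' ]; then
            lo=${mins[idx-1]}; hi=${maxs[idx-1]}
        elif [[ $item == *-* ]]; then
            lo=$(( 10#$(cron_value "$idx" "${item%-*}") ))
            hi=$(( 10#$(cron_value "$idx" "${item#*-}") ))
        else
            lo=$(( 10#$(cron_value "$idx" "$item") )); hi=$lo
        fi
        for v in "${cands[@]}"; do
            (( v >= lo && v <= hi && (v - lo) % step == 0 )) && return 0
        done
    done
    return 1
}

# cron_matches "<min> <hour> <dom> <month> <dow>" <min> <hour> <dom> <month> <dow>
# Returns 0 when the whole schedule fires at the given instant.
cron_matches() {
    local -a spec
    read -ra spec <<< "$1"                       # split the schedule without globbing "*"
    shift
    [ "${#spec[@]}" -eq 5 ] || return 2          # malformed schedule
    local dom_ok=0 dow_ok=0
    cron_field_matches 1 "${spec[0]}" "$1" || return 1
    cron_field_matches 2 "${spec[1]}" "$2" || return 1
    cron_field_matches 4 "${spec[3]}" "$4" || return 1
    cron_field_matches 3 "${spec[2]}" "$3" && dom_ok=1
    cron_field_matches 5 "${spec[4]}" "$5" && dow_ok=1
    # Vixie cron rule: if both dom and dow are restricted, either one matching is enough
    if [[ ${spec[2]} != '*' && ${spec[4]} != '*' ]]; then
        (( dom_ok || dow_ok ))
    else
        (( dom_ok && dow_ok ))
    fi
}

# Usage: cron_matches "17 8 * * *" 17 8 5 5 3 && echo "fires at 08:17 on the 5th of May (Wednesday)"
```

The dom/dow rule is the one that surprises people: "0 0 1 * Mon" runs at midnight on every 1st of the month and on every Monday, not only on Mondays that fall on the 1st. For a Tripwire schedule, keep the day fields at "*" and use the hour field to pick the quiet period the slides recommend.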

31
Network Time Protocol
  • Get the NTP package if not installed
  • yum install ntp
  • NTP is a protocol designed to synchronize the
    clocks of computers over a network
  • NTP configuration file: /etc/ntp.conf
    server 127.127.1.0    # local clock
    server 10.0.0.192     # add this server
    fudge 127.127.1.0 stratum 10

32
Using NTP Server to Synchronize Machines
  • Change file ownership
  • chown ntp:ntp /etc/ntp
  • chown ntp:ntp /etc/ntp/*
  • To get NTP configured to start at boot
  • chkconfig ntpd on
  • To start, stop and restart NTP after booting,
    follow these examples
  • service ntpd start
  • service ntpd stop
  • service ntpd restart
  • To test whether the NTP process is running
  • pgrep ntpd
  • Determining If NTP Is Synchronized Properly
  • ntpq -p

http://www.siliconvalleyccie.com/linux-hn/ntp.htm
33
NTP Troubleshooting
  • A wild time difference between the local machine
    and the primary time server causes an error
    (see /var/log/messages)
  • Run the ntpdate -u command to force instant time
    synchronization with the NTP servers
  • ntpdate is not a daemon
  • Run: service ntpd stop
  • Run ntpdate three times: ntpdate -u 192.168.1.100
  • Run: service ntpd restart

34
References

  • Open Source Tripwire, http://sourceforge.net/projects/tripwire
  • Fedora Core tutorials, 2006, http://www.unix-tutorials.com/tutorials.php?os=FedoraCore
  • Tripwire on your Fedora Box, April 15, 2005, http://www.unix-tutorials.com/go.php?id=250
  • cogNiTioN, Newbie Intro to cron, 30-Dec-99, http://www.unixgeeks.org/security/newbie/unix/cron-1.html
  • Trevor Warren, Intrusion Detection Systems Part II - Installing Tripwire, 2001-01-30, http://freeos.com/articles/3405/
  • Joey, Tripwire Setup Guide, September 19th, 2003, http://www.linuxhelp.net/guides/tripwire
  • Intrusion Detection with Tripwire, http://www.akadia.com/services/tripwire.html
  • The NTP Server, July 2005, http://www.siliconvalleyccie.com/linux-hn/ntp.htm#_Toc91350036

35
nmap - Network exploration tool and security scanner
  • Scan large networks to determine
  • Which hosts are up
  • What operating system the network unit uses
  • What network services they are offering
  • Support a large number of scanning techniques
    such as UDP, TCP connect(), TCP SYN (half open),
    ftp proxy (bounce attack), ICMP (ping sweep),
    FIN, ACK sweep, Xmas Tree, SYN sweep, IP
    Protocol, and Null scan

36
Live Demo Network mapper nmap
  • Guess the remote host OS
  • nmap -sS -O 10.0.0.192

37
nmap Examples
  • nmap -v scanme.nmap.org
  • This option scans all reserved TCP ports on the
    machine scanme.nmap.org
  • -v option enables verbose mode.
  • nmap -sS -O scanme.nmap.org/24
  • -sS launches a stealth SYN scan against each
    machine that is up out of the 255 machines on the
    class C network where scanme resides
  • -O It also tries to determine what operating
    system is running on each host that is up and
    running.
  • This requires root privileges because of the SYN
    scan and OS detection.

38
nmap Examples (Cont.)
  • nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
  • 198.116.0-255.1-127 Launches host enumeration
    and a TCP scan at the first half of each of the
    255 possible 8 bit subnets in the 198.116 class B
    address space.
  • -p 22,53,110,143,4564 This tests whether the
    systems run sshd, DNS, pop3d, imapd, or port 4564
  • -sV For any of these ports found open, version
    detection is used to determine what application
    is running

39
Notes
  • Cygwin conflicts with openssh

40
Assignment 5: Find Topology of IA Lab
  • Your group machine root password: forensics

(Lab topology diagram) Internet; Cisco Catalyst 29XX 24 Switch;
ialab.dsunix.net; 10.0.0.192; 10.0.0.55; D-Link Hub;
Cisco Catalyst 2900 24 Switch; 10.0.0.101; 10.0.0.102