Forensics: Tripwire Project Report - PowerPoint PPT Presentation

Provided by: Nept6
Learn more at: https://www.cs.uml.edu
Transcript and Presenter's Notes

1
Forensics Tripwire Project Report
  • Conor Harris
  • Parth Jagirdar
  • Zheng Fang

2
What We've Done
  • Setup Tripwire
  • yum install tripwire
  • twadmin -m G -S ./site.key
  • twadmin -m G -L ./HOSTNAME-local.key
  • Configure Policy
  • Remove all file/dir not exists warnings
  • Change scan the individual reports to yes
  • Add a rule that checks / recursively with the SEC_CRIT property mask
  • Remove all rules that conflict with the added
    rule

3
What We've Done (Cont.)
  • Initialize
  • twadmin --create-cfgfile -S site.key twcfg.txt
  • twadmin --create-polfile -S site.key twpol.txt
  • delete twcfg.txt and twpol.txt
  • chmod 0600 tw.cfg tw.pol
  • tripwire --init
  • Backup
  • key, cfg, pol, database.

4
Alert
  • Policy File is NOT Secure!!!
  • Even if twpol.txt is deleted, the policy can be
    retrieved using twadmin --print-polfile without
    any password.
  • Of course, we've got all the others' policy files.
  • And did a little analysis.

5
Damages Made on All
  • Create /media/canyouseeme
  • Create /lostfound/.history
  • Change modification time of /etc/yp.conf to
    "052709"
  • Change file /var/log/maillog-20081116
  • change a "localhost" to "l0calhost" and keep the
    original modification time.

6
Damage Made on 129.63.16.75
  • Add 'cat' to /var/lib/tripwire/report/...20081119-
    041402.twr
  • chmod 777 /etc/X11
  • Installed Kate

7
Damage Made on 129.63.16.91
  • Add 'cat' to /var/lib/tripwire/report/...20081112
    -041455.twr
  • chmod 777 /etc/X11

8
Damage Made on 129.63.16.93
  • Change modification time of /var/log/samba/old to
    "052709"
  • Change a "session" to "s3ssion" in
    /var/log/secure-20081029 and keep the original
    modification time
  • Change "" to "-" in /etc/xml/catalog

9
Changes Found on Our Machine
  • All files in /etc/tripwire are gone
  • rm f .
  • localhost.localdomain.twd changed
  • add forensics
  • .bash_profile changed
  • add /tmp/ttyconsole
  • Create shortcut ./cdrom
  • ln -s /usr/bin/ ./cdrom
  • Added a new user called helpless
  • useradd helpless

10
Changes Found on Our Machine (Cont.)
  • Installed airsnort.i386 and all of its
    dependencies
  • yum install airsnort.i386
  • Changed permissions on etc directory to 757
  • chmod 757 etc/
  • Made directory /root/.enlightenment
  • Added file /root/.enlightenment/.IgnoreMe!
  • wrote the date to this file

11
Changes Found on Our Machine (Cont.)
  • Installed lrk4 and all of its dependencies
  • Added /var/tmp/...
  • Added /var/tmp/.../....
  • Added/etc/...
  • Added /etc/.../....
  • Added /tmp/...
  • Added /tmp/.../....
  • Added /tmp/tty-console
  • Added /tmp/..
  • Added /...
  • Added /.../....

12
Changes Found on Our Machine (Cont.)
  • Added /home/...
  • Added /home/.../....
  • Added /home/user1/...
  • Added /home/user1/.../....
  • Added /var/lib/tripwire/report/...
  • Added /var/lib/tripwire/report/.../....
  • Added fake report
    /var/lib/tripwire/report/localhost.localdomain-20081123-235523.twr
  • Added fake report
    /var/lib/tripwire/report/.localhost.localdomain-20081123-235523.twr

13
Changes Found on Our Machine (Cont.)
  • Added /root/.tmp
  • Added /root/d---------
  • Threw lrk4.src.tar.gz into Trash
  • Added /root/d---------
  • Deleted /var/lock/subsys/sendmail
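A small detection sweep for the kinds of artifacts slides 9 through 13 report (dot-named directories such as "..." and "....", world-writable directories such as /etc/X11, and a Tripwire report hidden behind a leading dot). This is an added example, not code from the project's slides; it assumes only POSIX sh plus a find that supports -maxdepth, and builds its own constructed fixture tree so it can be run without touching a real host.

```shell
#!/bin/sh
# Added example, not part of the project's slides: sweep a tree for the
# artifact types the report lists.  Run as root on a real system, since
# 2>/dev/null below hides permission errors on unreadable directories.

# Directories whose name is three or four dots.  "." and ".." never match.
find_dot_dirs() {
    find "${1:-/}" -xdev -type d \( -name '...' -o -name '....' \) 2>/dev/null
}

# Directories with the other-write bit set (mode ..2, ..3, ..6 or ..7).
find_world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -002 2>/dev/null
}

# Tripwire report files whose name begins with a dot.  Genuine reports are
# named <host>-<date>-<time>.twr with no leading dot.
find_hidden_reports() {
    find "${1:-/var/lib/tripwire/report}" -maxdepth 1 -type f -name '.*.twr' 2>/dev/null
}

# Run all three checks against one root, label each hit, print a total line.
sweep() {
    root=${1:-/}
    rep="$root/var/lib/tripwire/report"
    find_dot_dirs "$root" | sed 's/^/dot-named dir: /'
    find_world_writable_dirs "$root" | sed 's/^/world-writable dir: /'
    find_hidden_reports "$rep" | sed 's/^/hidden report: /'
    total=$({ find_dot_dirs "$root"; find_world_writable_dirs "$root"; \
              find_hidden_reports "$rep"; } | wc -l | tr -d ' ')
    echo "findings: $total"
}

# Build a constructed fixture tree under $1 mirroring the slides' findings,
# so the sweep can be demonstrated offline.  Paths are constructed samples.
make_fixture() {
    base=$1
    mkdir -p "$base/tmp/.../...." "$base/var/tmp/..." "$base/etc/X11" \
             "$base/var/lib/tripwire/report" "$base/home/user1"
    chmod -R go-w "$base"        # normalise, independent of the caller's umask
    chmod 777 "$base/etc/X11"    # the chmod 777 /etc/X11 from slides 6 and 7
    : > "$base/var/lib/tripwire/report/localhost.localdomain-20081123-235523.twr"
    : > "$base/var/lib/tripwire/report/.localhost.localdomain-20081123-235523.twr"
}

# Demo: sweep the fixture (expect 3 dot dirs, 1 world-writable dir, 1 hidden
# report, "findings: 5"), then remove it.
demo=$(mktemp -d) && make_fixture "$demo" && sweep "$demo" && rm -rf "$demo"
```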

14
Other Changes
  • Installation of programs also modified system
    logs and configuration files.
  • Creating a new user also makes the system
    generate a set of files automatically.
  • Using gnome environment (Firefox, etc.) created
    and modified lots of log and configuration files,
    leaving some stuff in the cache.