Security SIG: Tripwire

Security SIG: Introduction to Tripwire
Chris Harwood
John Ives
What is Tripwire?
- Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc.)
- Enables admins to detect files that are added, modified or deleted
- Provides a history of what changes during patching
- Two components (for today’s discussion):
  - Tripwire for Servers (command line)
  - Tripwire Manager (GUI front end)
What can run Tripwire?
- Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B
- FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3
- HP-UX 10.20, 11.0, 11i v1 & 11i v2
- IBM AIX 4.3.3, 5.1, 5.2 & 5.3
- Linux (kernel 2.2 and glibc 2.x or higher)
- Red Hat Enterprise Linux 3 & 4 AS, WS & ES
- Solaris (SPARC) 2.6, 7, 8, 9 & 10
- Windows NT 4.0, 2000, 2003 & XP Pro
How do you get Tripwire?
- Licensed for use by all UC campuses
- Locally it is distributed via http://softdist.berkeley.edu/
- Fill out the form and fax in the appropriate paperwork
- Download instructions are sent via email
Tripwire for Servers
- Command-line utility
- Keeps a cryptographically signed database of file/registry attributes, including up to four hash values per object (HAVAL, MD5, SHA-1 and CRC-32). CRC-32 is a checksum rather than a cryptographic hash, so treat it as a cheap extra check, not as tamper evidence on its own.
- Can detect changes to 29 object properties and 21 registry key/value properties on Windows, and 21 object properties on UNIX
- Can notify of changes via syslog, email or SNMP
- Can output results in XML or HTML
Object Properties - Windows
- Archive flag
- Read-only flag
- Hidden flag
- Offline flag
- Temporary flag
- System flag
- Directory flag
- Last access time
- Last write time
- Create time
- File size
- Event tracking (turns on event tracking for that object)
- MS-DOS 8.3 name
- NTFS Compressed flag
- NTFS Owner SID
- NTFS Group SID
- NTFS DACL
- NTFS SACL
- Security descriptor control
- Size of security descriptor
- CRC-32
- MD5
- SHA
- HAVAL
- Number of NTFS streams
- CRC-32 hash of all alternate data streams
- MD5 hash of all alternate data streams
- SHA hash of all alternate data streams
- HAVAL hash of all alternate data streams
Registry Properties - Windows

Registry key objects:
- Last write time
- Owner SID
- Group SID
- DACL
- SACL
- Security descriptor control
- Size of security descriptor for the key
- Name of class
- Number of subkeys
- Maximum length of subkey name
- Maximum length of class name
- Number of values
- Maximum length of value name
- Maximum length of data for any value in the key
- Event tracking (turns on event tracking for that object)

Registry value objects:
- Type of value data
- Length of value data
- CRC-32 hash of value data
- MD5 hash of value data
- SHA hash of value data
- HAVAL hash of value data
Object Properties - UNIX
- File permissions
- Inode number
- Number of links (inode reference count)
- User ID of owner
- Group ID of owner
- File size
- Device number of the disk where the inode for the file is stored
- For device objects only: number of the device to which the inode points
- Number of blocks allocated
- Modification timestamp
- Inode creation/modification timestamp
- File size, growing-file rule (violated only if the file is smaller than its last recorded size; intended for log files that are expected to grow)
- Access timestamp
- Object event tracking
- Flags
- CRC-32
- MD5
- SHA
- HAVAL
- ACL settings
- Inode generation number
Pass Phrases
- Local passphrase: used to protect the database and (optionally) report files
- Site passphrase: used to protect the policy and configuration files
- Manager passphrase: protects the Manager’s store of each server’s local and site passphrases, which is encrypted with triple-DES using a 168-bit key
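As an added illustration, not Tripwire’s own code or file format (Tripwire uses its own signature scheme), the following Python sketch models the key split above: a key derived from the site passphrase protects the policy, a key derived from the local passphrase protects the database, and verification fails under the wrong key or after any edit. The passphrases, salts, file contents, the HMAC construction and the "kind" label are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed PBKDF2 work factor for this example
TAG_LEN = 32           # SHA-256 HMAC tag length


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a passphrase into a 32-byte key; the salt would be stored beside the key file."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=32)


def sign(key: bytes, kind: bytes, payload: bytes) -> bytes:
    """Return tag || payload. The file kind (b'policy', b'database') is bound into the
    tag so a database blob cannot be passed off as a policy file under the same key."""
    tag = hmac.new(key, kind + b"\0" + payload, hashlib.sha256).digest()
    return tag + payload


def verify(key: bytes, kind: bytes, blob: bytes) -> bytes:
    """Return the payload if the tag checks out under this key and kind, else raise."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, kind + b"\0" + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"{kind.decode()} file failed signature check")
    return payload


def demo() -> dict:
    """Constructed material: two passphrases, random salts and two tiny files."""
    site_key = derive_key("site passphrase (constructed)", os.urandom(16))
    local_key = derive_key("local passphrase (constructed)", os.urandom(16))
    policy = b"/etc -> +pinugsmc\n"                 # constructed policy text
    database = b"/etc/passwd sha=deadbeef size=42\n"  # constructed database text

    signed_policy = sign(site_key, b"policy", policy)
    signed_db = sign(local_key, b"database", database)

    def verifies(key: bytes, kind: bytes, blob: bytes) -> bool:
        try:
            verify(key, kind, blob)
            return True
        except ValueError:
            return False

    # An attacker with write access to the database but not the local passphrase
    # edits the recorded size: the tag no longer matches.
    tampered_db = signed_db[:TAG_LEN] + signed_db[TAG_LEN:].replace(b"size=42", b"size=43")
    return {
        "policy_under_site_key": verifies(site_key, b"policy", signed_policy),
        "database_under_local_key": verifies(local_key, b"database", signed_db),
        "policy_under_local_key": verifies(local_key, b"policy", signed_policy),
        "edited_database": verifies(local_key, b"database", tampered_db),
    }
```

The point of the split is operational: the site passphrase is only needed when the policy or configuration changes and can be kept off the box, while the local passphrase is needed on the host every time the database is updated after a check.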
Demonstration: Installing Tripwire for Servers on Windows
Demonstration: Tripwire for Servers command-line options and default policy
Installation on Linux
- glibc must be installed (up2date -u glibc or glibc-devel)
- Install the agent
- Generate the site key and local key
- Mail method: SMTP for a relay host, sendmail for localhost
- SNMP set to no
- IP address and port (the agent listens on TCP port 1169)
- Firewall rules: allow Manager to server (source ports 1024-65535 to destination port 1169)
- Startup scripts
- Start the agent
- Register in Tripwire Manager
Demonstration: Installing Tripwire for Servers on Linux
Tripwire Manager
- GUI for managing Tripwire for Servers (policy, schedule, etc.)
- Written in Java (supported on Solaris 7-9, Windows NT4-2003, Red Hat Linux 7-9 and Red Hat Enterprise Linux 3 & 4 AS, WS & ES)
- Can manage multiple Tripwire for Servers installations
- Uses SSL to communicate with Tripwire for Servers (bi-directional authentication)
Demonstration: Installing Tripwire Manager on Windows

Registering a server
- Add Machine: hostname, group, address, port
Demonstration: Registering a server with Manager
Demonstration: Using Tripwire Manager to edit policy, settings and schedule
Initial Config
- Edit the config file: event tracking, mail no-violation reports, global email
- Initialize the database (8 min)
- Perform an integrity check (10 min)
- Update the policy file (don’t overwrite)
Post Integrity Check
- View the report (objects)
- Update the database (UNIX and Windows): update, don’t approve violations
- Re-run the integrity check
- Continue until status is green
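To make the initialize / check / update loop concrete, here is a minimal file-integrity checker written for this page in Python; it is not Tripwire’s code. It records the UNIX object properties listed earlier (permissions, inode, link count, owner, size, device, blocks, timestamps and CRC-32/MD5/SHA-1; HAVAL is omitted because Python’s hashlib lacks it), applies the growing-file rule, reports added, removed and changed objects, and then accepts the reviewed violations into the database so the next run comes back clean. The property letters, the rule dictionary and the temporary sample tree are assumptions made for this example.

```python
import hashlib
import os
import shutil
import stat
import tempfile
import zlib

# Property letters are assumed for this example: p mode, i inode, n link count, u uid,
# g gid, s size, d device, b blocks, m mtime, c ctime, a atime, l growing file,
# C CRC-32, M MD5, S SHA-1. 'a' stays out of the default mask because hashing a file
# updates its atime, so checking it would flag every object on every run.
DEFAULT_MASK = "pinugsdbmcCMS"
GROWING_MASK = "pinugdl"   # logs: size, times and hashes change legitimately; shrinking does not


def snapshot(path: str) -> dict:
    """Record the UNIX object properties of one path; symlinks are not followed."""
    st = os.lstat(path)
    props = {"p": st.st_mode, "i": st.st_ino, "n": st.st_nlink, "u": st.st_uid,
             "g": st.st_gid, "s": st.st_size, "d": st.st_dev,
             "b": getattr(st, "st_blocks", 0), "m": st.st_mtime_ns,
             "c": st.st_ctime_ns, "a": st.st_atime_ns}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()      # fine for an example; stream large files in practice
        props.update({"C": zlib.crc32(data) & 0xFFFFFFFF,
                      "M": hashlib.md5(data).hexdigest(),
                      "S": hashlib.sha1(data).hexdigest()})
    return props


def mask_for(path: str, rules: dict) -> str:
    """Longest-prefix rule wins, as the most specific rule in a policy file would."""
    best, mask = -1, DEFAULT_MASK
    for prefix, m in rules.items():
        if (path == prefix or path.startswith(prefix.rstrip(os.sep) + os.sep)) and len(prefix) > best:
            best, mask = len(prefix), m
    return mask


def init(root: str) -> dict:
    """Initialize the database: every directory and file under root with its properties."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        db[dirpath] = snapshot(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            db[full] = snapshot(full)
    return db


def diff_props(old: dict, new: dict, mask: str) -> list:
    """Return the masked properties that differ; 'l' only fires when the file shrank."""
    changed = []
    for prop in mask:
        if prop == "l":
            if new.get("s", 0) < old.get("s", 0):
                changed.append("l")
        elif old.get(prop) != new.get(prop):
            changed.append(prop)
    return changed


def check(db: dict, root: str, rules: dict) -> dict:
    """Integrity check: compare the database against the live tree."""
    live = init(root)
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(db) | set(live)):
        if path not in db:
            report["added"].append(path)
        elif path not in live:
            report["removed"].append(path)
        else:
            diffs = diff_props(db[path], live[path], mask_for(path, rules))
            if diffs:
                report["changed"][path] = diffs
    return report


def update(db: dict, root: str, report: dict) -> dict:
    """Accept the reviewed violations into the database so the next check is clean."""
    live, new_db = init(root), dict(db)
    for path in report["added"] + list(report["changed"]):
        new_db[path] = live[path]
    for path in report["removed"]:
        new_db.pop(path, None)
    return new_db


def demo() -> dict:
    """Run init, check, update and re-check on a constructed temporary tree."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        passwd, log, dropped = (os.path.join(etc, "passwd"), os.path.join(root, "app.log"),
                                os.path.join(root, "dropped.sh"))
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        with open(log, "w") as fh:
            fh.write("service started\n")
        rules = {root: DEFAULT_MASK, log: GROWING_MASK}
        db = init(root)
        clean = check(db, root, rules)                 # nothing touched yet
        with open(passwd, "a") as fh:                  # a patch edits passwd ...
            fh.write("eve:x:0:0::/root:/bin/sh\n")
        with open(log, "a") as fh:                     # ... the log grows (allowed) ...
            fh.write("request handled\n")
        with open(dropped, "w") as fh:                 # ... and an unexpected file appears
            fh.write("#!/bin/sh\n")
        first = check(db, root, rules)
        db = update(db, root, first)                   # reviewed and accepted
        after_update = check(db, root, rules)
        os.remove(dropped)                             # stray file cleaned up ...
        with open(log, "w") as fh:                     # ... and the log truncated
            fh.write("")
        final = check(db, root, rules)
    finally:
        shutil.rmtree(root)
    return {"passwd": passwd, "log": log, "dropped": dropped, "clean": clean,
            "first": first, "after_update": after_update, "final": final}
```

Two design points carry over to the real tool: the mask decides what counts as a violation (a log file checked with the full mask would be red on every run, while the growing-file rule still catches truncation), and "update" should only be run after someone has looked at the report, since accepting a change is what turns an attacker’s edit into the new baseline.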
Automation & Reporting
- Configure schedules:
  - Nightly: full integrity check
  - Periodical: system configuration files, other critical application files or directories
- Text or HTML reports:
  - Level 3 (concise)
  - Text format
  - HTML reports can cause SMTP issues
Questions and Answers