Security SIG: Tripwire
Security SIG: Introduction to Tripwire
Chris Harwood
John Ives
What is Tripwire?
Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc.)
Enables admins to detect files that are added, modified or deleted
Provides a history of what changes during patching
Two Components (for today’s discussion)
Tripwire for Servers (command line)
Tripwire Manager (GUI front end)
What can run Tripwire?
Compaq Tru64 UNIX 4.0F, 4.0G, 5.0A, 5.1, 5.1A & 5.1B
FreeBSD 4.5, 4.6, 4.7, 4.10 & 5.3
HP-UX 10.20, 11.0, 11i v1 & 11i v2
IBM AIX 4.3.3, 5.1, 5.2 & 5.3
Linux (kernel 2.2 and glibc 2.x or higher)
Red Hat Enterprise Linux 3 & 4 AS, WS & ES
Solaris (SPARC) 2.6, 7, 8, 9 & 10
Windows NT 4.0, 2000, 2003 & XP Pro
How do you get Tripwire?
Licensed for use by all UC campuses
Locally it is distributed via
http://softdist.berkeley.edu/
Fill out the form and fax in the appropriate paperwork
Download instructions are sent via email
Tripwire For Servers
Command Line Utility
Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32)
Can detect changes to 29 object properties and 21 Registry keys/values on Windows and 21 object properties on UNIX
Can Notify of changes via syslog, email or SNMP
Can output results in XML or HTML
Object Properties - Windows
Archive flag
Read-only flag
Hidden flag
Offline flag
Temporary flag
System flag
Directory flag
Last access time
Last write time
Create time
File size
Turns on event tracking for that object
MS-DOS 8.3 name
NTFS Compressed flag
NTFS Owner SID
NTFS Group SID
NTFS DACL
NTFS SACL
Security descriptor control
Size of security descriptor
CRC-32
MD5
SHA
HAVAL
Number of NTFS streams
CRC-32 hash of all alternative data streams
MD5 hash of all alternative data streams
SHA hash of all alternative data streams
HAVAL hash of all alternative data streams
Registry Properties - Windows
Registry Key Objects
Last write time
Owner SID
Group SID
DACL
SACL
Security descriptor control
Size of security descriptor for the key
Name of class
Number of subkeys
Maximum length of subkey name
Maximum length of classname
Number of values
Maximum length for value name
Maximum length of data for any value in the key
Turns on event tracking for that object
Registry Value Objects
Type of value data
Length of value data
CRC-32 hash of value data
MD5 hash of value data
SHA hash of value data
HAVAL hash of value data
Object Properties - UNIX
File permissions
Inode number
Number of links (inode reference count)
User ID of owner
Group ID of owner
File size
Device number of the disk where the inode for the file is stored
For device objects only: number of the device to which the inode points
Number of blocks allocated
Modification timestamp
Inode creation/modification timestamp
File size (violated if file is not larger than its last recorded size)
Access timestamp
Object Event tracking
Flags
CRC-32
MD5
SHA
HAVAL
ACL settings
Inode generation number
Pass Phrases
Local Passphrase
Used to protect the Database and (optionally) report files
Site Passphrase
Used to protect the policy and configuration files
Manager Passphrase
Stores the local and site passwords of each server using triple-DES encryption with a 168-bit key length
Demonstration
Installing Tripwire For Servers on Windows
Demonstration
Tripwire For Servers Command Line Options and Default Policy
Installation on Linux
Glibc must be installed
Install the agent
Site key & local key
Mail method
SMTP for relay
Sendmail for localhost
SNMP set to no
IP address port 1169
up2date -u glibc or glibc-devel
Firewall rules, manager to server (ports 1024-65535 to 1169)
Startup scripts
Start agent
Register in Tripwire Manager
Demonstration
Installing Tripwire for Servers on Linux
Tripwire Manager
GUI for managing (Policy, Schedule, etc.) on Tripwire for Servers
Written in Java (supported on Solaris 7-9, Windows NT4-2003 and RedHat Linux 7-9 & Enterprise Linux 3 & 4 AS, WS, & ES)
Can manage multiple Tripwire for Servers installations
Uses SSL to communicate with Tripwire for Servers (bi-directional authentication)
Demonstration
Installing Tripwire Manager on Windows
Registering a server
Add Machine
Hostname
Group
Address
Port
Demonstration
Registering Server with Manager
Demonstration
Using Tripwire Manager to edit Policy, Settings and Schedule
Initial Config
Edit config file
Event tracking
Mail no violation reports
Global email
Initialize the database (8 min)
Perform integrity check (10 min)
Update policy file
Don’t overwrite
Post Integrity Check
View Report
Objects
Update database
UNIX
Windows
Update, don’t approve violations
Re-run integrity check
Continue until status is green
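As an added example that is not part of the original slides and not Tripwire's own code, the following Python script models the cycle these slides describe: the baseline database of object properties and hashes (Tripwire For Servers and UNIX object property slides), the passphrase-protected database (Pass Phrases slide), and the initialize, integrity check, update database, re-check loop above. Function names, the constructed sample files, and the PBKDF2/HMAC-SHA256 tag standing in for Tripwire's passphrase-based database protection are assumptions; the fixed salt is a simplification, HAVAL is omitted because hashlib lacks it, and SHA-1 is used for the slides' "SHA".

```python
# Added example (not Tripwire's own code): a small file-integrity checker modelled
# on the workflow in these slides: a baseline database of object properties and
# hashes, an integrity check reporting added/modified/removed objects, a database
# update that accepts reviewed changes, and a passphrase-protected database.
import hashlib
import hmac
import json
import os
import tempfile
import zlib
from pathlib import Path


def snapshot(path):
    """Subset of the slides' UNIX object properties; HAVAL is not in hashlib, so it is omitted."""
    st = os.lstat(path)
    props = {"mode": st.st_mode, "inode": st.st_ino, "nlink": st.st_nlink,
             "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
             "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as fh:
            data = fh.read()
        props["crc32"] = zlib.crc32(data) & 0xFFFFFFFF
        props["md5"] = hashlib.md5(data).hexdigest()
        props["sha1"] = hashlib.sha1(data).hexdigest()  # the slides' "SHA"
    return props


def build_database(root):
    """Snapshot every object under root, keyed by slash-separated relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root).replace(os.sep, "/")] = snapshot(full)
    return db


def derive_key(passphrase):
    # Fixed salt is a constructed simplification; a real tool stores a random one.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"example-salt", 100_000)


def save_database(db, passphrase):
    """Serialise db with an HMAC-SHA256 tag (assumed stand-in for Tripwire's signed database)."""
    body = json.dumps(db, sort_keys=True)
    tag = hmac.new(derive_key(passphrase), body.encode(), "sha256").hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def load_database(blob, passphrase):
    """Verify the tag before trusting the database; a wrong passphrase or tampering fails."""
    wrapper = json.loads(blob)
    expected = hmac.new(derive_key(passphrase), wrapper["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("database signature check failed")
    return json.loads(wrapper["body"])


def integrity_check(root, db):
    """Compare the filesystem with db: added/removed objects and changed properties."""
    current = build_database(root)
    report = {"added": sorted(set(current) - set(db)),
              "removed": sorted(set(db) - set(current)), "modified": {}}
    for rel in sorted(set(current) & set(db)):
        changed = [p for p in db[rel] if db[rel][p] != current[rel].get(p)]
        if changed:
            report["modified"][rel] = sorted(changed)
    return report


def update_database(db, root, report):
    """Accept the current state of each violated object (the slides' 'update database')."""
    new_db = dict(db)
    for rel in report["removed"]:
        del new_db[rel]
    for rel in report["added"] + list(report["modified"]):
        new_db[rel] = snapshot(os.path.join(root, *rel.split("/")))
    return new_db


def demo():
    """Constructed walkthrough: initialise, change files, check, update, re-check, tamper."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        blob = save_database(build_database(root), "site-passphrase")
        db = load_database(blob, "site-passphrase")
        # Simulated changes: one file edited, one removed, one added.
        with (etc / "passwd").open("a") as fh:
            fh.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "shadow").write_text("root:*:0:0:99999:7:::\n")
        first = integrity_check(root, db)
        # After review, accept the changes into the database and re-run the check.
        second = integrity_check(root, update_database(db, root, first))
        # A database edited outside the tool no longer verifies under the passphrase.
        wrapper = json.loads(blob)
        wrapper["body"] = wrapper["body"].replace('"size": ', '"size": 1')
        try:
            load_database(json.dumps(wrapper).encode(), "site-passphrase")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"first": first, "second": second, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the first report (one added, one removed, one modified object with the properties that changed), the clean second report after the database update, and whether the edited database was rejected. The "update, don't approve violations" and "continue until status is green" steps correspond to update_database followed by another integrity_check; the checker only accepts what a reviewer has already looked at in the report.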
Automation & Reporting
Configure schedules
Nightly
Periodical
Full integrity check
System configuration files
Other critical application files or directories
Text or HTML reports
Level 3 Concise
Text format
HTML reports can cause SMTP issues
Questions and Answers