Host-Based Intrusion Detection software TRIPWIRE (PowerPoint presentation)
Provided by: Ryan85
1
Host-Based Intrusion Detection software TRIPWIRE
MD5
2
Description
  • The first objective of an attacker is to obtain
    access to your system. The second objective is to
    retain that access, even if you close the hole
    she entered through. To accomplish this, an attacker
    will often install a RootKit.
  • Tripwire creates a database of advanced
    mathematical checksums (MD5) to take a snapshot
    of a system's file properties and contents.

3
Purpose
  • To introduce you to the installation,
    configuration, and use of Tripwire as a
    host-based intrusion detection system

4
Principle and Pre-Study
  • What is a RootKit? A collection of modified system
    binaries that are designed to hide the attacker's
    activities on your system.
  • How do you know if you can trust the information
    your system is giving you?
5
Required Facilities
  • Hardware
  • PC or Workstation with UNIX-based OS
  • Software
  • Tripwire 2.3.1

6
Step (I) Install on FreeBSD
  • FreeBSD

Enter the local passphrase
Make with the FreeBSD port tree
Enter the site keyfile passphrase
Enter the site passphrase
Enter the site passphrase
Enter the local keyfile passphrase
The install configuration information
Generating the database from the policy file
Wait a while for the database to be created
Install complete
The site keyfile passphrase will be needed when
initially creating or modifying the configuration
file or the policy file
The local keyfile passphrase will be needed when
initially creating or modifying the Tripwire database
file. The local key may also be used for signing
integrity check reports
Sign the Tripwire configuration file
Sign the Tripwire policy file
Accept the license agreement
7
Step (II) Test Tripwire
Add a user named jared who has root access rights
Compare the file system against the Tripwire database
The output after checking the file system
Tripwire detects that the file has been modified
8
Step (III) Scheduling function
  • Use crontab to run a Tripwire check every day
    at 1 a.m.; the output will be mailed to root
    at the same time.
  • Edit /etc/crontab as root and restart
    /usr/sbin/cron

9

The Tripwire configuration file
The Tripwire policy file
10
Summary
  • Using a database of calculated checksums, Tripwire
    is capable of detecting when a critical system
    file is changed.
  • The database made by Tripwire should be secured
    in such a way that an attacker cannot alter it.
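The test in Step (II) (baseline the system, add a root-equivalent user, run a check) and the two summary points above can be demonstrated end to end with a small Tripwire-style checker. The following is an added example written for this page, not Tripwire's own code: it builds a database of MD5 checksums plus size and mode for every file under a directory, protects that database with an HMAC keyed by a constructed "local key" (standing in for Tripwire's local keyfile passphrase, which signs the real database), and refuses to report from a database whose HMAC no longer matches. The directory layout, file contents, the `jared` account line and the key value are all constructed for the demo.

```python
"""Added example, not from the slides: a minimal Tripwire-style integrity check."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed stand-in for the local keyfile passphrase (assumption for the demo).
LOCAL_KEY = b"constructed-local-key-for-demo"


def file_record(path: Path) -> dict:
    """Snapshot of one file: MD5 of its contents (as the slides use) plus size and mode."""
    st = path.stat()
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"md5": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root: Path) -> dict:
    """Walk the tree and record every regular file, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def sign_db(records: dict, local_key: bytes) -> bytes:
    """Serialise the database and append an HMAC so later tampering can be detected."""
    body = json.dumps(records, sort_keys=True).encode()
    tag = hmac.new(local_key, body, hashlib.sha256).hexdigest()
    return json.dumps({"records": records, "hmac": tag}).encode()


def load_db(blob: bytes, local_key: bytes) -> dict:
    """Verify the HMAC before trusting any record; a mismatch means the database was altered."""
    doc = json.loads(blob)
    body = json.dumps(doc["records"], sort_keys=True).encode()
    expected = hmac.new(local_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("integrity database signature mismatch: do not trust this database")
    return doc["records"]


def check(root: Path, blob: bytes, local_key: bytes) -> dict:
    """Compare the live file system against the signed baseline (the 'tripwire -m c' step)."""
    baseline = load_db(blob, local_key)
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario mirroring Step (II): baseline a fake /etc, then add a uid-0 user."""
    with tempfile.TemporaryDirectory() as workdir:
        etc = Path(workdir) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        db = sign_db(build_baseline(etc), LOCAL_KEY)

        # The slide's test: a new account with root access is appended to passwd.
        with (etc / "passwd").open("a") as f:
            f.write("jared:x:0:0:jared:/home/jared:/bin/sh\n")
        report = check(etc, db, LOCAL_KEY)

        # Second summary point: if the stored checksum is rewritten to match the
        # altered file, the HMAC no longer verifies and the check refuses to run.
        doc = json.loads(db)
        doc["records"]["passwd"]["md5"] = file_record(etc / "passwd")["md5"]
        tampered = json.dumps(doc).encode()
        try:
            check(etc, tampered, LOCAL_KEY)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a report listing `passwd` under `modified` and `tamper_detected` as true. Two design points carry over to the real tool: the baseline must be taken on a system you already trust (a snapshot of a compromised host only enshrines the RootKit), and the database needs protection independent of the files it describes, which is why Tripwire signs it with the local key and why the slides recommend keeping it where an attacker cannot alter it. MD5 is used here only because the slides do; it is no longer collision-resistant, so a current deployment should prefer SHA-256 or stronger for the content hash.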

11
Reference
  • http://www.tripwire.org
  • RFC 1321 - The MD5 Message-Digest Algorithm
  • Man page of tripwire

12
Appendix install on Linux
  • Select the Tripwire rpm for your Linux
    distribution and install it.
  • rpm -i tripwire-version.i386.rpm
  • After completing the installation, create the site
    keyfile passphrase and the local keyfile passphrase
  • sh /etc/tripwire/twinstall.sh

13
  • Sign the Tripwire configuration file
  • Sign the Tripwire policy file
  • Install the default policy
  • /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
  • Generate the initial checksum database
  • /usr/sbin/tripwire -m i
  • Edit the default site policy file
  • vi /etc/tripwire/twpol.txt

14