
Editor's Note - 03.08.02
RedHat Linux, probably the most famous of the open source operating systems, ousted Microsoft from Datamation's Network and Systems Software category during their annual awards. Linux is finally making real inroads into the enterprise. Read more here: http://itmanagement.earthweb.com/cio/article/0,,11967_974831,00.html
Microsoft has released a *ton* of patches lately. For those of you locking down Windows boxes, here is a link to the TechNet Security page: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp
And, speaking of Microsoft, it looks as though Judge Kollar-Kotelly plans on taking her time before coming to any conclusions about the infamous antitrust case before her. The New York Times has a nice summary of recent events: http://www.nytimes.com/2002/03/07/technology/07SOFT.html?todaysheadlines
Using Tripwire
In our last issue we introduced one of the most popular intrusion detection systems available, Tripwire. If you have not read that article, you can find it here: http://www.securitypronews.com/2002/0226.html
As I mentioned previously, Tripwire is not a replacement for the other security measures you have taken, but rather a supplement to them. Tripwire is a host-based intrusion detection system: it keeps a database of checksums of the files on your machine, and when it finds a file whose checksum no longer matches the one in that database, Tripwire knows the file has been modified.
Because Tripwire is available for so many platforms, I am not going to try to discuss installing it (it is not difficult, just follow the instructions included with the download).
My discussion today will revolve around the GPLed (http://www.gnu.org/copyleft/copyleft.html) version of Tripwire, Tripwire for Linux. The official documentation for this version can be found here: http://sourceforge.net/project/showfiles.php?group_id=3130
Before you run Tripwire, it must be configured. You will only need to configure Tripwire once; after that you will be able to make changes through normal operation commands.
To begin, you will need to modify the twcfg.txt file with your favorite text editor. By default, Tripwire installs this file in /etc/tripwire/. This file will become tw.cfg, which is an encrypted version of the file.
Once you have made the encrypted version of the file, you will want to remove the plain text version from the machine. Ideally, you should keep this file and the text version of the policy file somewhere removed from the network.
If, for whatever reason, the twcfg.txt file does not exist, you can create one by entering the following command (the leading # is the root prompt, not part of the command):
# twadmin --print-cfgfile > myfile.txt
where myfile.txt can be whatever name you want the configuration file to be.
Once you have modified the configuration file to your liking, you will need to create the encrypted version of the file. Then confirm that Tripwire's email settings work by entering the following command, substituting a real email address for user@domain.com:
# twadmin --test --email user@domain.com
You should now receive a small test message from Tripwire. If you did not, you may have some email issues to contend with; you may have to start SMTP or what have you.
The next thing you will want to do is to modify the policy file, twpol.txt, to your satisfaction. This file can also be found in /etc/tripwire. The default file may suit your needs; just make sure that all of the files you want monitored are listed in that policy file.
In the same way that we needed to create an encrypted version of the configuration file, we will need to create an encrypted version of the policy file. To do this, simply run the following:
# twadmin --create-polfile policy.txt
where policy.txt is the text policy file that you just modified (twpol.txt by default).
That is it, you are now ready to initialize the database. I know I have mentioned this before, but I think it is important enough to mention again. You will only need to initialize the database once. If you need to make changes to the database (i.e. configuration and/or policy changes), there are regular commands that you can run to accomplish this.
To initialize the database, simply enter:
# tripwire --init
Now you can run a report at any time. You can also change configuration, policy, administrative passwords and/or key sets at any given time.
For instance, you can run an integrity check at any time like so:
# tripwire --check
which will print the results to the screen and save a binary copy of the report in the default location (wherever you set the path for REPORTFILE in the configuration file). There are also many options that can be used with reporting. For example, if you use the '--email-report' switch, all recipients listed in the policy file will receive a copy of the report.
Ideally, you would have your integrity checks scheduled. On most *nix systems you would set this up as a cron job so that it is fully automated; all you would have to do is read the email reports you receive.
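To make the init/check cycle described above concrete, here is an added example (not part of the original article or of Tripwire's own code) that implements the same idea in Python: build a baseline of file checksums for a policy of monitored paths, then re-scan and report what was added, removed or modified. The policy, paths and file contents are constructed inside the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def init_database(policy):
    """Like 'tripwire --init': record checksum, size and mode for every file
    under the policy's paths. Keep the result where an intruder cannot rewrite it."""
    db = {}
    for root in map(Path, policy):
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for p in files:
            st = p.stat()
            db[str(p)] = {"sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode}
    return db

def integrity_check(policy, db):
    """Like 'tripwire --check': re-scan and report what differs from the baseline."""
    current = init_database(policy)
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(db) | set(current)):
        if path not in db:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif db[path] != current[path]:
            report["modified"].append(path)
    return report

def demo():
    """Constructed scenario: baseline a small tree, then modify, add and remove files."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        db = init_database([etc])            # the one-time 'tripwire --init'
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nguest:x:1000:1000::/home/guest:/bin/sh\n")
        (etc / "new.conf").write_text("x=1\n")   # a file that was not in the baseline
        (etc / "hosts").unlink()                  # a baselined file that disappeared
        report = integrity_check([etc], db)      # a later 'tripwire --check'
        return {k: sorted(os.path.relpath(p, tmp) for p in v) for k, v in report.items()}
```

Unlike Tripwire, this baseline is neither signed nor stored off the host, which is exactly why the article tells you to keep the real database and key material away from the monitored machine.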
There are many other features of Tripwire that power users will appreciate. Be sure to check out the official documentation for suggestions on adding more functionality to Tripwire. Also included with the documentation is a really nice quick reference card that makes administering Tripwire trivial.