
How to understand Tripwire application

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Today I will talk to you about how to understand Tripwire applications, a topic that many people do not know well. To help you understand it better, the editor has summarized the following content; I hope you get something from this article.

For the Unix administrator, the security of the host system has always been a concern. On the one hand, the administrator tries to harden the system by applying patches and installing software and hardware firewalls; on the other hand, new vulnerabilities in Unix operating systems are constantly found and published, for example on BUGTRAQ. Seen this way, it is fair to say that there are no secure hosts on the Internet: every host connected to the Internet can potentially be compromised. Moreover, for an intruder, exploiting a vulnerability to get into the system is usually only the first step. To obtain more, such as superuser passwords or database passwords, further effort is needed, and the most convenient and effective way is to alter or trojan files on the compromised host: planting a listener, replacing key files, editing trusted files, setting up set-uid files, and so on.

Some administrators check the integrity of files with the commands shipped with Unix, for example by looking at file timestamps, but such checks are barely reliable: an experienced intruder can easily change the apparent time at which a file was created. Interested administrators can try the following. First create a .rhosts file and look at its timestamp:

    # echo "+" > /.rhosts
    # ls -l /.rhosts
    -rw-r--r--   1 root     other          4 Jul  2 16:45 /.rhosts

Now see what happens after the following command, which copies the timestamps of /bin/sh onto the new file:

    # touch -r /bin/sh /.rhosts
    # ls -l /.rhosts
    -rw-r--r--   1 root     other          4 Apr  5 16:32 /.rhosts

The timestamp has changed. The file has become an "old" file and is likely to escape the administrator's notice.

Consider, for example, an intruder who replaces the su binary: every time a user runs su, the trojanized su reads and records the password before handing control to the real su program. The password leaks this way, and although this is not what the administrator expects, a Unix system is so large and complex that the substitution is hard to find.

Tripwire is the classic tool for this problem and the best-known file system integrity checker for Unix. Its core technique is to compute a digital signature (a cryptographic checksum) for each monitored file and keep it; when the file's current signature no longer matches the retained one, the file must have been altered. The Tripwire configuration file lets you monitor the following items:

- access permissions and file mode settings, including the effective execution (set-uid/set-gid) settings
- inode number in the file system
- number of links
- user ID of the owner
- group ID of the group of users to which access may be granted
- size of the item
- date and time the item was last accessed, the last modification made to the item, and the creation date and time associated with the item's inode

From the above we can see that Tripwire covers a wide range of file attributes.

2: how Tripwire works

When Tripwire runs in database generation mode, it reads the files to be monitored from a configuration file set up by the administrator, generates a digital signature for each file, and saves the results in its own database. By default the signature of a file is produced by combining MD5 and Snefru (Xerox's secure hash function). Administrators can also use hash functions such as MD4, CRC32 and SHA, but the reliability of the two default functions is already quite high; since the combination of MD5 and Snefru (Snefru in particular) consumes a lot of system resources, you can choose according to the importance of each file. When a system is suspected of having been compromised, Tripwire compares the current signatures against the previously generated database; if a file has been replaced, its signature no longer matches the corresponding entry in the Tripwire database, Tripwire reports that the file has changed, and the administrator knows that the system is no longer "clean".

It should be noted that this security mechanism rests entirely on the signatures in the database, and all of the work is meaningless if the database is unreliable. So once Tripwire has generated the database, the security of that database file is extremely important. The common practice is to keep the database file, the Tripwire binary and the configuration file on separate, "removable and lockable" media such as a floppy disk: after copying the files to the floppy, close the write-protect tab and lock the disk in a safe. Besides floppy disks, write-once media such as CD-R are also a good choice, so that even if an intruder gets hold of the disk there is nothing he can do to it. Another option is to digitally sign these key files with an encryption tool such as PGP. Of course, when the administrator changes some files himself, Tripwire's database must be updated accordingly. Tripwire takes this into account and has four working modes: database generation, integrity check, database update and interactive update. When the administrator has changed files, the database update mode generates a new database file.
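To make the "verify the database before trusting the check" step concrete, here is an added example (not Tripwire's code and not from this article): a Python script that builds a digest manifest over the database, binary and configuration files and authenticates it with an HMAC-SHA256 key that is assumed to live on the removable media, standing in for the PGP detached signature the text recommends. The file names, their contents and the key are constructed for the demo.

```python
"""Authenticating the Tripwire trust bundle before a check (added example,
not Tripwire code). An HMAC-SHA256 manifest, keyed with a secret that is
assumed to be stored on removable media, stands in for a PGP signature."""
import hashlib
import hmac
import json
import os
import tempfile


def digest_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(paths, key):
    """Digest every trusted file; return the manifest body and its MAC."""
    body = json.dumps({os.path.basename(p): digest_file(p) for p in paths},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_bundle(paths, body, mac, key):
    """Return (ok, mismatched names). The whole bundle is refused when the
    manifest's MAC is wrong, because then none of its digests can be trusted."""
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, mac):
        return False, ["manifest"]
    expected = json.loads(body)
    bad = [os.path.basename(p) for p in paths
           if not hmac.compare_digest(expected.get(os.path.basename(p), ""),
                                      digest_file(p))]
    return not bad, bad


def demo():
    """Constructed scratch bundle: sign it, then overwrite tw.db and re-verify,
    and finally verify against a manifest whose body was edited."""
    d = tempfile.mkdtemp()
    files = {"tw.db": b"database contents", "tw.config": b"/etc R\n",
             "tripwire": b"binary contents"}          # constructed stand-ins
    paths = []
    for name, data in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    key = os.urandom(32)   # in practice read from the locked floppy/CD-R
    body, mac = make_manifest(paths, key)
    before = verify_bundle(paths, body, mac, key)
    with open(os.path.join(d, "tw.db"), "wb") as fh:
        fh.write(b"database rewritten on the host")
    after = verify_bundle(paths, body, mac, key)
    edited = verify_bundle(paths, body[:-1] + b" ", mac, key)
    return {"before": before, "after": after, "manifest_tampered": edited}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage}: ok={result[0]} mismatched={result[1]}")
```

The check of the manifest's MAC comes first on purpose: an on-host manifest that anyone can rewrite would otherwise simply be regenerated together with a replaced database, which is exactly the situation the locked media is meant to rule out.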

3: download Tripwire and prepare for installation

Tripwire supports the vast majority of Unix operating systems. Installing it requires a compiler environment such as gcc or cc and decompression tools such as gzip and gunzip; administrators can obtain these tools from the appropriate sites, and they are not discussed here.

Tripwire is available from www.tripwire.com; in the download section of its home page you will find the Tripwire 1.3 ASR version, which is currently a free download.

4: install Tripwire

After unpacking the Tripwire tar archive, we can see its directory structure. It is recommended to read the README file in the top-level directory first to get an overall understanding of Tripwire. Then we can install the software step by step.

Step 1: match the host environment

The file Ported in the top-level Tripwire directory describes the supported systems and their configuration files. The administrator first needs to open this file and find the entry that matches his system. The test environment of this article is Solaris 2.6; the relevant entry reads:

    vendor:     Sun Microsystems, Inc.
    os:         SunOS
    os version: 5.x (Solaris 2.x)
    compiler:   cc
    cflags:     -O
    ldflags:
    libs:
    conf.h:     conf-svr4.h
    tw.config:  tw.conf.sunos5
    notes:

In this entry, pay particular attention to the conf.h and tw.config lines; they are needed in the configuration steps that follow. Note that the files named in these two lines differ from one operating system to another.

Step 2: configure the monitoring target

Enter the include directory, edit the config.h file, and write the file name and path corresponding to the conf.h line of the Ported entry from step 1 into the # include section at the beginning of config.h. In this example it is:

    #include "../configs/conf-svr4.h"

Note that config.h also contains settings such as the name of the Tripwire configuration file, the directory where the Tripwire database is placed and the name of the generated database file; the administrator can set these as he or she prefers. After editing config.h, you have to edit the Tripwire configuration file in the configs directory to suit the local situation, that is, the tw.conf.sunos5 named on the tw.config line of the Ported entry above. This is where the monitoring of files, directories and so on is set up. Let's look at part of this file paragraph by paragraph:

    #  -: ignore the following attributes
    #  +: do not ignore the following attributes
    #
    #  p: permission and file mode bits     a: access timestamp
    #  i: inode number                      m: modification timestamp
    #  n: number of links (ref count)       c: inode creation timestamp
    #  u: user id of owner                  1: signature 1
    #  g: group id of owner                 2: signature 2
    #  s: size of file

The letters p through 2 above are the attributes the administrator can combine when setting up monitoring of files and directories, and the leading - or + sign says whether the attributes that follow are ignored or selected. For example:

    /var    +pinugsm12-a

This means: check all files under the directory /var, monitoring file mode, inode, number of links, group, owner, size, modification time, inode creation time and the digital signatures, but do not monitor access time. If access time were monitored too, every normal user access would be reported by Tripwire, which is not necessary.

For convenience, the Tripwire authors have made common combinations into templates:

    #  Templates: (default)
    #    R: [R]ead-only          (+pinugsm12-a)
    #    L: [L]og file           (+pinug-sam12)
    #    N: ignore [N]othing     (+pinusgsamc12)
    #    E: ignore [E]verything  (-pinusgsamc12)

In tw.conf.sunos5, add the files and directories that need to be monitored to the list and assign them the corresponding template, for example:

    /                       R
    /.rhosts                R    # may not exist
    /.profile               R    # may not exist
    /etc/dfs/dfstab         R
    /etc/hosts.equiv        R
    /etc/inet/inetd.conf    R
    /etc/inet/protocols     R
    /etc/inet/services      R
    /etc/init.d             R
    /etc/motd               L
    #/etc/named.boot        R    # may not exist
    /etc/opt                R
    /etc/passwd             L
    /etc/profile            R

Step 3: compile

After completing the previous two steps you can compile. In the top-level Tripwire directory, run make and the build proceeds automatically. After a successful build, run make test; Tripwire then checks the build and its own operation test by test. One section of the output looks like this:

    === test.update.sh: DESCRIPTION
        This shell script exercises all the Tripwire integrity checking and
        database update functionalities.
    === test.update.sh: Setting up auxiliary scripts
    === test.update.sh: BEGIN
    === ../src/tripwire -loosedir -c /tmp/twtest/tw.config -d /tmp/twtest/tw.db -i all
    === test.update.sh: testing GROWING (safe) files
    === test.update.sh: testing GROWING (unsafe) files
    === test.update.sh: testing ADDED files
    === test.update.sh: testing DELETED files
    === test.update.sh: testing CHANGED files
    === test.update.sh: testing input schemes
    === test.update.sh: tw.config from stdin
    === test.update.sh: database from stdin
    ===
    === test.update.sh: testing complex UPDATE cases
    ===
    === test.update.sh: changed ignore-mask (UPDATE file)
    === test.update.sh: changed ignore-mask (UPDATE entry)
    === test.update.sh: testing UPDATED files (7 cases)
    ===
    === test.update.sh: Case 1: update: add new file
    === test.update.sh: case 2: update: delete file
    === test.update.sh: case 3: update: update file
    === test.update.sh: case 4: nonsense case (skipping)
    === test.update.sh: case 6: update: delete entry
    === test.update.sh: case 5: update: add entry
    === test.update.sh: case 7: update: update entry
    === test.update.sh: PASS
    ===

We can see that Tripwire tests the update function case by case and finally reports PASS. When every test item reports PASS, the build is OK.

Step 4: generate the database

With Tripwire compiled, we are ready to scan the monitored files and generate the Tripwire database. In Tripwire's src directory, run:

    ./tripwire -init

The system scans the files and generates the database according to the settings in tw.conf.sunos5. As mentioned in step 2, the path of the database file is set in config.h; in this case it is /var/tripwire, and the database file we get is named tw.db_secu.unix.com. It is recommended to copy the Tripwire executable, the database file and the configuration file to a floppy disk or similar media and keep it in a safe place. When an integrity check is needed later, it can be run directly from the floppy.

Step 5: test

With the database generated, let's test it. First we create a file named goadd in the root directory with touch. Then we change the .cshrc file in the root directory by adding a few # comment lines to it. Now we run Tripwire and see what happens:

    ./tripwire -c ./tw.config.sunos5 -d ./tw.db_secu.unix.com

    Tripwire(tm) ASR (Academic Source Release) 1.3.1
    File Integrity Assessment Software
    (c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
    Security Systems, Inc. All Rights Reserved. Use Restricted to
    Authorized Licensees.
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ./tripwire: /.profile: No such file or directory
    ./tripwire: /kernel/unix: No such file or directory
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ###                     Total files scanned:            4437
    ###                           Files added:              1
    ###                           Files deleted:            0
    ###                           Files changed:            1
    ###
    ###                     Total file violations:          2
    ###
    added:   -rw-r--r-- root            0 Jul  3 18:45:31 2000 /goadd
    changed: -rw-r--r-- root          669 Jul  3 18:46:15 2000 /.cshrc
    ### Phase 5:   Generating observed/expected pairs for changed files
    ###
    ### Attr        Observed (what it is)         Expected (what it should be)
    ### =========== ============================= =============================
    /.cshrc
          st_size: 669                           668
         st_mtime: Mon Jul  3 18:46:15 2000      Mon Jul  3 09:00:41 2000
         st_ctime: Mon Jul  3 18:46:15 2000      Mon Jul  3 09:00:41 2000
       md5 (sig1): 3z9gKjlZGq5GbeWOxpYaF9        1Z7K0n3ZKAyuPpAZB1G8uq
    snefru (sig2): 1vCDeMR45lpRCChmDithiW        1oRYPpQ:oZA6hVx6Zi4.NG

We can see that the run goes through five phases. First it reads the configuration file; second it generates the file list, reporting files that are named in the configuration but do not actually exist; third it builds the file information database; fourth it searches for inconsistencies and reports them. A total of 4437 files were scanned, of which one was newly added and one changed, and it lists both of them: the very files we tampered with! In the fifth phase Tripwire lists, for each changed file, the observed size, modification time, inode change time, MD5 and Snefru signatures next to the values recorded in the database. Isn't that neat?

What is described above is the main function of Tripwire. Typing tripwire -h on the command line shows the other options; interested administrators may wish to try them.

The Tripwire Product Line

Tripwire HQ Connector Bundle. The HQ Connector bundle is comprised of Tripwire's award-winning file integrity software, Tripwire version 2.2.1, and a communications agent that allows the software engine to "talk" to the Tripwire HQ Manager. Tripwire provides support for multiple platforms, including Windows NT, Solaris, Linux, HP-UX, IBM AIX and others. With the Tripwire HQ Connector bundle, you can unequivocally answer the question: is my data the same today as it was yesterday? This information will help you keep your system in optimal working order and manage any changes, malicious or inadvertent, giving you complete control over data integrity.

Tripwire HQ Manager. HQ Manager is a software console with a graphical user interface that allows you to control hundreds of installations of HQ Connector. Named HQ Manager because it is designed to operate as your information integrity headquarters, this product provides you with the very best way to manage data integrity across an enterprise network from a single, centralized location.

Tripwire 2.2.1 for Linux. With all the same great features as Tripwire 2.2.1 for other operating systems, Tripwire for Linux is available as a free download (without the agent that communicates with HQ Manager). In support of the open source community, Tripwire plans to release an open source version of this product this fall. For more information and future announcements about the open source release, check out www.tripwire.org.

Tripwire Academic Source Release 1.3.1. With only slight changes, the Tripwire Academic Source Release (ASR) version 1.3.1 is the same as the original Tripwire software that was developed in 1992 by Dr. Eugene Spafford and Tripwire CTO Gene Kim. Tripwire offers this version as a free download, but does not provide product support for it.
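As an added example (not Tripwire's own code and not part of this article), the following Python script implements the mechanism described in section 2 and step 2: a database-generation pass that records the tw.config attributes (p, i, n, u, g, s, a, m, c, 1, 2) for every monitored path using the R/L/N/E templates quoted above, and an integrity-check pass that reports added, deleted and changed files as observed/expected pairs. It replays the step-5 test on a constructed scratch directory, adding goadd and editing .cshrc, and additionally puts the file's old mtime back the way the `touch -r` trick from the timestamp demonstration would, to show that the size and signatures still expose the change. SHA-256 and BLAKE2b stand in for MD5 and Snefru, starting each mask from an empty attribute set is a simplification of Tripwire's defaults, and all paths and file contents are constructed.

```python
"""Minimal Tripwire-style integrity checker (added example, not Tripwire's code).

Database generation records attributes and two digests per monitored path;
the integrity check rebuilds them and reports added, deleted and changed
files as observed/expected pairs. Attribute letters and templates are the
ones from tw.config on the page; SHA-256 and BLAKE2b stand in for MD5/Snefru.
"""
import hashlib
import json
import os
import stat
import tempfile

# p mode, i inode, n links, u uid, g gid, s size, a atime, m mtime,
# c inode change time, 1/2 the two signatures
ALL_ATTRS = "pinugsamc12"

# Templates as listed in the page's tw.conf.sunos5 comment block
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sam12",
             "N": "+pinusgsamc12", "E": "-pinusgsamc12"}


def parse_mask(mask):
    """Expand '+pinugsm12-a' into the set of attributes to compare: '+'
    selects and '-' ignores the letters after it. Starting from an empty
    set is a simplification of Tripwire's own defaulting (assumption)."""
    selected, mode = set(), "+"
    for ch in mask:
        if ch in "+-":
            mode = ch
        elif ch in ALL_ATTRS:
            if mode == "+":
                selected.add(ch)
            else:
                selected.discard(ch)
        else:
            raise ValueError(f"unknown attribute letter {ch!r}")
    return selected


def file_record(path):
    """Attributes and signatures of one path; symlinks are not followed."""
    st = os.lstat(path)
    rec = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
           "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
           "a": st.st_atime_ns, "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        rec["1"] = hashlib.sha256(data).hexdigest()
        rec["2"] = hashlib.blake2b(data).hexdigest()
    return rec


def build_database(entries):
    """Database generation mode. entries: [(path, template-or-mask), ...];
    directories are walked recursively and every child inherits the mask."""
    files = {}
    for top, mask in entries:
        attrs = sorted(parse_mask(TEMPLATES.get(mask, mask)))
        paths = [top]
        if os.path.isdir(top):
            for root, dirs, names in os.walk(top):
                paths += [os.path.join(root, n) for n in dirs + names]
        for p in paths:
            files[p] = {"attrs": attrs, "rec": file_record(p)}
    return {"entries": [list(e) for e in entries], "files": files}


def save_database(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh)


def load_database(path):
    with open(path) as fh:
        return json.load(fh)


def check(db):
    """Integrity check mode: rebuild the records and diff against db.
    'changed' holds (path, attribute, observed, expected) tuples."""
    old, new = db["files"], build_database(db["entries"])["files"]
    report = {"added": sorted(set(new) - set(old)),
              "deleted": sorted(set(old) - set(new)), "changed": []}
    for path in sorted(set(old) & set(new)):
        expected, observed = old[path]["rec"], new[path]["rec"]
        for attr in old[path]["attrs"]:
            if attr in expected and expected[attr] != observed.get(attr):
                report["changed"].append((path, attr, observed.get(attr), expected[attr]))
    return report


def demo():
    """Replays step 5 of the page on constructed input: add 'goadd', append a
    comment to '.cshrc', then put the old mtime back the way `touch -r`
    would. Returns (scratch directory, report)."""
    root = tempfile.mkdtemp()
    cshrc = os.path.join(root, ".cshrc")
    with open(cshrc, "w") as fh:
        fh.write("setenv PATH /usr/bin\n")
    dbfile = os.path.join(tempfile.mkdtemp(), "tw.db")  # kept outside the tree
    save_database(build_database([(root, "R")]), dbfile)

    with open(os.path.join(root, "goadd"), "w"):
        pass
    before = os.stat(cshrc)
    with open(cshrc, "a") as fh:
        fh.write("# comment added after the database was built\n")
    os.utime(cshrc, ns=(before.st_atime_ns, before.st_mtime_ns))
    return root, check(load_database(dbfile))


if __name__ == "__main__":
    root, report = demo()
    for key in ("added", "deleted"):
        for p in report[key]:
            print(f"{key}: {p}")
    for path, attr, observed, expected in report["changed"]:
        print(f"changed: {path} {attr}: observed {observed!r} expected {expected!r}")
```

Under the R template the restored mtime makes the m attribute match again, so the report for .cshrc lists only s, 1 and 2; that is the point of keeping signatures rather than timestamps in the database. Switching the entry to the N template adds the c attribute, which the kernel updates on every write regardless of what touch does.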
