Forensics: Tripwire Project Report
Conor Harris, Parth Jagirdar, Zheng Fang


What We’ve Done
Setup Tripwire
  ▫ yum install tripwire
  ▫ twadmin -m G -S ./site.key
  ▫ twadmin -m G -L ./$HOSTNAME-local.key
Configure Policy
  ▫ Remove all “file/dir not exists” warnings
  ▫ Change “scan the individual reports” to “yes”
  ▫ Add rule: check ‘/’ recursively, mode=SEC_CRIT
  ▫ Remove all rules that conflict with the added rule

What We’ve Done (Cont.)
Initialize
  ▫ twadmin --create-cfgfile -S site.key twcfg.txt
  ▫ twadmin --create-polfile -S site.key twpol.txt
  ▫ delete twcfg.txt and twpol.txt
  ▫ chmod 0600 tw.cfg tw.pol
  ▫ tripwire --init
Backup
  ▫ key, cfg, pol, database

Alert
Policy File is NOT Secure!!!
  ▫ Even if “twpol.txt” is deleted, the policy can be retrieved with “twadmin --print-polfile” without any passphrase: signing protects tw.pol against tampering, not against reading.
Of course, we’ve got all the others’ policy files and did a little analysis.

Damages Made on All
Create /media/canyouseeme
Create /lost+found/.history
Change modification time of /etc/yp.conf to "05:27:09"
Change file /var/log/maillog
  ▫ change a "localhost" to "l0calhost" and keep the original modification time

+Damage Made on
Add 'cat' to /var/lib/tripwire/report/ twr
chmod 777 /etc/X11
Installed Kate

+Damage Made on
Add 'cat' to /var/lib/tripwire/report/ twr
chmod 777 /etc/X11

+Damage Made on
Change modification time of /var/log/samba/old to "05:27:09"
Change a "session" to "s3ssion" in /var/log/secure and keep the original modification time
Change "=" to "-" in /etc/xml/catalog
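The edits above that rewrite a log line but put the original modification time back are exactly the case a timestamp-only check misses. The following script is an added example, not code from the project report: it takes a Tripwire-style baseline (size, mtime and SHA-256) of a constructed directory tree, performs a same-length "localhost" to "l0calhost" edit that restores the file's mtime, and compares the snapshots once with and once without the content hash. The sample log content and paths are constructed for the demo.

```python
"""Baseline-and-verify file check in the spirit of a Tripwire database compare.

Added example, not code from the project report. It shows why an edit that
rewrites content but restores the original modification time is still caught
when the baseline records a content hash, and missed when only size and mtime
are compared.
"""
import hashlib
import os
import tempfile

# Constructed sample content standing in for /var/log/maillog.
SAMPLE_LOG = (
    b"Jan 26 05:27:09 localhost sendmail[1234]: message queued\n"
    b"Jan 26 05:27:10 localhost sendmail[1234]: message sent\n"
)

ALL_ATTRS = ("size", "mtime_ns", "sha256")


def sha256_of(path):
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size, mtime (ns) and SHA-256 of every regular file under root.

    Keys are root-relative paths with '/' separators.
    """
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink is not a regular file; skipped here
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = {"size": st.st_size,
                       "mtime_ns": st.st_mtime_ns,
                       "sha256": sha256_of(path)}
    return db


def compare(baseline, current, attrs=ALL_ATTRS):
    """Map each added, removed or changed path to what differs.

    attrs limits which recorded attributes are compared, so the same
    snapshots can be checked with and without the content hash.
    """
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings[rel] = ["added"]
        elif rel not in current:
            findings[rel] = ["removed"]
        else:
            changed = [a for a in attrs if baseline[rel][a] != current[rel][a]]
            if changed:
                findings[rel] = changed
    return findings


def tamper_keeping_mtime(path, old, new):
    """Replace one byte string in a file, then put the old atime/mtime back."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(data.replace(old, new, 1))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Run the scenario in a temporary tree.

    Returns the findings of a hash-aware compare and of a size+mtime-only
    compare over the same before/after snapshots.
    """
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "var", "log", "maillog")
        os.makedirs(os.path.dirname(log))
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG)
        before = snapshot(root)
        tamper_keeping_mtime(log, b"localhost", b"l0calhost")
        after = snapshot(root)
        return {
            "with_hash": compare(before, after),
            "mtime_only": compare(before, after, attrs=("size", "mtime_ns")),
        }


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or "no changes detected")
```

Tripwire's rule masks behave the same way: a mask that keeps hash properties (the default SEC_CRIT mask used in the policy above retains MD5 and CRC-32) reports this edit, while a mask reduced to timestamps and size would stay silent.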

Changes Found on Our Machine
All files in “/etc/tripwire” are gone
  ▫ rm -f *.*
“localhost.localdomain.twd” changed
  ▫ add “forensics”
“.bash_profile” changed
  ▫ add “/tmp/ttyconsole&”
Create shortcut ./cdrom
  ▫ ln -s /usr/bin/./cdrom
Added a new user called “helpless”
  ▫ useradd helpless

Changes Found on Our Machine (Cont.)
Installed airsnort.i386 and all of its dependencies
  ▫ yum install airsnort.i386
Changed permissions on the etc directory to 757
  ▫ chmod 757 etc/
Made directory /root/.enlightenment
Added file /root/.enlightenment/.IgnoreMe!
  ▫ wrote the date to this file

Changes Found on Our Machine (Cont.)
Installed lrk4 and all of its dependencies
Added /var/tmp/...
Added /var/tmp/.../....
Added /etc/...
Added /etc/.../....
Added /tmp/...
Added /tmp/.../....
Added /tmp/tty-console
Added /tmp/..
Added /...
Added /.../....

Changes Found on Our Machine (Cont.)
Added: /home/...
Added: /home/.../....
Added: /home/user1/...
Added: /home/user1/.../....
Added: /var/lib/tripwire/report/...
Added: /var/lib/tripwire/report/.../....
Added fake report: /var/lib/tripwire/report/localhost.localdomain twr
Added fake report: /var/lib/tripwire/report/.localhost.localdomain twr

Changes Found on Our Machine (Cont.)
Added: /root/.tmp
Added: /root/d
Threw “lrk4.src.tar.gz” into Trash
Deleted: /var/lock/subsys/sendmail
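The inventory above repeats a few naming tricks: directories called "..." and "...." that sit next to the "." and ".." entries of a listing, a dot-prefixed copy of a Tripwire report that a plain ls does not show, and directories left world-writable (chmod 777 /etc/X11, chmod 757 etc/). The scanner below is an added example, not code from the project report; it walks a tree and flags those three patterns, using a constructed sample tree (the report file name in it is made up for the demo) rather than the machines from the exercise.

```python
"""Scan a directory tree for the hiding tricks listed in the inventory above.

Added example, not code from the project report. It flags names made only of
dots ('...', '....'), a dot-prefixed file in the Tripwire report directory,
and directories that are writable by everyone. Paths and the report file
name used by the demo are constructed.
"""
import os
import re
import stat
import tempfile

DOT_ONLY = re.compile(r"^\.{3,}$")  # '.' and '..' never appear in os.walk output
DEFAULT_REPORT_DIR = "var/lib/tripwire/report"


def rel(root, dirpath, name):
    """Root-relative path with '/' separators."""
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")


def scan(root, report_dir=DEFAULT_REPORT_DIR):
    """Return sorted (root-relative path, reason) pairs for suspicious entries."""
    report_abs = os.path.normpath(os.path.join(root, report_dir))
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Entries whose name is nothing but dots blend in with '.' and '..'.
        for name in dirnames + filenames:
            if DOT_ONLY.match(name):
                findings.append((rel(root, dirpath, name), "dot-only name"))
        # A dot-prefixed file where reports live is hidden from a plain 'ls'.
        if os.path.normpath(dirpath) == report_abs:
            for name in filenames:
                if name.startswith("."):
                    findings.append((rel(root, dirpath, name),
                                     "hidden file in report directory"))
        # Directories with the o+w bit set, as left by chmod 777 / chmod 757.
        for name in dirnames:
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                findings.append((rel(root, dirpath, name),
                                 "world-writable directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed tree that mirrors the findings in the report."""
    for d in ["etc/X11", "tmp/...", "tmp/.../....", "home/user1",
              DEFAULT_REPORT_DIR]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    # Pin every directory to 0755 first so the result does not depend on umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "etc/X11"), 0o777)  # the chmod 777 /etc/X11 change
    # Constructed report name; real Tripwire reports are named by host and time.
    report = "localhost.localdomain-20040126-052709.twr"
    for f in ["home/user1/notes.txt",
              DEFAULT_REPORT_DIR + "/" + report,
              DEFAULT_REPORT_DIR + "/." + report]:
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample\n")


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

The clean entry home/user1/notes.txt and the visible report produce no finding; on a real system the scan would be run from / with report_dir pointing at the path named in tw.cfg, and any hit cross-checked against the Tripwire database rather than trusted on its own.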

Other Changes
Installing programs also modified system logs and configuration files.
Creating a new user also makes the system generate a set of files automatically.
Using the GNOME environment (Firefox, etc.) created and modified many log and configuration files and left material in the cache.