CIS 193A – Lesson 6 Intrusion Detection
Focus Question
What Linux utilities and third-party software are there for detecting an intrusion? What are their pros and cons?
Integrity Checking Linux Commands
  rsync – designed to synchronize a local file hierarchy with a similar remote hierarchy.
  rpm – has a -V (verify) option to verify all files in the package specified (-a verifies all installed packages).
  md5sum – computes a hash of each file which, together with the find and diff commands, can be used to check the integrity of files.
  tripwire – manages an integrity database based upon a written policy.
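The find + md5sum + diff approach from the slide, worked through as an added example (not part of the lesson materials); the function names and the sample files are my own, and it assumes GNU coreutils as found on a typical Linux host.

```shell
#!/bin/sh
# Added example: a baseline-and-compare integrity check built only from
# find, md5sum, sort and diff. sha256sum is a drop-in replacement for
# md5sum and avoids MD5's known collision weakness.

# Record one "hash  path" line per regular file under directory $1 into
# baseline file $2, sorted by path so that a later diff is stable.
make_baseline() {
    find "$1" -type f -exec md5sum {} + | LC_ALL=C sort -k 2 > "$2"
}

# Rebuild the listing for directory $1 and diff it against baseline $2.
# Unlike "md5sum -c", this also reports files that were added or removed.
# Returns 0 if nothing changed, 1 (with the diff on stdout) otherwise.
integrity_check() {
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    if diff "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on a constructed directory: baseline it, alter one file, add another,
# then re-check. The diff shows the old and new hash for the altered file
# and a "+" line for the added one.
demo_dir=$(mktemp -d)
demo_base=$(mktemp)
printf 'original\n' > "$demo_dir/a.conf"
printf 'settings\n' > "$demo_dir/b.conf"
make_baseline "$demo_dir" "$demo_base"
printf 'modified\n' > "$demo_dir/a.conf"   # simulated change to a watched file
printf 'surprise\n' > "$demo_dir/c.conf"   # simulated file that was not there before
if integrity_check "$demo_dir" "$demo_base"; then
    echo "unchanged"
else
    echo "changed: see diff above"
fi
rm -rf "$demo_dir" "$demo_base"

# Caveat: the baseline must live off the host or on read-only media. Anyone
# who can rewrite it after altering files defeats the check, which is the gap
# Tripwire's signed, passphrase-protected database is designed to close.
```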
Tripwire
Install Tripwire and customize the policy file
  rpm -qlp tripwire-*.rpm | more
  rpm -hiv tripwire-*.rpm
  cd /etc/tripwire
  twcfg.txt: set LOOSEDIRECTORYCHECKING=true
  twpol.txt: add to the rule statements and customize them to your files
  tripwire-setup-keyfiles
Choose your passphrases as you sign your files.
Initialize the Tripwire database
  tripwire --init 2> missingfiles
  grep Filename missingfiles | ./fix twpol.txt    # download the fix shell script from opus
  twadmin --create-polfile --site-keyfile site.key twpol.txt
  tripwire --init
  rm *.txt
The database file will now be in /var/lib/tripwire with the name $HOSTNAME.twd
Run a Tripwire integrity check
  tripwire --check
This will generate a report both on stdout and in the directory /var/lib/tripwire/report, with a .twr extension.
The sending of mail messages can be checked with:
  tripwire --test --email root
Examine the Tripwire report file
  twprint --print-report --twrfile filename.twr
twprint can also print out a report of the database itself:
  twprint --print-dbfile --dbfile filename.twd
Update the Tripwire database
  tripwire --update --twrfile latest-report-file.twr
There is an update-policy mode (tripwire --update-policy) as well, for updating the twpol.txt file.
Review
Focus Question
What Linux utilities and third-party software are there for detecting an intrusion? And what are their pros and cons?
Linux has individual utilities such as md5sum for checking the integrity of files. The RPM utility checks for any changes to files installed via an rpm package. The rsync command compares file systems between two different machines. Tripwire is open-source software that securely stores integrity information in a database and notifies the system administrator when any files have been altered, according to a pre-specified policy.