For UNIX administrators, the security of the host has always been a concern. On one side the administrator works hard at applying patches and installing software and hardware firewalls; on the other, vulnerabilities in UNIX operating systems are discovered and published all the time on security lists such as BugTraq, so in absolute terms there is no secure host on the Internet. Getting into a host through a vulnerability is usually only the first step, though. To get more, such as the superuser password or the database password, the intruder usually has to do further work, and the most convenient and effective way is to trojan files on the host: plant a listener, replace key files, edit the trusted-host files, set up SUID files, and so on.

Some administrators check file integrity with their own commands, for example by looking at the timestamp of a file, but this is hardly reliable: an experienced intruder can easily change the time a file appears to have been created. Interested administrators can try the following. Generate a .rhosts file and look at its time:

    # echo " " > /.rhosts
    # ls -l /.rhosts
    -rw-r--r--   1 root     other          4 Jul  2 16:45 /.rhosts

Good. Now what happens here?

    # touch -r /bin/sh /.rhosts
    # ls -l /.rhosts
    -rw-r--r--   1 root     other          4 Apr  5 16:32 /.rhosts

The timestamp has changed: the file has turned into an "old" one, which is likely to escape the administrator's notice. Another example: the intruder replaces the su binary with a trojaned su that reads the password, records it, and then passes control to the real su program. The password leaks in a way the administrator never intended, and UNIX is complicated enough that this is hard to find. Tripwire is the classic tool for this problem and the best-known integrity checker for UNIX systems.
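To make the point concrete, here is an added example (my own code, not from the article) that replays the touch -r trick on a scratch file and compares what a timestamp check sees with what a content signature sees. The file names and the "old" timestamp are constructed stand-ins for the article's /bin/sh and /.rhosts; os.utime plays the part of touch -r.

```python
"""Added example, not code from the article: why checking a file's timestamp
is not an integrity check. A scratch file is baselined by mtime, size and
MD5, then altered and given its old mtime back the way `touch -r` does
(os.utime copies the reference file's times). Only the content signature
still notices the change; ctime is recorded too because utime() cannot set it."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed "old" timestamp in the spirit of the article's ls output
OLD_NS = int(datetime(2000, 7, 2, 16, 45, tzinfo=timezone.utc).timestamp()) * 10**9


def md5_of(path):
    """Hex MD5 of the file contents (Tripwire ASR's signature 1)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """The attributes a naive check (mtime) and Tripwire (size, signature) rely on."""
    st = os.stat(path)
    return {"mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            "size": st.st_size, "md5": md5_of(path)}


def touch_r(target, reference):
    """Same effect as `touch -r reference target`: copy atime and mtime."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def unchanged(before, after):
    """Map each recorded attribute to True when the two snapshots agree."""
    return {k: before[k] == after[k] for k in before}


def run_demo():
    """Baseline a file, alter it, reset its mtime, and report which attributes
    still look unchanged. Uses a temporary directory instead of / and /bin/sh."""
    with tempfile.TemporaryDirectory() as d:
        reference = os.path.join(d, "sh")      # stands in for the article's /bin/sh
        target = os.path.join(d, "rhosts")     # stands in for /.rhosts
        with open(reference, "w") as f:
            f.write("#!/bin/sh\n")
        os.utime(reference, ns=(OLD_NS, OLD_NS))  # make the reference look old
        with open(target, "w") as f:
            f.write(" \n")
        touch_r(target, reference)
        baseline = snapshot(target)            # what the administrator recorded
        with open(target, "a") as f:           # the file is altered later...
            f.write("extra line\n")
        touch_r(target, reference)             # ...and its mtime put back
        return unchanged(baseline, snapshot(target))


if __name__ == "__main__":
    for attr, same in run_demo().items():
        print("%-9s %s" % (attr, "looks unchanged" if same else "CHANGED"))
```

The mtime comparison still passes after the change while size and MD5 fail, which is exactly the gap Tripwire closes. ctime is listed as well because utime() updates it rather than setting it, so a ctime check (Tripwire's c attribute) also notices unless the system clock itself is tampered with.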
The core of the technique is to generate a digital signature for every file to be monitored and keep it. When a file's current signature no longer matches the stored one, the file must have changed. As to what is monitored, the Tripwire configuration file lets the administrator select, according to the documentation:

    access permissions and file mode settings, including effective execution settings
    inode number in the file system
    number of links
    user ID of the owner
    group ID of the group of users to which access may be granted
    size of the item
    date and time the item was last accessed
    date and time of the last modification made to the item
    creation date and time associated with the item's inode

So the range of file attributes Tripwire manages is very wide.
2: How Tripwire works

When Tripwire runs in database generation mode it reads the files to be monitored according to a configuration file written by the administrator, generates a digital signature for each file and stores the results in its own database. By default the signatures are produced with two hash functions, MD5 and Snefru (Xerox's secure hash function). The administrator can also choose other hash functions such as MD4, CRC32 or SHA, but the two defaults are highly reliable; because MD5 and especially Snefru consume a fair amount of system resources, the administrator can decide per file, according to its importance, which signatures to compute. When the system has been broken into, the administrator runs a Tripwire signature comparison: if a file has been replaced, its signature no longer matches the one in the Tripwire database, Tripwire reports the file as changed, and the administrator knows the system is no longer "clean".

One point to note: the whole mechanism rests on the signatures in the database. If the database cannot be trusted, all the work is lost, so once Tripwire has generated the database the safety of that file is extremely important. The common practice is to keep the database file, the Tripwire binary and the configuration file on media that can be locked, such as a floppy disk: copy the files to the floppy, close the write-protect tab and lock the disk in a safe. Besides floppies, write-once media such as CD-R are a good choice too, so that even if the intruder gets hold of the disc its contents cannot be altered. Alternatively, signing the key files with an encryption tool such as PGP is also a good option.
Of course, when the administrator changes some files, Tripwire's database must be updated. Tripwire takes this into account and has four working modes: database generation, integrity check, database update and interactive update. When the administrator has made changes, the database update mode is run to generate a new database file.

3: Downloading Tripwire and preparing for installation

Tripwire supports the vast majority of UNIX operating systems. Installing it requires a compilation environment, such as gcc or cc, as well as decompression tools such as gzip and gunzip. Administrators can get these tools from the appropriate sites; they are not discussed here. Tripwire itself can be obtained from www.tripwire.com: on the home page you can see that Tripwire 1.3 ASR is currently available as a free download, so download it.

4: Installing Tripwire

After unpacking Tripwire, look at its directory structure; it is recommended to read the README file in the root directory first to get an overall picture of Tripwire. Then we can install the software step by step.
Step 1: Match the host environment

In the root of the Tripwire tree there is a file named Ported, which describes the supported systems and their related settings. The administrator needs to open this file and find the entry for their system. The test environment for this article is Solaris 2.6, so we excerpt the relevant part:

    Vendor:     Sun Microsystems, Inc.
    OS:         SunOS
    OS Version: 5.x (Solaris 2.x)
    Compiler:   cc
    CFLAGS:     -O
    LDFLAGS:
    LIBS:
    conf.h:     conf-svr4.h
    tw.config:  tw.conf.sunos5
    Notes:

In this block, pay particular attention to the conf.h and tw.config lines: the files they name are needed in the next steps. Note that the files differ for each operating system.

Step 2: Configure the monitoring targets

Enter the include directory and edit config.h. Write the file name and path given by the conf.h line of step 1 into the #include section at the start of config.h; in this example it is

    #include "../configs/conf-svr4.h"

config.h also sets the path of the Tripwire configuration file, the path where the Tripwire database file is placed and the file name of the generated database; the administrator can edit these as they prefer. After config.h, the Tripwire configuration file in the configs directory has to be modified for this host; it is the file named on the tw.config line of the Ported file, here tw.conf.sunos5. The monitoring of files and directories is set here. Let us look at part of this file:

    #  -: ignore the following attributes
    #  +: do not ignore the following attributes
    #
    #  p: permission and file mode bits        a: access timestamp
    #  i: inode number                         m: modification timestamp
    #  n: number of links (ref count)          c: inode creation timestamp
    #  u: user id of owner                     1: signature 1
    #  g: group id of owner                    2: signature 2
    #  s: size of file

The letters p, i, n, u, g, s, a, c, 1, 2 and so on are the monitoring items that can be set for files and directories; the administrator uses them with a leading + or - to select or ignore these attributes. For example, the entry

    /var    +pinusm12-a

means that every file under /var is checked for the attributes in the mask (permission bits, inode number, link count, owner, size, modification time and the two signatures), while access time is not monitored: if access were monitored, every ordinary user reading a file in this directory would be reported by Tripwire, which is unnecessary. For convenience the Tripwire authors provide templates for the common combinations:

    #  templates: (default)  R :  [R]ead-only         (+pinusm12-a)
    #                        L :  [L]og file          (+pinug-sam12)
    #                        N :  ignore [N]othing    (+pinusgsamc12)
    #                        E :  ignore [E]verything (-pinusgsamc12)

Further down, tw.conf.sunos5 is where the administrator fills in, according to the situation, the files and directories that need monitoring, giving each one its attribute mask. For example:

    /                     R
    /.rhosts              R   # may not exist
    /.profile             R   # may not exist
    /etc/dfs/dfstab       R
    /etc/hosts.equiv      R
    /etc/inet/inetd.conf  R
    /etc/inet/protocols   R
    /etc/inet/services    R
    /etc/init.d           R
    /etc/motd             L
    #/etc/named.boot      R   # may not exist
    /etc/opt              R
    /etc/passwd           L
    /etc/profile          R

Step 3: Compile

After these two steps you can compile. In the Tripwire root directory run make and the build proceeds automatically. Once it succeeds you can run make test, and Tripwire checks the compiled program and its working state with a series of tests, part of which we show:

    === test.update.sh: DESCRIPTION
    This shell script exercises all the Tripwire integrity checking and database update functionalities.
    === test.update.sh: setting up auxiliary scripts ===
    === test.update.sh: BEGIN ===
    ../src/tripwire -loosedir -c /tmp/twtest/tw.config -d /tmp/twtest/tw.db -i all
    === test.update.sh: testing growth (safe) files ===
    === test.update.sh: testing growth (unsafe) files ===
    === test.update.sh: testing added files ===
    === test.update.sh: testing deleted files ===
    === test.update.sh: testing changed files ===
    === test.update.sh: testing input schemes ===
    === test.update.sh: tw.config from stdin ===
    === test.update.sh: database from stdin ===
    === test.update.sh: testing complex update case ===
    === test.update.sh: changed ignore-mask (update file) ===
    === test.update.sh: changed ignore-mask (update entry) ===
    === test.update.sh: testing updated files (7 cases) ===
    === test.update.sh: case 1: update: add new file ===
    === test.update.sh: case 2: update: delete file ===
    === test.update.sh: case 3: update: update file ===
    === test.update.sh: case 4: nonsense case (skipping) ===
    === test.update.sh: case 6: update: delete entry ===
    === test.update.sh: case 5: update: add entry ===
    === test.update.sh: case 7: update: update entry ===
    === test.update.sh: PASS ===

We can see that Tripwire's update functions are exercised by the tests, and the final PASS after all the test items means the build is OK.

Step 4: Generate the database

With Tripwire compiled successfully, we are ready to scan the files to be monitored and generate the Tripwire database. In Tripwire's src directory run

    # ./tripwire -init

and the system scans and generates the database according to the settings in tw.conf.sunos5. The path of the database file was set in config.h in step 2, in this case /var/tripwire, where we get a database file named tw.db_secu.unix.com. It is recommended to copy the Tripwire executable, the database file and the configuration file to a floppy disk or similar and keep it in a safe place; when an integrity check is needed, Tripwire can then be run directly from the floppy.

Step 5: Test

With the database generated, let us test it. First create a file named goadd under / with touch, then edit the .cshrc file in the root directory and add a few # comment lines inside it. Then run Tripwire and see what happens:

    # ./tripwire -c ./tw.config.sunos5 -d ./tw.db_secu.unix.com

    Tripwire(tm) ASR (Academic Source Release) 1.3.1
    File Integrity Assessment Software
    (c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire Security
    Systems, Inc. All Rights Reserved. Use Restricted to Authorized Licensees.
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ./tripwire: /.profile: No such file or directory
    ./tripwire: /kernel/unix: No such file or directory
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ###                     Total files scanned:            4437
    ###                           Files added:              1
    ###                           Files deleted:            0
    ###                           Files changed:            1
    ###
    ###                     Total file violations:          2
    ###
    added:   -rw-r--r-- root          0 Jul  3 18:45:31 2000 /goadd
    changed: -r--r--r-- root        669 Jul  3 18:46:15 2000 /.cshrc
    ### Phase 5:   Generating observed/expected pairs for changed files
    ###
    ### Attr        Observed (what it is)         Expected (what it should be)
    ### =========== ============================= =============================
    /.cshrc
          st_size: 669                           668
         st_mtime: Mon Jul  3 18:46:15 2000      Mon Jul  3 09:00:41 2000
         st_ctime: Mon Jul  3 18:46:15 2000      Mon Jul  3 09:00:41 2000
       md5 (sig1): 3Z9GKJLZGQ5GBEWOXPYAF9        1Z7K0N3ZKAYUPPAZB1G8UQ
    snefru (sig2): 1VCDEMR45LPRCCCHMDITHIW       1ORYPPQ: Oza6HVX6zi4.ng

The run goes through five phases: first the configuration file is read; then the list of files to monitor is generated from it, and configured files that do not exist are reported; the third phase builds the file information database; the fourth reports the results of the check; the fifth prints, for each changed file, the observed value of every differing attribute next to the expected one. We see that 4437 files in total were scanned, one file was added and one file changed.
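To tie together the working principle of section 2, the tw.config masks of step 2 and the report above, here is an added example (my own code, not the article's and not Tripwire's) of a small checker built on the same design: parse path/mask entries, build a database of attributes and signatures, then report added, deleted and changed items with observed/expected pairs. The template masks are the Tripwire ASR defaults as I remember them and should be checked against your own tw.config; SHA-256 stands in for Snefru, which hashlib does not provide; the scratch tree, file contents and the edits made in demo() are all constructed.

```python
"""Added example, not code from the article or from Tripwire: a small tw.config-driven
integrity checker built on the principle the article describes. Entries are "path mask";
a mask is a template letter (R/L/N/E) or attribute letters p i n u g s a m c 1 2 after
+ (check) or - (ignore). sig1 is MD5 as in Tripwire ASR; sig2 is SHA-256 for Snefru."""
import hashlib
import os
import shutil
import tempfile

ATTRS = "pinugsamc12"
# Assumption: Tripwire ASR's default templates as I remember them; verify against your tw.config.
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sam12",
             "N": "+pinusgsamc12", "E": "-pinusgsamc12"}


def parse_mask(mask):
    """Attribute letters to check; letters a mask never mentions are not checked."""
    checked, sign = set(), "+"
    for ch in TEMPLATES.get(mask, mask):
        if ch in "+-":
            sign = ch
        elif ch in ATTRS:
            checked.add(ch) if sign == "+" else checked.discard(ch)
        else:
            raise ValueError("unknown attribute %r in mask %r" % (ch, mask))
    return checked


def parse_config(text):
    """tw.config-style lines: '#' starts a comment, a missing mask means R."""
    rows = [line.split("#", 1)[0].split(None, 1) for line in text.splitlines()]
    return [(r[0], r[1].strip() if len(r) > 1 else "R") for r in rows if r]


def digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()


def attributes(path):
    """One database record: letter -> value; signatures only for regular files."""
    st = os.lstat(path)
    rec = {"p": oct(st.st_mode), "i": st.st_ino, "n": st.st_nlink, "u": st.st_uid, "g": st.st_gid,
           "s": st.st_size, "a": st.st_atime_ns, "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    if os.path.isfile(path) and not os.path.islink(path):
        rec["1"], rec["2"] = digest(path, "md5"), digest(path, "sha256")
    return rec


def expand(entries):
    """Every covered path -> its check set; directories are walked, later entries win."""
    targets = {}
    for root, mask in entries:
        checked = parse_mask(mask)
        targets[root] = checked
        if os.path.isdir(root) and not os.path.islink(root):
            for d, dirs, files in os.walk(root):
                for name in dirs + files:
                    targets[os.path.join(d, name)] = checked
    return targets


def init_database(entries):
    """Database generation mode (the article's `tripwire -init`)."""
    return {p: attributes(p) for p in expand(entries) if os.path.lexists(p)}


def check(entries, db):
    """Integrity check mode: added/deleted/changed, with (observed, expected) pairs."""
    targets = expand(entries)
    report = {"added": [], "deleted": [p for p in db if not os.path.lexists(p)], "changed": {}}
    for path, checked in targets.items():
        if not os.path.lexists(path):
            continue
        if path not in db:
            report["added"].append(path)
            continue
        now, old = attributes(path), db[path]
        diffs = {a: (now.get(a), old.get(a)) for a in checked if now.get(a) != old.get(a)}
        if diffs:
            report["changed"][path] = diffs
    return report


def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a scratch tree, then edit a read-only file
    without changing its size, let a log grow, add one file and delete one."""
    d = tempfile.mkdtemp()
    try:
        etc = os.path.join(d, "etc")
        os.mkdir(etc)
        for name, body in {"passwd": "root:x:0:0::/:/bin/sh\n", "hosts.equiv": "trusted\n",
                           "motd": "welcome\n"}.items():
            write(etc + "/" + name, body)
        entries = parse_config("%s\tR\n%s\tL\t# log: allowed to grow\n" % (etc, etc + "/motd"))
        db = init_database(entries)
        write(etc + "/passwd", "root:*:0:0::/:/bin/sh\n")  # same-length edit: size cannot tell
        write(etc + "/motd", "maintenance tonight\n", "a")  # legitimate growth of a log file
        write(etc + "/goadd", "")                           # new file, as in the article's test
        os.remove(etc + "/hosts.equiv")
        rep, rel = check(entries, db), lambda p: os.path.relpath(p, d)
        return {"added": sorted(map(rel, rep["added"])), "deleted": sorted(map(rel, rep["deleted"])),
                "changed": {rel(p): diffs for p, diffs in rep["changed"].items()}}
    finally:
        shutil.rmtree(d)
```

In demo() the passwd edit keeps the byte count, so only the signatures (and mtime) reveal it, the motd entry under the L template grows without being reported, and goadd and hosts.equiv come back as added and deleted, matching the phase 4 categories of the report above. The etc directory itself may also be listed as changed, since adding and removing entries updates its modification time, which is how Tripwire behaves for directories too.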