10/06
Presentation Outline
Tripwire
Ellen's Challenge
Checking Techniques
Selection Mask
Example: +pinugsm12-a
  u   user id
  i   inode number
  g   group id
  m   modification timestamp
  2   signature 2
  a   access timestamp
(Diagram) The newly generated database is compared with the old database; the ignore-masks from the tw.config file are applied, and the result is the Tripwire report.
Signature Support
Supported Platforms
Sample Output
### Phase 1:
### Phase 2:
### Phase 3:
### Phase 4:
###
5143
0
0
5
Conclusion
Portable
Self-contained
Adaptable to large and small sites
Very restricted in what it sees -- only OS attribute changes of files
It has no clue as to what users are actually doing!
The End
Templates
read-only files: Only the access timestamp is ignored.
log files: Changes to the file size, access and modification timestamp, and signatures are ignored.
growing log files: Same flags as log files, except increasing file sizes are ignored.
ignore nothing
ignore everything
Example tw.config
# file/dir      selection-mask
/etc            R           # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                    # except for SVR4 printer logs
@@endif
/etc/passwd     R+12        # you can't be too careful
/etc/mtab       L           # dynamic files
/etc/motd       L
/etc/utmp       L
=/var/tmp       R           # only the directory, not its contents
Stealth-Tripwire
Paranoia
Portability
Configurability Aids
Prefixes in tw.config allow pruning: a directory and/or its contents can be excluded from monitoring.
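As an added worked example (not code from Tripwire itself), the following Python resolves selection masks such as the +pinugsm12-a on the Selection Mask slide, together with the templates and the "!" and "=" prefixes used in the example tw.config, and then applies a mask to an old and a new database entry. The flag letters follow the Selection Mask slide; the template letters N, E and ">", and R as the default mask, are assumptions of this example, and the sample configuration is constructed from the example tw.config.

```python
ATTRS = "pinugsam12"   # p perms, i inode, n links, u uid, g gid, s size, a atime, m mtime, 1/2 sigs
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sam12", ">": "+pinug>-sam12",
             "N": "+pinugsam12", "E": "-pinugsam12"}
# R read-only (only atime ignored), L log file (size, times, sigs ignored), > growing log
# (like L, but a shrinking size is reported), N/E ignore nothing/everything; N, E, > assumed.

def resolve_mask(mask):
    # A leading template letter supplies the starting set; '+'/'-' runs adjust it.
    template, rest = (mask[0], mask[1:]) if mask[:1] in TEMPLATES else (None, mask)
    checked, sign = (resolve_mask(TEMPLATES[template]) if template else set()), "+"
    for ch in rest:
        if ch in "+-":
            sign = ch
        elif ch in ATTRS + ">":
            (checked.add if sign == "+" else checked.discard)(ch)
        else:
            raise ValueError("unknown selection flag %r in %r" % (ch, mask))
    return checked

def compare_entry(mask, old, new):
    # Changed attributes the mask does not ignore; '>' reports only a shrinking size.
    checked, changed = resolve_mask(mask), []
    for flag in (f for f in ATTRS if old.get(f) != new.get(f)):
        if flag == "s" and ">" in checked:
            if new["s"] < old["s"]:
                changed.append("s")
        elif flag in checked:
            changed.append(flag)
    return changed

def parse_config(text, hostname):
    # Yield (prefix, path, mask) for the entries active on this host.
    active = True
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                 # drop comments
        if line.startswith("@@ifhost"):
            active = line.split()[1] == hostname
        elif line == "@@endif":
            active = True
        elif line and active:
            path, mask = (line.split() + ["R"])[:2]          # R assumed as the default
            prefix = path[0] if path[0] in "!=" else ""      # '!' excludes, '=' dir only
            yield prefix, path[len(prefix):], mask

SAMPLE_CONFIG = """/etc R          # all files under /etc (constructed from the slide's example)
@@ifhost solaria.cs.purdue.edu
!/etc/lp                # except for SVR4 printer logs
@@endif
=/var/tmp R             # only the directory, not its contents
"""
```

Note that resolve_mask("R+12") yields the same flag set as "R", which is why the slide's "+12" on /etc/passwd is harmless but redundant.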
Good News