SEG IDS Tripwire

Rafael Garda Maliga

Contents
Objective
What is an IDS?
Implementation
    Installation and configuration of TRIPWIRE
    Configuration for start-up
    Generating the database
    Creating reports

Objective
Install Tripwire and configure it so that no errors are produced with the current configuration. Then modify or delete some configuration file and generate the corresponding report to check that the Tripwire IDS is working.

What is an IDS?
An intrusion detection system (or IDS, from its English initials, Intrusion Detection System) is a program used to detect unauthorized access to a computer or a network. Such access may come from skilled hackers or from script kiddies using automated tools. The IDS usually has virtual sensors (for example, a network sniffer) through which the IDS core obtains external data (generally about network traffic). Using those sensors, the IDS detects anomalies that may indicate the presence of an attack or may be false alarms. Further reading.

Implementation
Installation and configuration of TRIPWIRE
To install the application, open a terminal and run:
# apt-get install tripwire
Wait for the download to finish; the installer then shows a wizard, for which we follow the steps described below:

[Screenshot: mail server configuration dialog shown by the installer]
Please select the mail server configuration type that best meets your needs.
 No configuration: Should be chosen to leave the current configuration unchanged.
 Internet site: Mail is sent and received directly using SMTP.
 Internet with smarthost: Mail is received directly using SMTP or by running a utility such as fetchmail. Outgoing mail is sent using a smarthost.
 Satellite system: All mail is sent to another machine, called a 'smarthost', for delivery.
 Local only:
Selection list: Internet with smarthost / Satellite system
<Ok> <Cancel>

[Screenshot: installer dialog, site key passphrase]
Tripwire uses a pair of keys to sign various files, thus ensuring their unaltered state. By accepting here, you will be prompted for the passphrase for the first of those keys, the site key, during the installation. You are also agreeing to create a site key if one doesn't exist already. Tripwire uses the site key to sign files that may be common to multiple systems, e.g. the configuration & policy files. See twfiles(5) for more information.
Unfortunately, due to the Debian installation process, there is a period of time where this passphrase exists in an unencrypted format. Were an attacker to have access to your machine during this period, he could possibly retrieve your passphrase and use it at some later point. If you would rather not have this exposure, decline here. You will then (rest of the sentence is not visible in the screenshot)
Do you wish to create/use your site key passphrase during installation?
<Yes> <No>

[Screenshot: installer dialog, local key passphrase]
Tripwire uses a pair of keys to sign various files, thus ensuring their unaltered state. By accepting here, you will be prompted for the passphrase for the second of those keys, the local key, during the installation. You are also agreeing to create a local key if one doesn't exist already. Tripwire uses the local key to sign files that are specific to this system, e.g. the tripwire database. See twfiles(5) for more information.
Unfortunately, due to the Debian installation process, there is a period of time where this passphrase exists in an unencrypted format. Were an attacker to have access to your machine during this period, he could possibly retrieve your passphrase and use it at some later point. If you would rather not have this exposure, decline here. You will then (rest of the sentence is not visible in the screenshot)
Do you wish to create/use your local key passphrase during installation?
<Yes> <No>

[Screenshot: installer dialog, configuration file]
Tripwire keeps its configuration in an encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt.
Any changes to /etc/tripwire/twcfg.txt, either as a result of a change in this package or due to administrator activity, require the regeneration of the encrypted database before they will take effect. Selecting this action will result in your being prompted for the site key passphrase during the post-installation process of this package.
Rebuild Tripwire configuration file?
<Yes> <No>

[Screenshot: installer dialog, policy file]
Tripwire keeps its policies on what attributes of which files should be monitored in an encrypted database that is generated, by default, from /etc/tripwire/twpol.txt.
Any changes to /etc/tripwire/twpol.txt, either as a result of a change in this package or due to administrator activity, require the regeneration of the encrypted database before they will take effect. Selecting this action will result in your being prompted for the site key passphrase during the post-installation process of this package.
Rebuild Tripwire policy file?
<Yes> <No>

[Screenshot: "Get site passphrase" dialog]
Tripwire uses two different keys for authentication and encryption of files. The site key is used to protect files that could be used across several systems. This includes the policy and configuration files.
You are being prompted for this passphrase either because no site key exists at this time or because you have requested the rebuilding of the policy or configuration files. Remember this passphrase; it is not stored anywhere!
Enter site-key passphrase: **********
<Ok>

[Screenshot: "Get site passphrase" dialog, confirmation]
Repeat the site-key passphrase to be sure: **********
<Ok>

[Screenshot: "Set local passphrase" dialog]
Tripwire uses two different keys for authentication and encryption of files. The local key is used to protect files specific to the local machine, such as the Tripwire database. The local key may also be used for signing integrity check reports.
You are being prompted for this passphrase because no local key file currently exists. Remember this passphrase; it is not stored anywhere!
Enter local key passphrase: **********
<Ok>

[Screenshot: "Tripwire has been installed" dialog]
The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire. It is strongly advised that these locations be stored on write-protected media (e.g. mounted RO floppy). See /usr/share/doc/tripwire/README.Debian for details.
<Ok>

With this, the installation and configuration through the Tripwire wizard is complete.

Configuration for start-up
Although during installation we have already configured some parameters, such as the passphrases, mail, etc., the service is still not ready for use until a few more points, covered below, have been configured. To continue, the first thing we have to do is initialize the Tripwire database; to do this, enter the following command in the terminal:
# tripwire --init

[Terminal: root@ubuntu: /home/dexter, output of tripwire --init (earlier lines scrolled off)]
### Warning: File system error.
### Filename: /proc/3002/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/3002/fdinfo/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/3002/task/3002/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/3002/task/3002/fdinfo/4
### No such file or directory
### Continuing...
The object: "/proc/fs/vmblock/mountPoint" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
### Warning: Duplicate object encountered.
### /proc/sys/net/ipv6/neigh
### Continuing...
Wrote database file: /var/lib/tripwire/ubuntu.twd
The database was successfully generated.
root@ubuntu:/home/dexter#

As we can see, the command returns a series of errors; this happens because Tripwire's policy references files that do not exist. We fix this by editing the file /etc/tripwire/twpol.txt and commenting out every line that includes the name "root", the line for "/etc/rc.boot", and, at the end of the document, the line that includes "/proc".


After modifying and saving the changes, we run:
# twadmin -m P twpol.txt
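The manual editing of twpol.txt described above can be done more systematically. The following POSIX shell script is an added example written for this page (it is not part of the original write-up or of the Tripwire package): it reads a twpol.txt-style policy file, comments out every rule whose object path does not exist on the host, and also comments out objects named in a skip list (default "/proc", which does exist but whose per-process entries appear and disappear constantly, which is what produced the warnings shown above). The function names, the SKIP_OBJECTS variable and the sample policy lines are this example's own assumptions; rules are assumed to use the usual unquoted form `/path -> $(MASK) ;`. After writing the pruned file back to /etc/tripwire/twpol.txt, the signed policy is regenerated with `twadmin -m P` exactly as in the write-up.

```shell
#!/bin/sh
# Added example (not from the original write-up): comment out twpol.txt rules
# whose object does not exist on this host, so that `tripwire --init` stops
# reporting "No such file or directory" for them.
# Assumed rule syntax (standard twpol.txt):   /path  -> $(MASK) ;
# Objects listed in SKIP_OBJECTS are commented out even if they exist
# (default: /proc, whose per-process entries change constantly).

SKIP_OBJECTS="${SKIP_OBJECTS:-/proc}"

# object_in_skip_list OBJ -> exit 0 when OBJ is listed in SKIP_OBJECTS
object_in_skip_list() {
    for s in $SKIP_OBJECTS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# prune_missing_policy_paths IN OUT
#   IN = policy text file to read, OUT = pruned copy to write
prune_missing_policy_paths() {
    src="$1"; dst="$2"
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "#"*) ;;                      # already a comment: keep as-is
            *'->'*)
                # the first token of a rule line is the object being monitored
                obj=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]].*//')
                case "$obj" in
                    /*)
                        if [ ! -e "$obj" ] || object_in_skip_list "$obj"; then
                            printf '#%s\n' "$line" >> "$dst"
                            continue
                        fi ;;
                esac ;;
        esac
        printf '%s\n' "$line" >> "$dst"
    done < "$src"
}

# count_commented_rules FILE -> number of rule lines that are commented out
count_commented_rules() {
    grep -c '^#.*->' "$1" || true
}

# Demo on a constructed policy fragment (sample lines, not a real twpol.txt).
demo_prune() {
    src=$(mktemp); dst=$(mktemp)
    printf '%s\n' \
        '/bin            -> $(SEC_BIN) ;'  \
        '/etc/rc.boot    -> $(SEC_BIN) ;'  \
        '/proc           -> $(Device) ;'   \
        '/no/such/dir    -> $(SEC_CRIT) ;' \
        '# unchanged comment line' > "$src"
    prune_missing_policy_paths "$src" "$dst"
    cat "$dst"
    rm -f "$src" "$dst"
}

# Run with "--demo" to see the pruned sample. Typical use on a real host
# (as root), followed by the regeneration steps from the write-up:
#   prune_missing_policy_paths /etc/tripwire/twpol.txt /tmp/twpol.pruned.txt
#   cp /tmp/twpol.pruned.txt /etc/tripwire/twpol.txt
#   twadmin -m P /etc/tripwire/twpol.txt
#   tripwire --init
if [ "${1:-}" = "--demo" ]; then
    demo_prune
fi
```

Only the object's existence is checked, so rules for paths that exist but misbehave (like /proc here) must still be named explicitly in SKIP_OBJECTS; review the pruned file before regenerating the policy, since every commented rule is a path Tripwire will no longer watch.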

Generating the database
Having reached this step, we run the command again:
# tripwire --init
If everything went well, the result should look like this:

[Terminal: root@ubuntu: /etc/tripwire]
root@ubuntu:/etc/tripwire# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ubuntu.twd
The database was successfully generated.
root@ubuntu:/etc/tripwire#

Creating reports
Reports collect information about our machine with the aim of recording the errors that may arise. Creating reports with Tripwire is very simple; we only need to type the following command in the console:
# tripwire --check > informe_001.txt

[Terminal: root@ubuntu: /etc/tripwire]
root@ubuntu:/etc/tripwire# tripwire --check > informe_001.txt
root@ubuntu:/etc/tripwire# ls
informe_001.txt  tw.cfg     tw.pol      twpol.txt
site.key         twcfg.txt  tw.pol.bak  ubuntu-local.key
root@ubuntu:/etc/tripwire#

Tripwire generates a report every time we run the command "tripwire --check" and then stores it by default in /var/lib/tripwire/report, so if we list that directory (ls command) we can see all the reports generated so far. The reports stored there cannot be opened with a text editor because they are encoded, which is why we redirect standard output with ">" to make a readable copy.

We open our report "informe_001.txt" to analyse its contents:

In my case, we only found that a total of 4 violations were detected but, as the report shows, without any errors.
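Reading the report by eye works for one machine; on more than one, the figures that matter (violation count, error status, which objects were added, removed or modified, and which rules fired) are better extracted automatically. The script below is an added example written for this page, not part of the original write-up or of Tripwire: it parses the plain-text form of a `tripwire --check` report, i.e. the readable copy made with "> informe_001.txt" (the .twr files under /var/lib/tripwire/report are binary; Tripwire's own `twprint --print-report` renders them to the same text). The sample report embedded in write_sample_report is constructed for this example and mirrors the layout of a real integrity check report with 4 violations and no errors, matching the outcome described above; all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original write-up): extract the figures a
# defender acts on from a plain-text `tripwire --check` report.
# The sample report below is constructed for this example.

# write_sample_report FILE -> writes the constructed sample report to FILE
write_sample_report() {
    cat > "$1" <<'EOF'
Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            (constructed sample)
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    ubuntu
Policy file used:             /etc/tripwire/tw.pol
Database file used:           /var/lib/tripwire/ubuntu.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             100               2        0        0
  Other binaries                  66                0        0        0
* Root config files               100               0        0        2

Total objects scanned:  23456
Total violations found:  4

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/ubuntu.twd"
"/var/lib/tripwire/report/ubuntu-00000000-000000.twr"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root/.bash_history"
"/root/.viminfo"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***
EOF
}

# report_total_violations FILE -> prints the "Total violations found" count
report_total_violations() {
    awk '/^Total violations found:/ { print $NF }' "$1"
}

# report_error_status FILE -> prints the first text line under "Error Report:"
report_error_status() {
    awk '/^Error Report:/ { want = 1; next }
         want && /^[^=[:space:]-]/ { print; exit }' "$1"
}

# report_changed_objects FILE -> one "KIND<TAB>PATH" line per listed object
report_changed_objects() {
    awk '
        /^(Added|Removed|Modified):$/ { kind = substr($1, 1, length($1) - 1); next }
        /^----------/ || /^==========/ { kind = ""; next }
        kind != "" && /^"/ { path = $0; gsub(/^"|"$/, "", path); print kind "\t" path }
    ' "$1"
}

# report_flagged_rules FILE -> names of rules marked "*" in the Rule Summary
report_flagged_rules() {
    awk '/^\* / { sub(/ +[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/, ""); sub(/^\* +/, ""); print }' "$1"
}

# report_needs_attention FILE -> exit 0 when violations > 0 or errors occurred
report_needs_attention() {
    v=$(report_total_violations "$1")
    [ "${v:-0}" -gt 0 ] || [ "$(report_error_status "$1")" != "No Errors" ]
}

# Run with "--demo" to summarise the constructed sample report.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_report "$f"
    printf 'violations=%s errors=%s\n' "$(report_total_violations "$f")" "$(report_error_status "$f")"
    report_flagged_rules "$f"
    report_changed_objects "$f"
    rm -f "$f"
fi
```

Tripwire writing its own new database and report files into /var/lib/tripwire is the usual source of "violations" right after initialisation; once the expected objects are accounted for, report_needs_attention gives a single exit status that a cron job or monitoring agent can alert on.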

And with this we are done.
