Scot L. Harris wrote:
On Sat, 2005-10-01 at 18:53, Ian Harris wrote:
On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
It is not a virus defense, it is a host based intrusion detection tool.
Tripwire's purpose is to periodically examine files specified in the
policy file and report any differences. These differences are an
indication that something was changed. If you are unable to trace the
cause to a system update or modification that you performed then it may
be an indication that someone else has modified files on your system.
In the past I have used things like Big Brother to examine the tripwire
reports and alarm if a violation is indicated.
Tripwire will not stop programs from running, you should look to selinux
to provide that kind of protection. Selinux will prevent a program from
trying to change files or perform operations that are not authorized by
the policy on the system.
That is where having the policy and database files used by tripwire
signed by a key comes in. In order to update the database you must enter the
pass phrase used for the system. It is also a good idea to have
tripwire monitor its own executables and files so you will get notified
if those are changed.
Understand that tripwire is an IDS, it lets you know when something
appears to have changed. It is not a magic bullet but one part of a
system you can use to help protect your system.
Also note that tripwire is not prelink aware. You can scare yourself
pretty bad if you set up a new system, configure tripwire, and then come
back the next day and most of the files in the system are flagged as
being changed. :)
Thanks for that Scot, looks like I'm going to have to study the selinux
manual!
Ian
If you are looking at security of your system start thinking about it in
layers. Start with a good firewall and set it to block things coming in
as well as going out. Only allow those things that you need to use.
Use iptables on your servers. This acts as a second firewall layer.
Set up tripwire, which will alert you that something has changed. This
will reduce the amount of time that someone may have access to your
system.
Enable selinux. With the right policy this should limit potential
damage and exposure should someone manage to execute code on your
system.
Use good passwords. Disable all services you don't need/use.
Review your log files regularly, read root's email.
If you want to get really paranoid you can set up snort. Snort is a
network intrusion detection tool (depending on how it is configured it
could be an intrusion prevention system). It can notify when it sees
odd things on your network. It can also be configured to reactively
modify firewall rules in response to perceived threats. Similar lighter
weight apps like this include portsentry which can be used on individual
hosts.
Think of security as having multiple layers. That way if someone
penetrates one layer they should be blocked by another. To do damage
someone would have to penetrate your firewall, iptables, selinux,
evade tripwire, break passwords, and elude snort. Most hackers will
move on to other systems that are not protected as well. And for the
most part that is what you want to achieve. Make your system just a
little harder to crack than the next on the Internet.
Excellent advice. I don't have any servers or a network though, my PC is
just a home PC connected directly to the net.
At one stage I had a home network set up with Smoothwall on a dedicated
PC, which had snort enabled. I used to check the logs occasionally, and
I was always gobsmacked at how many attempts to hack the box were
recorded. Hundreds a day sometimes.
Cheers, Ian
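A minimal tripwire-style check of the kind Scot describes, as an added example (not Tripwire's own code): hash a set of files into a baseline database, protect that database with an HMAC standing in for the pass-phrase-signed database, and report what has changed since. The file names, directory and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(path):
    # Attributes a policy would list: content hash, size and mode.
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": st.st_mode}


def build_baseline(paths):
    # The "database": one fingerprint per monitored regular file.
    return {p: fingerprint(p) for p in sorted(paths) if os.path.isfile(p)}


def seal(baseline, key):
    # Serialize the database and attach an HMAC so edits to it are detectable.
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_seal(body, tag, key):
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def compare(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    key = b"constructed demo key"  # real deployments derive this from the pass phrase
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("ls", "passwd", "sshd_config")]
    for p in paths:
        with open(p, "w") as f:
            f.write("original " + os.path.basename(p))
    body, tag = seal(build_baseline(paths), key)
    with open(os.path.join(d, "passwd"), "a") as f:  # unexpected edit
        f.write("\nextra line")
    open(os.path.join(d, "unknown.bin"), "w").close()  # unexpected new file
    if not verify_seal(body, tag, key):  # never trust a database that fails its HMAC
        raise RuntimeError("baseline database tampered with")
    current = build_baseline(os.path.join(d, n) for n in os.listdir(d))
    report = compare(json.loads(body), current)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

Because the check is purely content-based, a prelink pass that rewrites binaries in place would flag them exactly as Scot warns, so a real policy also needs to account for that.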