Re: Tripwire output on Solaris 2.7

From: Gary Mulder (gary@cgen.com)
Date: 10/11/01


Message-ID: <3BC602DD.BAF33523@cgen.com>
Date: Thu, 11 Oct 2001 16:36:45 -0400
From: Gary Mulder <gary@cgen.com>
To: Simon Crowther <SCrowthe@msxi-euro.com>
Subject: Re: Tripwire output on Solaris 2.7

Simon,

You need to examine the files that Tripwire has detected as changed. Most can
be attributed to normal file changes due to user activity and reboots. Unless
it's a permissions or ownership change, I usually ignore changes to special
files such as named pipes and devices.

For every non-special (i.e. regular) file, you need to ask yourself: Did I or
someone on the system make a change to do something to cause a change in that
file on that date? If yes, then you're fine.

The one that I would really look at is /etc/oshadow. My (limited) understanding
is that when someone changes a shadow password field (e.g. by using the passwd
command), /etc/oshadow is the backup made before the change is made. I don't see
/etc/shadow marked as changed, so this might be suspicious.

Note also that your Tripwire checking is only as secure as the Tripwire binary
and database. If they're editable by root then anybody who gets root on your
system can fake out Tripwire. At worst you need to manually checksum these two
files and store the checksum result off-computer (I think there's a util
provided with Tripwire called siggen that will do this for you). Somewhat
better is storing your binary and database on a read-only NFS share as well.
The ultimate best way to store them is to put them on a read-only mounted
write-protected floppy or CDROM.

I also keep multiple historic database copies so I can determine when
particular files changed on my system. This is very useful when you've got
multiple admins mucking with systems and changing things without documenting
their changes!

-- 
Gary Mulder
System Administrator,
Compugen, Inc.
http://www.cgen.com
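As an added illustration of the advice above (this is not part of Gary's message and not a Tripwire-supplied tool), a small POSIX shell script that checksums the Tripwire binary and database, compares them against a baseline kept on read-only media, and archives dated copies of the database for the "when did this file change" question. It uses sha256sum/openssl rather than siggen; the file paths, baseline location and history directory are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Constructed example: the paths below are assumptions, not Tripwire defaults.
TW_FILES="${TW_FILES:-/usr/local/sbin/tripwire /var/lib/tripwire/host.twd}"
BASELINE="${BASELINE:-/mnt/readonly/tripwire.sums}"   # lives on read-only media
HISTORY_DIR="${HISTORY_DIR:-/mnt/readonly/twd-history}"

# Print "<sha256>  <path>" for one file; falls back to openssl if sha256sum is absent.
checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    openssl dgst -sha256 "$1" | sed 's/^SHA256(\(.*\))= \(.*\)$/\2  \1/'
  fi
}

# Record the current checksums of the binary and database into $BASELINE.
# Run this once from a trusted state, then make $BASELINE read-only.
make_baseline() {
  : > "$BASELINE"
  for f in $TW_FILES; do
    checksum "$f" >> "$BASELINE" || return 1
  done
}

# Recompute every checksum in $BASELINE; print each mismatch or missing file.
# Returns 0 only when everything matches, so it can gate a 'tripwire --check' run.
verify_baseline() {
  status=0
  while read -r sum path; do
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"; status=1; continue
    fi
    cur=$(checksum "$path" | awk '{print $1}')
    if [ "$cur" != "$sum" ]; then
      echo "CHANGED  $path"; status=1
    fi
  done < "$BASELINE"
  return $status
}

# Keep a dated copy of the database so earlier states can be compared later.
archive_database() {
  mkdir -p "$HISTORY_DIR" || return 1
  cp "$1" "$HISTORY_DIR/$(basename "$1").$(date +%Y%m%d-%H%M%S)"
}
```

A cron job would call `verify_baseline && tripwire --check`, and `archive_database` after every database update.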