SUMMARY: scripts for md5 fingerprint and baseline config comparisons

From: Brown, Melissa (BrownM@fhu.disa.mil)
Date: Wed Sep 27 2000 - 16:33:26 CDT


I have to say I've given up on this idea. A combination of lack of time and
being convinced to install the academic version of Tripwire 1.3.1 until we
get the new version purchased.
Installing the tripwire 1.3.1 was NOT easy and I'm still working on
configuring it, but I think it'll be better for the job than any perl script
I would have written myself.
Someone else has a script they wrote, I've included his information below in
the comment.

I had a lot of really good ideas and comments emailed to me and I've included
them below. My original request follows the comments.

Someone else, in house, compared Tripwire with both Axent's ESM and ITA and
said they did the same thing. I've worked with both of those tools and
didn't think they did the in-depth look that Tripwire is supposed to do.
Any comments on that -- email me! :-) I'd like to know if my install of
Tripwire is reinventing the wheel when ESM/ITA are already running.

As always, thanks to a knowledgeable and helpful group.

-------------------------------------------------------------------------
Check out: http://www.cs.tut.fi/~rammer/aide.html
-------------------------------------------------------------------------
Have you looked at the Sun product "Configuration Service Tracker" on
Sunsolve web site.
-------------------------------------------------------------------------
check out
http://perl.oreilly.com/news/sysadmin_0800.html
This sounds like it is pretty close to what you are looking for.
-------------------------------------------------------------------------
You've described Tripwire, a now-commercial app that was once open
source/free/whatever we call it today. They have a web site at
www.tripwire.com. You can get the older (free-er) version on the web at
ftp://ftp.sage-au.org.au/pub/security/tools/host/tripwire/tripwire-1.2.tar.Z
.
It's probably available closer as well. A web search should find it
easily.

Rob
-------------------------------------------------------------------------
I use a heavily modified version of Dan Farmer's old COPS suite to do this.
I've modified the crc program to do md5 checksums. It is fed (stdin) a
list of files generated by a perl script that understands recursion,
exclusion lists and exclusion patterns.

I back that up with another perl script (separate) that keeps a database of
setuid and setgid files, and reports any changes in the ctime of those
files.

If you want a copy, let me know, and I'll make up a tarball or something
for you
Ric Anderson (ric@opus1.com)
-------------------------------------------------------------------------
Sounds suspiciously like Tripwire.

Check the tools on http://www.securityfocus.com :)

Leonid S. Knyshov
Sr. UNIX Systems Administrator
-------------------------------------------------------------------------
   Two other file integrity packages besides Tripwire:

   ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
   ftp://ftp.freeveracity.org/freeveracity_v300

-- 
Karl Vogel
-------------------------------------------------------------------------
There is a pretty simple package out there called Fcheck which will do
this finger printing for you provided you supply the MD5
binary.  It is a set of simple perl scripts, easy to configure and
keeps signature databases.  Can't remember where it is but a simple net
search for Fcheck will turn it up.  MD5 can be downloaded from
sunfreeware.com I believe.

-- John
-------------------------------------------------------------------------
We use a combination of SH scripting, and Sun's Explorer with some grunt work thrown in...

I have a .sh script that simply checks file modified times and sizes against a log file (not MD5), as well as checking file contents from the explorer -vs- the current....

I'd be interested in see'n what you are talking about designing...
-------------------------------------------------------------------------
Have you looked at "tripwire". I think this does what you want.

David
-------------------------------------------------------------------------
Hi Melissa,

A lot of places use AIDE or tripwire for similar purposes :

http://www.cs.tut.fi/~rammer/aide.html

http://www.tripwire.com/

Regards,
Justin Clift
-------------------------------------------------------------------------

You can use old (free!) versions of tripwire (1.2 is free, and despite the bull, it works just fine).

Otherwise, writing your own integrity checker isn't too hard, just remember that you need to keep the database and config files on read-only media.

Carl
-------------------------------------------------------------------------
If you're really concerned about security, storing the md5 sums on the same machine isn't very good. Of course, running anything on the suspect machine is subject to the same limitation. What are you trying to achieve from this process?

Aside from that, you've got a reasonable basic idea already. The next steps that I'd take would be:

compare each line (not the entire file, you don't want line ordering, or the presence/absence of individual entries to generate false alerts) to a secure version of the Sun Fingerprint database (either on locally mounted read-only media, or by doing a web look-up for each entry, or by caching the database in memory)

if the entry in your list doesn't appear in Sun's list, send e-mail (you may want to set up an exception list if you've got any local files in /usr/bin or /usr/sbin)

if the entry is in Sun's list, and it differs, send an alert (you'll want to supplement Sun's list for any locally modified binaries)

Yeah. Look at tripwire.

Why not get the older, free, public version to play with? If nothing else, it'd be a good framework to graft a "lookup against the Sun database instead of the previous tripwire run" hack.

Yeah, it's somewhat cumbersome, mainly because it's verbose. I use it daily,

and it's one of the first things I install on a production server. Of course, there's quite a bit of tuning to keep the level of "false" alerts down. The install is quite easy, and many of the defaults are OK. If you know your systems fairly well, it's a good tool.

Play with it...if nothing else, it'll give you an idea of what you want in a

commercial or home-grown solution.

Mark (I combined a couple of emails from Mark into one)
-------------------------------------------------------------------------

-----Original Message-----
I should have mentioned that I do plan on purchasing the current version of Tripwire. I thought I could do this in the interim while waiting for red tape/purchasing to deliver. It's been on my list, as probably everyone else's, to keep baseline configs nearby. I want to cross it off the list! :-)

-----Original Message-----

I'm the last one to say I can write a script, but I will admit I can be tenacious about writing one until it works right! :-) BUT before I go off to invent the wheel, has anyone written a perl script that will baseline their configuration? (I'm Solaris 2.6, fully patched and secured--haha, don't flame me for that one!) I've searched the archives and I've searched the internet.

I want to do two reports that I can run through cron, probably once a week:

1. List all the md5 executables, compare them to the last ones that were run, and then email a report of status. If there's a difference, of course, that can be used at Solaris Fingerprint. I've been breaking them down by directory, for example:

find /usr/bin -type f -print | xargs -n100 /usr/local/bin/md5 > /rootdir/md5_bin.txt
find /usr/sbin -type f -print | xargs -n100 /usr/local/bin/md5 > /rootdir/md5_sbin.txt

2. List baseline configuration, but not the dirs/files that change all the time like procs, and then do a comparison of last time it ran, emailing a report of status. Hopefully differences would be user dirs or ones the sysadmin knows had changes. This one is tougher... I'm not sure how to do the comparisons.

ls -laR > /rootdir/machinename_date

Has anyone done this yet??? If you have -- wanna share that information with me and I'll summarize?? :-)

Thanks,
Melissa
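Melissa's report 1 (a per-directory md5 list compared against the previous run and mailed from cron) together with Mark's advice to compare entry by entry rather than diffing whole files, written out as an added example; this is not a script from anyone in the thread. It assumes md5sum-style output (digest first, then path), so on Solaris with /usr/local/bin/md5 the field order in the awk would need adjusting; the directory and baseline paths are placeholders. The same compare function works unchanged with a known-good list (Sun's fingerprint database, or a copy on read-only media as Carl suggests) in place of the previous run.

```shell
#!/bin/sh
# Added example, not code from the sun-managers thread. Builds an md5
# baseline of a directory and compares it entry by entry with the previous
# baseline, so a reordered list or one added/removed file cannot mask other
# changes. Assumes md5sum-style output ("digest  path"); paths containing
# whitespace are not handled by the awk field split below.

MD5CMD="${MD5CMD:-md5sum}"

# make_baseline DIR OUT: one "digest path" line per regular file, sorted by path.
make_baseline() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        "$MD5CMD" "$f"
    done > "$2"
}

# compare_baselines OLD NEW: print ADDED / REMOVED / CHANGED lines, one per
# path, sorted. Prints nothing when the two baselines agree.
compare_baselines() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # remember previous digests
        {
            if (!($2 in old)) print "ADDED   " $2
            else if (old[$2] != $1) print "CHANGED " $2
            delete old[$2]
        }
        END { for (p in old) print "REMOVED " p }   # whatever is left is gone now
    ' "$1" "$2" | sort
}

# run_check DIR BASELINE: rebuild the digest list and report differences.
# The first run stores the baseline. Later runs never overwrite it: when
# something differs, the fresh list is left in BASELINE.new for the admin to
# review (the reference copy belongs on read-only media, per Carl). Output
# only appears when there is something to report, so a cron job mails the
# owner only on change. Exit status 1 signals a difference.
run_check() {
    dir="$1"; base="$2"; new="$2.new"
    make_baseline "$dir" "$new"
    if [ ! -f "$base" ]; then
        mv "$new" "$base"
        echo "Initial baseline for $dir stored in $base"
        return 0
    fi
    report=$(compare_baselines "$base" "$new")
    if [ -n "$report" ]; then
        printf 'Integrity changes under %s since last baseline:\n%s\n' "$dir" "$report"
        return 1
    fi
    rm -f "$new"
    return 0
}

# Usage from cron, e.g. once a week (placeholder paths):
#   run_check /usr/bin /rootdir/md5_bin.txt
if [ "$#" -eq 2 ]; then
    run_check "$1" "$2"
fi
```

Running one instance per directory (/usr/bin, /usr/sbin, ...) keeps each report short and lets a local-binaries exception list be applied per directory, which is the false-alert problem Mark describes.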

BEFORE POSTING please READ the FAQ located at
ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
and the list POLICY statement located at
ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
To submit questions/summaries to this list send your email message to:
sun-managers@sunmanagers.ececs.uc.edu
To unsubscribe from this list please send an email message to:
majordomo@sunmanagers.ececs.uc.edu
and in the BODY type:
unsubscribe sun-managers
Or
unsubscribe sun-managers original@subscription.address
To view an archive of this list please visit:
http://www.latech.edu/sunman.html



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:18 CDT