Pre-deployment security (Tripwire, etc.)
Bair,Paul A.
PABAIR at mitre.org
Mon Feb 27 11:24:45 EST 2006
On Mon, 2006-02-27 at 10:57 -0500, Ben Scott wrote:
> Hi all,
>
> A good thing to do would be to use Tripwire or similar to build a
> "known good" database of file signatures prior to deployment. When it
> comes to intrusion detection and compromise recovery, this is the only
> way to be sure.
>
> I did some work with Tripwire and alternatives a few years ago,
> although I haven't touched it recently. Anyone want to toss out
> alternatives/suggestions/best practices/etc?
>
I would recommend ftimes as an alternative to Tripwire. It captures
quite a lot of information for both Windows and Unix file systems.
Here's an example execution. The commands below collect all file system
information for the /tmp directory and send the output to a file.
# ftimes --mapauto all -l 6 /tmp > /tmp/baseline.map
# ftimes --mapauto all -l 6 /tmp > /tmp/snapshot.map
Here's what the baseline.map file looks like; the pipe character is the
delimiter.
# head -3 /tmp/baseline.map
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp/.snap"|1040|3|40775|2|0|5|3016|2006-02-21 08:05:29|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5
It's trivial to compare a baseline and snapshot, as shown with the
command below. The results follow the command, which shows
that /tmp/snapshot.map is a new file (N), and the /tmp directory
and the /tmp/baseline.map file have changed (C).
# ftimes --compare all-atime-magic /tmp/baseline.map /tmp/snapshot.map
category|name|changed|unknown
C|"/tmp/baseline.map"|size,md5|
N|"/tmp/snapshot.map"||
C|"/tmp"|mtime,ctime|
You can get ftimes here:
http://ftimes.sourceforge.net/FTimes/index.shtml
If you have any questions on ftimes, you can email me directly. I
support and contribute to the project.
--- Andy
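The baseline/snapshot/compare cycle described in the post, as an added example that is not code from ftimes or from the post: a small Python reimplementation of the `--compare` step over the pipe-delimited map format shown above, run on constructed sample maps embedded inline. The field-mask syntax beyond what the post shows ("all" minus "-field" exclusions, "none" plus "+field" inclusions) and the M category for entries present in the baseline but gone from the snapshot are assumed here; the post itself only shows the C and N categories and the all-atime-magic mask.

```python
"""Compare two ftimes-style map files the way `ftimes --compare` reports them.

Added example, not ftimes' own code.  Reads the map layout shown in the
post (header line naming the fields, '|' delimiter, double-quoted path
in the first column) and reports each path as New (N), Changed (C) or,
assumed here, Missing (M), honouring a field mask such as
"all-atime-magic" (compare every field except atime and magic).
Assumption: path names contain no '|' (the example does no unescaping).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample maps in the layout from the post.  Values are made up.
# Baseline was taken before deployment; the snapshot is the later check.
BASELINE = """\
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp"|1040|2|41777|5|0|0|3016|2006-02-21 08:05:29|2006-02-23 16:27:07|2006-02-23 16:27:07|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5
"/tmp/old.log"|1040|7|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|100||0123456789abcdef0123456789abcdef
"/tmp/tool"|1040|8|100755|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|14200||aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# In the snapshot: /tmp/err was only read (atime), /tmp itself was written
# to, old.log is gone, snapshot.map is new, and /tmp/tool became setuid
# with new contents while its mtime was reset to the old value (ctime
# still moved, since chmod updates it).
SNAPSHOT = """\
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp"|1040|2|41777|5|0|0|3016|2006-02-27 11:00:00|2006-02-27 11:00:00|2006-02-27 11:00:00|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-27 11:00:00|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5
"/tmp/snapshot.map"|1040|9|100644|1|0|0|3024|2006-02-27 11:00:00|2006-02-27 11:00:00|2006-02-27 11:00:00|400||fedcba9876543210fedcba9876543210
"/tmp/tool"|1040|8|104755|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2006-02-26 03:12:44|14200||bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


def parse_map(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (field names in header order, {path: {field: value}})."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split("|")
    records: Dict[str, Dict[str, str]] = {}
    for line in lines[1:]:
        values = line.split("|")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(fields, values))
        name = rec["name"]
        if name.startswith('"') and name.endswith('"'):
            name = name[1:-1]          # strip the quoting seen in the post
        records[name] = rec
    return fields, records


def parse_mask(mask: str, fields: List[str]) -> List[str]:
    """Expand a field mask ("all-atime-magic", "none+md5+size") to a field list.

    Syntax assumed here: an initial "all" or "none", then "+field" to add
    and "-field" to drop.  "name" is the record key and is never compared.
    Result keeps header order so the changed-field list matches ftimes' output.
    """
    comparable = [f for f in fields if f != "name"]
    selected = set()
    for sign, name in re.findall(r"([+-]?)([A-Za-z0-9_]+)", mask):
        if not sign and name == "all":
            selected = set(comparable)
        elif not sign and name == "none":
            selected = set()
        elif sign == "+" and name in comparable:
            selected.add(name)
        elif sign == "-" and name in comparable:
            selected.discard(name)
        else:
            raise ValueError(f"bad mask token {sign}{name!r}")
    return [f for f in comparable if f in selected]


def compare(baseline: str, snapshot: str, mask: str = "all") -> List[Tuple[str, str, List[str]]]:
    """Return [(category, path, changed_fields)] for every differing path."""
    b_fields, b_recs = parse_map(baseline)
    s_fields, s_recs = parse_map(snapshot)
    if b_fields != s_fields:
        raise ValueError("baseline and snapshot were taken with different field sets")
    fields = parse_mask(mask, b_fields)
    results = []
    for name in sorted(set(b_recs) | set(s_recs)):
        if name not in b_recs:
            results.append(("N", name, []))            # new since baseline
        elif name not in s_recs:
            results.append(("M", name, []))            # missing from snapshot
        else:
            changed = [f for f in fields if b_recs[name][f] != s_recs[name][f]]
            if changed:
                results.append(("C", name, changed))
    return results


def format_report(results: List[Tuple[str, str, List[str]]]) -> str:
    """Render results in the category|name|changed|unknown layout from the post."""
    out = ["category|name|changed|unknown"]
    for cat, name, changed in results:
        out.append(f'{cat}|"{name}"|{",".join(changed)}|')
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(compare(BASELINE, SNAPSHOT, "all-atime-magic")))
```

Two things the sample output makes visible that the post's run does not: the setuid bit and new hash on /tmp/tool are caught even though its mtime was put back, because mode, ctime and md5 are all in the mask; and /tmp/err drops out once atime is excluded, which is why a mask like all-atime-magic is the usual choice on a live system. Note also that in the post's own output the baseline file shows up as changed because it was written into the directory being mapped while ftimes was still hashing it; write baselines and snapshots outside the monitored tree, and keep the pre-deployment baseline off-host or on read-only media, since anyone who can alter the files can otherwise alter the baseline too.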