Thanks to all who responded.  Here are the responses I received.
From: Joe Fletcher <joe_at_meng.ucl.ac.uk>
Hi,
The prime target for modifications to ls/ps etc. recently is Solaris.
There's an exploit based on either ntp or snmpdmiX which allows the
hacker to "root kit" the system. To date I've not seen the same exploit
used on Tru64. The way most people find out they've been hacked is any
file with 01 in the name disappears from ls listings. The hack may get
ported to Tru64 but hopefully Compaq will preempt this. The built-in
fverify may be of some use to you.
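A quick check that follows from Joe's observation, added here as an example (it is not code from any of the replies): a user-land rootkit's replacement ls filters names out of its output, but the directory entries are still returned by the kernel's readdir. Comparing what os.listdir() (a different binary, same system call) sees with what the installed ls prints for the same directory exposes that filtering. The directory and file names below are constructed; the check assumes an ls that accepts -1A (one name per line, dotfiles included, without . and ..). If the kernel itself has been modified this comparison proves nothing, which is the caveat about root compromise raised later in the thread.

```python
import os
import subprocess
import tempfile


def names_from_ls(directory):
    """Names as printed by the system ls: -1 one per line, -A dotfiles but not . and .."""
    out = subprocess.run(["ls", "-1A", directory], check=True,
                         capture_output=True, text=True).stdout
    return {line for line in out.splitlines() if line}


def names_from_readdir(directory):
    """Names as returned by the kernel directly; os.listdir also omits . and .."""
    return set(os.listdir(directory))


def hidden_by_ls(readdir_names, ls_names):
    """Pure comparison: entries the kernel reports that ls did not print.
    A non-empty result means ls (or the environment it ran in) is lying."""
    return set(readdir_names) - set(ls_names)


def check_directory(directory):
    """Run both listings against a real directory and return the hidden names."""
    return hidden_by_ls(names_from_readdir(directory), names_from_ls(directory))


def make_sample_dir():
    """Constructed sample directory: several names contain '01', the pattern Joe describes."""
    d = tempfile.mkdtemp(prefix="lscheck-")
    for name in ("sshd01", "login", ".01rk", "ps", "ls01"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("sample\n")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    hidden = check_directory(d)
    if hidden:
        print("ls is hiding:", sorted(hidden))
    else:
        print("ls and readdir agree on", d)
    # Simulated trojaned ls: drops every name containing '01'
    real = names_from_readdir(d)
    faked = {n for n in real if "01" not in n}
    print("a trojaned ls would hide:", sorted(hidden_by_ls(real, faked)))
```

On a clean system the two listings agree and check_directory() returns an empty set; the simulated trojan at the end shows what a filtered ls would reveal.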
From: lrs22_at_att.net
Tru64 auditing can be used to monitor activity against 
selected files.
For the example you present, I would enable the
object_selection mode which will reduce the level of
auditing to cover only those files you designate.
Then, specify the files and the system calls of concern. 
The resulting audit data will reflect the specified 
syscall activity performed on the specified files.  
(A more comprehensive explanation is in the Security
book.)
To enable object selection
   # auditmask -s obj_sel
To mark the files of concern
   # auditmask -x /usr/bin/login -x /usr/bin/ps \
               -x /usr/bin/ls
 -or-
create a list of files, then
   # auditmask -X file_list
where "file_list" is the name of this list
To specify the syscalls
   # auditmask obj_creat obj_delete
where "obj_creat" and "obj_delete" are aliases for sets
of syscalls which can either open or remove an object
(data within an object cannot be modified without first 
opening the object).  These aliases are defined in
/etc/sec/event_aliases.  Or, you can specify any set of 
syscalls which are relevant for your environment.  You 
can also selectively audit just the successful opens and 
removes, or all the opens and removes (or just the
failed attempts).
This approach to monitoring your files will be able to 
tell when the file was modified and who did the 
modification.  Tools which monitor the file checksum 
can only tell you whether a file was modified, not who, 
when, nor tell you about any failed attempts.  Which tool 
you select depends on the information you wish to 
collect.
Side issue:  In order to modify any of the files you 
listed, a process would need to be running as root.  If 
this is happening, then it would be difficult to 
guarantee most security mechanisms.  Databases of 
checksums, if online, can be altered.  The checksum 
utility can be altered.  Audit data can be deleted.  The 
truly paranoid might need to write the audit data either 
to a device, such as a WORM, or over the network to a 
(more) secure system.  In practice, any security measure 
provides just a level of assurance.
For information on setting up auditing, the relevant 
manpages are:
     audit_setup
     auditmask
     auditd
and for analyzing the data:
     audit_tool
Additional information is available in the Security 
book.
Hope this helps.
lrs
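To make the comparison lrs draws concrete, here is a minimal Tripwire-style checker, added as an example; it is not code from any reply, nor from Tripwire or COPS. It records a SHA-256 baseline for a list of files and later reports which are modified, missing or newly appeared. The baseline should be read from a copy kept off the monitored host (read-only media or a more secure system), for the reason given in the side issue above. Note what the report can contain: only whether each file changed. There is no field for who did it, when, or for failed attempts; that is what the audit subsystem adds. The file set and contents below are constructed, with temporary files standing in for /usr/bin/login, /usr/bin/ps and /usr/bin/ls.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each monitored path to its digest; a missing file is recorded as None
    so that its later appearance is flagged as well."""
    return {p: (file_digest(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify every baselined path. Digests answer only 'whether':
    no actor, no timestamp, no record of failed attempts."""
    report = {"modified": [], "missing": [], "appeared": [], "unchanged": []}
    for path, old in sorted(baseline.items()):
        new = current.get(path)
        if old is None and new is not None:
            report["appeared"].append(path)
        elif old is not None and new is None:
            report["missing"].append(path)
        elif old != new:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: baseline three stand-in binaries, then tamper with
    one and delete another. Returns the paths and the comparison report."""
    root = tempfile.mkdtemp(prefix="ckbase-")
    paths = [os.path.join(root, n) for n in ("login", "ps", "ls")]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"original " + os.path.basename(p).encode() + b"\n")
    baseline_file = os.path.join(root, "baseline.json")  # in real use: kept off-host
    save_baseline(build_baseline(paths), baseline_file)

    with open(paths[2], "ab") as fh:       # trojaned ls
        fh.write(b"hide names containing 01\n")
    os.remove(paths[1])                    # ps deleted

    report = compare(load_baseline(baseline_file), build_baseline(paths))
    return paths, report


if __name__ == "__main__":
    paths, report = demo()
    for state, files in report.items():
        print(state, [os.path.basename(p) for p in files])
```

In the constructed run the report lists ls as modified and ps as missing, and nothing more: a checksum tool stops exactly where lrs says it does.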
Final Note:
Another person said they were using COPS but wanted to move to TripWire
but had been unsuccessful in compiling it on Tru64 so far.
Original post:
We're running Tru64 v4.0f pk0005 and I would like to start monitoring
changes to certain O/S files such as "/usr/bin/login", "/usr/bin/ls"
and "/usr/bin/ps". I've read recently in an issue of Sys Admin that
these, as well as some others, are well known targets for hackers. Is
the native Tru64 file auditing system a good way of monitoring these
types of files? Or would I be better off using TripWire?
I would also be interested in any good pointers on how to set up either
of these tools.
TIA,
clos_at_trentu.ca
--
Received on Sat May 05 2001 - 02:38:18 NZST