2002 05 30


                    LINUX NEWS
     Resources & Links From www.CramSession.com
             Thursday, May 30, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Setting Up Hacker "Tripwires"

3) Linux Resources

Ximian CDs to Include Star Office
Linux vs SUN... Round N
Distros To Join Forces Against Red Hat
Linux Networks Much Cheaper Than Windows
X Clients, Servers, and Desktops, Oh My!

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux Administration Resource Kit: This $119.97 value is available for just $9.99. Learn about installing Linux on one PC or an entire network, integrating Linux into any network topology and troubleshooting installation, configuration and networking glitches.

Click for details! http://ad.brainbuzz.com/?RC06&AIS20







For information on how to advertise in this newsletter
please contact mailto:adsales@CramSession.com or visit
http://cramsession.com/marketing/default.asp

-------------------------
1) Sean's Notes
-------------------------

Many admins are good about turning off the services that they
don't need, so that script kiddies don't take over their
computer a scant six hours after it is first plugged into the
Internet. Somewhat fewer make use of ipchains/iptables, and TCP
wrappers, to only allow trusted hosts to connect. Fewer yet
monitor for updates to software, and apply them (this latter
number is likely getting better now that distros are getting
better about notifying users). However, protecting your
computer is only half the security equation. We spend so much
time preparing for the inevitable attack that we forget to make
a plan to deal with those that are successful.

Periodic auditing goes a long way toward ensuring that you
haven't been the victim of a successful attack. The same
auditing procedures are also helpful in determining the extent
of the attack.

One program that is a lifesaver when it comes to auditing is
Tripwire (http://www.tripwire.org/). Tripwire takes a snapshot
of your system by storing checksums of critical files. If
anything about those files changes, it'll be flagged the next
time you run a check.

If your distribution doesn't include Tripwire, you can get it
from the link above.

The basic steps in using Tripwire are:

1. Set up your keys and files you want to monitor
2. Initialize the database
3. Periodically check for changes
4. Update database with approved changes, or act on unapproved ones

The last point bears mentioning -- Tripwire only tells you that
files have changed, it's up to you to figure out if it was a
legitimate change or not. If it was, Tripwire has the facilities
to update the main database.

When you install Tripwire, it gives you a shell script called
"twinstall.sh" (check /etc/tripwire/). When you run it, the
first thing it will do is prompt you (twice) to enter a
password for your site. After that, it prompts you to enter a
local keyfile passphrase (twice again). The difference between
them will soon be apparent. Make 'em difficult to guess. At
least 8 characters, use numbers and capitals too! Then, write
them down, and keep them in a safe place. If you read what it
spits out carefully, it suggests that you delete the two .txt
files (twcfg.txt and twpol.txt). You can do so safely; we'll
see soon how to retrieve them.

By default, Tripwire comes with a comprehensive list of files
that it monitors, so we'll jump over to initializing the
database.

# tripwire --init

Your system will get quite busy for a few minutes as tripwire
goes through your system and calculates checksums for the files
(checksums are one way functions, such that if you change any
of the input, such as the file, the output changes. Since a
checksum is usually around 20 bytes, it's a lot easier to store
than a copy of the file itself)

If you look in /var/lib/tripwire, you'll see a .twd file in
there. That's your Trip Wire Database. Between that, and the
files in /etc/tripwire, you've got a snapshot of your database.

Time to run our first check of the system:

# tripwire --check

The report that gets spit out is quite comprehensive. For
example, I ran the following:

# cd /sbin
# cp hdparm hdparm.tmp
# echo a >>hdparm

That made a copy of hdparm, and then modified the original to
have an 'a' at the end.  Look what Tripwire found:

----------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
----------------------------------------------------------------

Added:
"/sbin/hdparm.tmp"

Modified:
"/sbin"

----------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/hdparm)
Severity Level: 100
-----------------------------------------------------------------

Modified:
"/sbin/hdparm"

There's no fooling Tripwire!

You'll also notice that a lot of files were missing. That's the
trouble of going with defaults. The policy file is what tells
Tripwire what it's supposed to check. However, we erased the
plaintext version after running twconfig.sh, which means we'll
have to retrieve it first:

# twadmin --print-polfile > twpol.txt
# vi twpol.txt
# twadmin --create-polfile twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

"twadmin" is used to manage policy files and the like.
--print-polfile prints the current policy to STDOUT, which I've
redirected to twpol.txt. Second line, I edit it to remove the
lines I don't want, or to add more. Then, I create the new
policy file. You'll notice I'm being prompted for the site
password -- all configuration files are signed by the site key,
so that no one can alter the list without your knowledge. By
contrast, the local key is used whenever you need to make
changes to the database. If a cracker were to think he were
smart by modifying the database, that change would be noticed.
Again, there's no fooling Tripwire!

If you want to update the policy and the database at one go,
you can use

# tripwire --update-policy twpol.txt

instead of the last step. Otherwise, reinitialize the database
with --init.

After the --check, you'll see that /var/lib/tripwire/report has
a .twr (Trip Wire Report) file in there. In order to update the
database, we'll need that.

# tripwire --update --twrfile \
  /var/lib/tripwire/report/FILENAME.twr

You'll be presented with a copy of the report, along with

\[X]

next to every change. If the X is left there, the change will
will be written to the database once you exit the editor (and
provide your local password, of course). Take it out, and it
won't be written to the database.  Simple, eh?

Even though the complex system of signing databases and
configuration files will prevent against tampering, it doesn't
help the files from being deleted by a frustrated cracker.
Sure, you know you've been hacked, but you still don't know
what was changed. Therefore, keep a copy of all your keys on
a CD. Keep another copy of the database somewhere in case the
signature doesn't check out.

Using Tripwire is an effective way of making sure nothing has
been changed without your knowledge. Run the check every so
often (Red Hat puts it as a daily cron job).

Red Hat also gives some good instructions on how to use Tripwire:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/c
h-tripwire.html

Security is all about diligence. Some time spent at the onset
can save you a lot of time later on.

Long live the Penguin,

Sean
mailto:swalberg@cramsession.com


-------------------------
2) Linux News
-------------------------

---------------------------------
Ximian CDs to Include Star Office
---------------------------------
For a mere $60, you'll be able to get a CD with both Ximian
GNOME, and Star Office. This is part of a recent partnership
announced earlier by Ximian and SUN. Solaris users also will
find that Ximian Connector will soon be available, allowing
you to connect to an Exchange 2000 server from your SUN
workstation.

http://ximian.com/about_us/press_center/press_releases/soffice_6.ht
ml


-----------------------
Linux vs SUN... Round N
-----------------------
I'm always interested in the way that the Linux community
interacts with the commercial heavyweights such as SUN.
Dr. Tormasov for SWSoft has responded to SUN propaganda
earlier, and his latest letter is incisive.

http://www.sw-soft.com/en/news/id%2c1111


--------------------------------------
Distros To Join Forces Against Red Hat
--------------------------------------
We're expecting that today Caldera, Conectiva, SuSE and
Turbolinux will announce that they're joining up forces to
work on a single distribution that can hopefully compete
against Red Hat. I'm not exactly thrilled by this, as SuSE
might come out on the short end of the stick. I'll be
looking forward to seeing the final announcement.

http://newsforge.com/newsforge/02/05/29/138258.shtml?tid=3
http://www.eweek.com/article/0,3658,sp1&a'405,00.asp


----------------------------------------
Linux Networks Much Cheaper Than Windows
----------------------------------------
"The study (which looked at purchasing and operating costs)
aimed to benchmark TCO for an organisation with 250 users,
over three years. The costing models included staff costs,
application licences, maintaining servers and workstations
and networking, as well as miscellaneous systems costs."

http://www.theregister.co.uk/content/5/25148.html


-------------------------
3) Linux Resources
-------------------------

----------------------------------------
X Clients, Servers, and Desktops, Oh My!
----------------------------------------
One of the things I've always found confusing about X-Windows
is the relationship between clients, servers, window managers,
desktop environments, and whatever else is needed to make it
all work. Here's a great explanation, along with other useful
stuff such as how to change your desktop environment... or is
that window manager?

http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s
1-x-clients.html


-------------------------------
Cramsession Security Newsletter
-------------------------------
Security has always been a great topic, which is why I'm
happy to see that Cramsession (the guys that bring you this
newsletter) have started up a security newsletter. First
issue has already gone out, so subscribe before you miss any
more!

http://newsletters.cramsession.com/signup/default.asp


----------------------
Need Some Case Studies
----------------------
Linux guru and frequent poster "linux_boy" has posted his
list of case studies and industry reports dealing with Linux.
Quite a bit of stuff here!

http://boards.cramsession.com/boards/vbm.asp?mV3625


----------------------------------
K-12 Linux Terminal Server Project
----------------------------------
Here's some great information on how one school used the
K-12 LTSP to cut costs and increase productivity in their
computer labs. Information on costs and other functionality
can be found here.

http://www.linuxplanet.com/linuxplanet/reports/4216/2/


-------------------
Linux and Aviation
-------------------
"This document is intended to provide pointers to software
packages that run under the Linux operating system and are
useful to private, commercial, or military pilots. The
ultimate goal is to enable pilots to use the Linux operating
system for all their aviation related computing needs,
totally eliminating the need for other operating systems.
I want to encourage pilots who are already using Linux to
contribute to this document, either by providing pointers to
existing software, or by writing new applications for Linux."

http://ibiblio.org/fplan/Aviation-HOWTO/Aviation-HOWTO.html


-------------------------
4) App o' the week
-------------------------
lbnamed is a name server written in perl. The difference is
that instead of reading from static files, requests can be
handled by perl code. For example, you might normally do
round robin DNS for a web farm. With lbnamed, you could have
it always return the server that has the lowest load average.

http://www.stanford.edu/~riepel/lbnamed/

-------------------------
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.
-------------------------
-------------------------

         This message is from CramSession.com.

You are currently subscribed to the
   Hottest Linux News and Resources
   as: sean@ertw.com

To un-subscribe from this newsletter by e-mail:
   send a blank email message to:
   mailto:leave-linuxnews-3825955Y@list.cramsession.com

-------------------------------------------------------

To Subscribe to this newsletter by e-mail:
   send a blank email message to:
   mailto:join-linuxnews@list.cramsession.com
-------------------------