May 30 2002


                    LINUX NEWS
     Resources & Links From www.CramSession.com
             Thursday, May 30, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Setting Up Hacker "Tripwires"

3) Linux Resources

Ximian CDs to Include Star Office
Linux vs SUN... Round N
Distros To Join Forces Against Red Hat
Linux Networks Much Cheaper Than Windows
X Clients, Servers, and Desktops, Oh My!

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~~~~~

Linux Administration Resource Kit: This $119.97 value is available for just $9.99. Learn about installing Linux on one PC or an entire network, integrating Linux into any network topology and troubleshooting installation, configuration and networking glitches.

Click for details! http://ad.brainbuzz.com/?RC06&AIS20

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For information on how to advertise in this newsletter please contact mailto:adsales@CramSession.com or visit http://cramsession.com/marketing/default.asp


1) Sean’s Notes

Many admins are good about turning off the services that they don’t need, so that script kiddies don’t take over their computer a scant six hours after it is first plugged into the Internet. Somewhat fewer make use of ipchains/iptables, and TCP wrappers, to only allow trusted hosts to connect. Fewer yet monitor for updates to software, and apply them (this latter number is likely getting better now that distros are getting better about notifying users). However, protecting your computer is only half the security equation. We spend so much time preparing for the inevitable attack that we forget to make a plan to deal with those that are successful.

Periodic auditing goes a long way toward ensuring that you haven’t been the victim of a successful attack. The same auditing procedures are also helpful in determining the extent of the attack.

One program that is a lifesaver when it comes to auditing is Tripwire (http://www.tripwire.org/). Tripwire takes a snapshot of your system by storing checksums of critical files. If anything about those files changes, it’ll be flagged the next time you run a check.

If your distribution doesn’t include Tripwire, you can get it from the link above.

The basic steps in using Tripwire are:

  1. Set up your keys and files you want to monitor
  2. Initialize the database
  3. Periodically check for changes
  4. Update database with approved changes, or act on unapproved ones

The last point bears mentioning – Tripwire only tells you that files have changed, it’s up to you to figure out if it was a legitimate change or not. If it was, Tripwire has the facilities to update the main database.

When you install Tripwire, it gives you a shell script called “twinstall.sh” (check /etc/tripwire/). When you run it, the first thing it will do is prompt you (twice) to enter a password for your site. After that, it prompts you to enter a local keyfile passphrase (twice again). The difference between them will soon be apparent. Make ‘em difficult to guess. At least 8 characters, use numbers and capitals too! Then, write them down, and keep them in a safe place. If you read what it spits out carefully, it suggests that you delete the two .txt files (twcfg.txt and twpol.txt). You can do so safely; we’ll see soon how to retrieve them.

By default, Tripwire comes with a comprehensive list of files that it monitors, so we’ll jump over to initializing the database.

tripwire –init

Your system will get quite busy for a few minutes as tripwire goes through your system and calculates checksums for the files (checksums are one way functions, such that if you change any of the input, such as the file, the output changes. Since a checksum is usually around 20 bytes, it’s a lot easier to store than a copy of the file itself)

If you look in /var/lib/tripwire, you’ll see a .twd file in there. That’s your Trip Wire Database. Between that, and the files in /etc/tripwire, you’ve got a snapshot of your database.

Time to run our first check of the system:

tripwire –check

The report that gets spit out is quite comprehensive. For example, I ran the following:

cd /sbin

cp hdparm hdparm.tmp

echo a »hdparm

That made a copy of hdparm, and then modified the original to have an ‘a’ at the end. Look what Tripwire found:


Rule Name: User binaries (/sbin)

Severity Level: 66

Added: “/sbin/hdparm.tmp”

Modified: “/sbin”


Rule Name: File System and Disk Administraton Programs (/sbin/hdparm)

Severity Level: 100

Modified: “/sbin/hdparm”

There’s no fooling Tripwire!

You’ll also notice that a lot of files were missing. That’s the trouble of going with defaults. The policy file is what tells Tripwire what it’s supposed to check. However, we erased the plaintext version after running twconfig.sh, which means we’ll have to retrieve it first:

twadmin –print-polfile > twpol.txt

vi twpol.txt

twadmin –create-polfile twpol.txt

Please enter your site passphrase: Wrote policy file: /etc/tripwire/tw.pol

“twadmin” is used to manage policy files and the like. –print-polfile prints the current policy to STDOUT, which I’ve redirected to twpol.txt. Second line, I edit it to remove the lines I don’t want, or to add more. Then, I create the new policy file. You’ll notice I’m being prompted for the site password – all configuration files are signed by the site key, so that no one can alter the list without your knowledge. By contrast, the local key is used whenever you need to make changes to the database. If a cracker were to think he were smart by modifying the database, that change would be noticed. Again, there’s no fooling Tripwire!

If you want to update the policy and the database at one go, you can use

tripwire –update-policy twpol.txt

instead of the last step. Otherwise, reinitialize the database with –init.

After the –check, you’ll see that /var/lib/tripwire/report has a .twr (Trip Wire Report) file in there. In order to update the database, we’ll need that.

tripwire –update –twrfile \

/var/lib/tripwire/report/FILENAME.twr

You’ll be presented with a copy of the report, along with

[X]

next to every change. If the X is left there, the change will will be written to the database once you exit the editor (and provide your local password, of course). Take it out, and it won’t be written to the database. Simple, eh?

Even though the complex system of signing databases and configuration files will prevent against tampering, it doesn’t help the files from being deleted by a frustrated cracker. Sure, you know you’ve been hacked, but you still don’t know what was changed. Therefore, keep a copy of all your keys on a CD. Keep another copy of the database somewhere in case the signature doesn’t check out.

Using Tripwire is an effective way of making sure nothing has been changed without your knowledge. Run the check every so often (Red Hat puts it as a daily cron job).

Red Hat also gives some good instructions on how to use Tripwire:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/c h-tripwire.html

Security is all about diligence. Some time spent at the onset can save you a lot of time later on.

Long live the Penguin,

Sean mailto:swalberg@cramsession.com


2) Linux News


Ximian CDs to Include Star Office

For a mere $60, you’ll be able to get a CD with both Ximian GNOME, and Star Office. This is part of a recent partnership announced earlier by Ximian and SUN. Solaris users also will find that Ximian Connector will soon be available, allowing you to connect to an Exchange 2000 server from your SUN workstation.

http://ximian.com/about_us/press_center/press_releases/soffice_6.ht ml


Linux vs SUN… Round N

I’m always interested in the way that the Linux community interacts with the commercial heavyweights such as SUN. Dr. Tormasov for SWSoft has responded to SUN propaganda earlier, and his latest letter is incisive.

http://www.sw-soft.com/en/news/id%2c1111


Distros To Join Forces Against Red Hat

We’re expecting that today Caldera, Conectiva, SuSE and Turbolinux will announce that they’re joining up forces to work on a single distribution that can hopefully compete against Red Hat. I’m not exactly thrilled by this, as SuSE might come out on the short end of the stick. I’ll be looking forward to seeing the final announcement.

http://newsforge.com/newsforge/02/05/29/138258.shtml?tid=3 http://www.eweek.com/article/0,3658,sp1&a’405,00.asp


Linux Networks Much Cheaper Than Windows

“The study (which looked at purchasing and operating costs) aimed to benchmark TCO for an organisation with 250 users, over three years. The costing models included staff costs, application licences, maintaining servers and workstations and networking, as well as miscellaneous systems costs.”

http://www.theregister.co.uk/content/5/25148.html


3) Linux Resources


X Clients, Servers, and Desktops, Oh My!

One of the things I’ve always found confusing about X-Windows is the relationship between clients, servers, window managers, desktop environments, and whatever else is needed to make it all work. Here’s a great explanation, along with other useful stuff such as how to change your desktop environment… or is that window manager?

http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s 1-x-clients.html


Cramsession Security Newsletter

Security has always been a great topic, which is why I’m happy to see that Cramsession (the guys that bring you this newsletter) have started up a security newsletter. First issue has already gone out, so subscribe before you miss any more!

http://newsletters.cramsession.com/signup/default.asp


Need Some Case Studies

Linux guru and frequent poster “linux_boy” has posted his list of case studies and industry reports dealing with Linux. Quite a bit of stuff here!

http://boards.cramsession.com/boards/vbm.asp?mV3625


K-12 Linux Terminal Server Project

Here’s some great information on how one school used the K-12 LTSP to cut costs and increase productivity in their computer labs. Information on costs and other functionality can be found here.

http://www.linuxplanet.com/linuxplanet/reports/4216/2/


Linux and Aviation

“This document is intended to provide pointers to software packages that run under the Linux operating system and are useful to private, commercial, or military pilots. The ultimate goal is to enable pilots to use the Linux operating system for all their aviation related computing needs, totally eliminating the need for other operating systems. I want to encourage pilots who are already using Linux to contribute to this document, either by providing pointers to existing software, or by writing new applications for Linux.”

http://ibiblio.org/fplan/Aviation-HOWTO/Aviation-HOWTO.html


4) App o’ the week

lbnamed is a name server written in perl. The difference is that instead of reading from static files, requests can be handled by perl code. For example, you might normally do round robin DNS for a web farm. With lbnamed, you could have it always return the server that has the lowest load average.

http://www.stanford.edu/~riepel/lbnamed/


(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.


     This message is from CramSession.com.

You are currently subscribed to the Hottest Linux News and Resources as: sean@ertw.com

To un-subscribe from this newsletter by e-mail: send a blank email message to: mailto:leave-linuxnews-3825955Y@list.cramsession.com


To Subscribe to this newsletter by e-mail: send a blank email message to:

mailto:join-linuxnews@list.cramsession.com