UNIX System Administration Handbook - Evi Nemeth [396]
st_ctime: Sat Jan 22 12:04:42 2000 (observed)    Fri May 14 05:11:41 1999 (expected)
In this example, tripwire reports that the inode change time of /bin/tcsh is different from what it was when the database was generated. This may be an indication that a wily hacker has replaced the vendor’s version of /bin/tcsh with one that contains a surprise waiting to be found the next time the shell is executed by root. A ctime discrepancy deserves attention even when the modification time looks right: an intruder can put a file’s mtime and atime back with touch (which uses utime(2)), but the inode change time is set by the kernel on every change to the file or its inode and cannot be restored that way. Comparing the checksum of the executable with the version on the distribution tape (use the siggen utility that comes with tripwire to do this) can confirm or deny this as potential hacker droppings. Since a modified file can be tuned to reproduce a single checksum (especially a weak one such as a CRC), tripwire records two different checksums for each file; rigging a replacement to match both at once is much harder.
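A minimal version of the baseline-and-compare check described above, added here as an example (it is not tripwire’s own code): it records the watched stat(2) fields plus two independent digests for each file, then reports every attribute that differs. The scenario in demo() is constructed: a stand-in for /bin/tcsh is replaced by a same-sized file and its mtime is put back with utime(2), and the check still flags the digests and the ctime. The choice of MD5 and SHA-256 as the two digests, and the in-memory dictionary used as the "database", are assumptions of the example.

```python
"""Tripwire-style integrity check with two independent digests.

Added example for this section; it is not tripwire's own code.  Assumptions:
the 'database' is a plain dict kept in memory, the two digests are MD5 and
SHA-256 (tripwire 1.x offered its own set of signature routines), and the
watched attributes are the stat(2) fields listed below.
"""
import hashlib
import os
import shutil
import tempfile
import time

# Inode attributes recorded alongside the digests.  Nanosecond fields are used
# so that comparisons are exact.
WATCHED_ATTRS = ("st_mode", "st_uid", "st_gid", "st_size", "st_mtime_ns", "st_ctime_ns")


def fingerprint(path):
    """Return the watched stat fields plus two digests for one regular file."""
    st = os.lstat(path)
    record = {attr: getattr(st, attr) for attr in WATCHED_ATTRS}
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    record["md5"] = md5.hexdigest()
    record["sha256"] = sha256.hexdigest()
    return record


def build_database(paths):
    """Snapshot every path: this is the trusted baseline."""
    return {path: fingerprint(path) for path in paths}


def check(database):
    """Compare the live files against the baseline.

    Returns {path: {attribute: (observed, expected)}} holding only the
    attributes that differ, in the spirit of tripwire's report.
    """
    report = {}
    for path, expected in database.items():
        observed = fingerprint(path)
        diffs = {key: (observed[key], expected[key])
                 for key in expected if observed[key] != expected[key]}
        if diffs:
            report[path] = diffs
    return report


def demo():
    """Constructed scenario: a 'shell' is replaced by a same-sized trojan and
    its mtime is put back with utime(2), as `touch -r` would do."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "tcsh")
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\necho vendor shell\n")
        database = build_database([target])
        # Let the kernel's coarse timestamp clock tick over, so the ctime of
        # the tampered file cannot coincide with the baseline's.
        time.sleep(0.1)
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\necho evil   shell\n")   # same length as the original
        mtime_ns = database[target]["st_mtime_ns"]
        os.utime(target, ns=(mtime_ns, mtime_ns))   # restores atime/mtime only, never ctime
        return check(database)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for path, diffs in demo().items():
        print(path)
        for attr, (observed, expected) in diffs.items():
            print(f"  {attr}: observed={observed} expected={expected}")
```

Run it directly to print the report for the constructed scenario. In a real deployment the baseline has to live where an intruder cannot rewrite it (offline or on read-only media); a database that can be regenerated by the same root account that was compromised proves nothing.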
tripwire is a bit unusual in that it started out as free software but was later privatized and turned into a commercial product. However, it’s not really possible to unrelease something that was formerly free. Tripwire, Inc., has graciously continued to make the free version available and has even released commercial-quality documentation and updates for it. It’s available from their web site, www.tripwiresecurity.com.
Forensic tools
One up-and-coming security power tool (tool kit, actually) is The Coroner’s Toolkit (TCT) from Dan Farmer and Wietse Venema. TCT is a collection of utilities that help to analyze the system after a security breach has occurred. It’s known to work on Solaris, Red Hat, and FreeBSD systems, but not on HP-UX (yet).
TCT helps you to identify both what happened and how it happened. In some cases, it will even recover data that was destroyed during the break-in. One particularly interesting utility is mactime, a program that tracks the modification, access, and change times for all files on the system. Although mactime wasn’t ready for public consumption at press time, it should be available from www.fish.com/security by the time you read this.
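The kind of timeline that mactime produces can be reconstructed from nothing more than lstat(2); the following is an added example and not the TCT program itself. Each file contributes up to three events (modification, access and inode change); events on one file that share a timestamp are merged and shown with a three-character m/a/c flag column in which a dot marks an absent flag. The three files in demo() and their access and modification times are constructed with utime(2); their ctimes will simply be the moment the example ran, because ctime cannot be set that way.

```python
"""Build a mactime-style timeline from the m/a/c times of a set of files.

Added example; it is not TCT's mactime.  Assumption: every file contributes
an m, an a and a c event, and events of one file that share a timestamp are
merged into one line whose flag column reads like "ma." or "..c".
"""
import os
import tempfile
import time


def mac_events(paths):
    """Yield (time_ns, flags, path) for every distinct timestamp of each file."""
    for path in paths:
        st = os.lstat(path)
        stamps = {}
        for flag, t in (("m", st.st_mtime_ns), ("a", st.st_atime_ns), ("c", st.st_ctime_ns)):
            stamps.setdefault(t, []).append(flag)
        for t, flags in stamps.items():
            # fixed m/a/c column order, '.' where that time is different
            yield t, "".join(f if f in flags else "." for f in "mac"), path


def timeline(paths, since_ns=0):
    """Chronological list of events, optionally restricted to a start time."""
    return sorted((e for e in mac_events(paths) if e[0] >= since_ns),
                  key=lambda e: (e[0], e[2]))


def format_timeline(events):
    """Render events as 'YYYY-MM-DD HH:MM:SS flags path' lines (UTC)."""
    lines = []
    for t, flags, path in events:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t / 1e9))
        lines.append(f"{stamp} {flags} {path}")
    return lines


def demo():
    """Constructed scenario: three files whose a/m times are set to known
    offsets from an arbitrary anchor (2000-01-01 00:00:00 UTC)."""
    workdir = tempfile.mkdtemp()
    base = 946684800 * 10**9
    layout = {                                   # name: (atime_ns, mtime_ns)
        "passwd": (base + 300 * 10**9, base + 10 * 10**9),
        "ls": (base + 120 * 10**9, base + 120 * 10**9),
        "rootkit.tgz": (base + 200 * 10**9, base + 200 * 10**9),
    }
    paths = []
    for name, (atime_ns, mtime_ns) in layout.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(name.encode())
        os.utime(p, ns=(atime_ns, mtime_ns))     # ctime becomes "now", not settable
        paths.append(p)
    events = timeline(paths)
    # Report offsets in whole seconds from the anchor so the order is easy to read.
    return [((t - base) // 10**9, flags, os.path.basename(p)) for t, flags, p in events]


if __name__ == "__main__":
    for offset, flags, name in demo():
        print(f"{offset:>12d}s {flags} {name}")
```

Reading the output top to bottom gives the sequence of activity on the files: the lone "m.." for passwd precedes the "ma." entries for ls and rootkit.tgz, and the later ".a." records the access to passwd; the trailing "..c" lines mark the inode changes made when the example itself set the times. On a live system the same walk over every file, run from read-only media and with atime updates left alone, is what turns scattered timestamps into a story of the break-in.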
21.8 CRYPTOGRAPHIC SECURITY TOOLS
Most of the UNIX protocols in common use date from a time before the deployment of the Internet and before the invention of modern cryptography. Security was simply not a factor in the design of many protocols; in others, security concerns were waved away with the transmission of a plaintext password or with a vague check to see if packets originated from a trusted host or port.
These protocols now find themselves operating in the shark-infested waters of large corporate LANs and the Internet, where, it must be assumed, all traffic is open to inspection. Not only that, but there is little to prevent anyone from actively interfering in network conversations. How can you be sure who you’re really talking to?
Cryptography provides a solution to many of these problems. It has been possible for a long time to scramble messages so that an eavesdropper cannot decipher them, but this is just the beginning of the wonders of cryptography. Developments such as public key cryptography and secure hashing have allowed the design of cryptosystems that meet almost any conceivable need.11
Unfortunately, these mathematical developments have largely failed to translate into secure, usable software that is widely embraced and understood. The developers of cryptographic software systems tend to be very interested in provable correctness and absolute security and not so interested in whether a system makes practical sense for the real world. Most current software tends to be rather overengineered, and it’s perhaps not surprising that users run away screaming when given half a chance. Today, the cryptography-using population consists largely of hobbyists interested in cryptography, black-helicopter conspiracy theorists, and those who have no choice because of administrative policy.
We may or may not see a saner approach to cryptography developing over the next few years. In the meantime, the following sections discuss some current offerings.
Kerberos: a unified approach to network security
The Kerberos system, designed at MIT, attempts to address some of the issues of network security in a consistent and extensible