11.4. Security Tools
final group of tools that should not be overlooked is security tools.
Security, of course, is an essential part of systems management.
While this isn't a book on network security, security is so
broad a topic that there is considerable overlap with it and the
issues addressed in this book. Strictly speaking, a number of the
tools described in this book (such as portscan
, and tcpwrappers)
frequently described as security tools.
Basically, any tool that provides
information about a network has both security implications and
management potential. So don't overlook the tools in your
security toolbox when addressing other networking problems. For
example, security scanners like satan
, and iss
can tell you
a lot about how your system is configured.
One particularly useful
group of tools is system integrity checkers. This class of programs
tracks the state of your system and allows you to determine what is
changing -- such as files, permissions, timestamps. While the
security implications should be obvious, management and
troubleshooting implications should also be clear. Often described as
tools to identify files that intruders have changed, they can be used
to identify files that have been changed or corrupted for any reason.
For example, they can be used to determine exactly what is changed
when you install a new program.
The best known of these is tripwire
. It is a
considerable stretch to call tripwire
networking tool, but it is an administrative tool that can make
managing a system, whether networked or not, much easier.
originally written by Eugene Spafford and Gene Kim. It is another
product that has evolved into a commercial product. It is now
marketed by Tripwire, Inc. The original free version is still
available at the company's web site as the Academic Source
Release. The current version, in a slightly modified form, is also
available for free download for Linux. The current version is much
easier to use, but the older version is usable if you are willing to
take the time to learn it.
creates a database of information
about files on the system including cryptographic checksums. A
configuration file is used to determine what information is collected
and for which files it is collected. If security is a concern, the
collected information should be stored offline to prevent tampering.
As a security tool,
is used to identify any changes that
have been made to a compromised host. It doesn't prevent an
attack, but it shows the scope to the attack and changes to the
system. As a troubleshooting tool, it can be used to track any
changes to a system, regardless of the cause -- hacker, virus, or
bit rot. It can also be used to verify the integrity of transferred
files or the consistency of configurations for multiple
If all you want is a checksum, you might
consider just using the siggen
comes with tripwire
will generate a number of checksums for a file. Here is an example:
bsd2# siggen siggen
sig0: nullsig : 0
sig1: md5 : 0EpNJLBbf7JJgh1yUdAPgZ
sig2: snefru : 25I3DS:thJ3N:16UchVdNR
sig3: crc32 : 0jeUpK
sig4: crc16 : 00056o
sig5: md4 : 02x6dNiYw7GwjSssW7IeLW
sig6: md2 : 30s7ugrC1gLhk129Zo1BXW
sig7: sha : EWed2qYLHGcK.i7P7bVDO2mtKvr
sig8: haval : 1cqs7t9CwipMcuWPM3eRF1
sig9: nullsig : 0
You can use an optional argument to limit which checksums you want.
For example, the option -13
will calculate just
the first and third checksums, the MD5 digest and the 32-bit CRC
I certainly wouldn't recommend
that you install tripwire
troubleshooting. But if you have installed it as a security tool,
something I would strongly recommend, then don't forget that
you can use it for these other purposes. Incidentally, with some
systems, such as OpenBSD, integrity checking is an integral part of
|11.3. NTP||11.5. Microsoft Windows|