<sarnold> Javier Fernández-Sanguino is a Debian developer, authors the Securing Debian manual, contributes to many open source security projects including Nessus and Bastille, and is currently the main developer of the Tiger security tool
<sarnold> he currently works for Germinus, a Spanish professional IT services company
<sarnold> while jfs is putting some slides online, I'd like to remind you that the program can be found here: http://umeet.uninet.edu/umeet2002/english/prog.eng.html
<sarnold> and that questions and comments should be directed to #qc ; hopefully someone will be translating to Spanish in #Redes
<sarnold> so please welcome jfs :)
<sarnold> (oh yeah, this is his third year presenting for umeet! :)
<MJesus> probably jfs is busy ... a moment, please!
<jfs> I wished my DSL line was faster ....
<jfs> :o
<sarnold> (there is never enough bandwidth.. :)
<jfs> Ok.
<jfs> Let's start
<jfs> First of all welcome everybody.
<jfs> I'm setting up the slides at http://www.dat.etsit.upm.es/~jfs/debian/doc/tiger-hids/
<jfs> (don't try it just yet, it will give you a 404)
<jfs> I'm going to give a presentation on Tiger
<jfs> There might be some of you who know about Tiger already
<jfs> Alas, it's an old tool.
<jfs> :)
<jfs> The presentation available at http://www.dat.etsit.upm.es/~jfs/debian/doc/tiger-hids/html/
<jfs> covers much more than I will probably have time to go through.
<jfs> I will try to use it as a guideline but I will not follow it completely.
<jfs> BTW, the PDF version is _much_ better. So go ahead and download it at http://www.dat.etsit.upm.es/~jfs/debian/doc/tiger-hids/tiger-hids.pdf
<jfs> First of all. Why do I want to talk about Tiger?
<jfs> Some people might say that Tiger is an old tool, it's obsolete and doesn't do much anymore.
<jfs> (I've heard this myself)
<jfs> The point in talking about Tiger is to present the new version of the tool to a broader audience.
<jfs> Why? Because it's one of the few multiplatform, modular, and _free_ security audit tools
<jfs> And because it's one of the few multiplatform, modular and _free_ intrusion detection tools
<jfs> Let's first talk about Intrusion Detection, which I'll call ID for short
<jfs> (BTW I moved the Spanish presentation, out-dated, to html-es and the English slides are now at http://www.dat.etsit.upm.es/~jfs/debian/doc/tiger-hids/html/)
<jfs> (sorry)
<jfs> Intrusion detection is described as the art of detecting inappropriate, incorrect, or anomalous activity. (from the SANS FAQ)
<jfs> There are many issues surrounding intrusion detection. Mainly, that it's not really that easy to determine precisely what is "inappropriate, incorrect, or anomalous activity"
<jfs> Why?
<jfs> Because what is inappropriate to a given organisation might not be to a different one.
<jfs> Thus, there is no sense in having an intrusion detection system (whatever it is)
<jfs> if you do not have a security policy.
<jfs> I will not talk about security policies, that's a rather lengthy subject and not the subject of the presentation.
<jfs> But everyone must understand that without a security policy, even if you have the greatest security tool on earth, you won't do anything useful.
<jfs> _However_
<jfs> Some people might say: "hey, I don't have a security policy but I do have an ID tool and it works!"
<jfs> Yes, that's correct. But only because there are some common things that most will interpret as a security policy violation.
<jfs> For example, a DoS attack against a server, an attempt to brute-force passwords in a server, whatever..
<jfs> Now ID can be done in many ways, depending on _where_ it is done
<jfs> I guess that many people are aware that you can do ID by analysing the packets that are exchanged in a network.
<jfs> If you "see" a suspicious packet you might think it's an attack and report it.
<jfs> That's network-based intrusion detection, and that's what Snort does (to cite the best known free software tool in this area)
<jfs> However, network-based intrusion detection has many issues: it's not able to analyse encrypted packets (IPsec, SSL, or similar), it's basically pattern/signature-based (there are some attempts at developing new types however), and network ID sensors can simply be overloaded in very high speed networks.
<jfs> It can also only detect suspicious activity which involves network communication. It cannot detect attack attempts from an operator in the console.
<jfs> And that's where host intrusion detection steps in: intrusion detection done _in_ the host
<jfs> BTW, for all of those that want to ask questions, feel free to do any of them along the presentation using the #qc channel.
<jfs> (please start the questions with 'jfs:' so I can catch them easily)
<jfs> So Tiger tries to help doing HID, it tries to analyse the host and determine what can be suspicious there
<jfs> But that wasn't what Tiger was developed for really.
<jfs> Tiger was developed as a set of security scripts that would test the system to determine security issues.
<jfs> And that's the primary thing that Tiger does: a security audit of any given host
<jfs> (it doesn't necessarily have to be the one you are running it in)
<jfs> So, what's a security audit really?
<jfs> From RFC 2828:
<jfs> (I) An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
<jfs> If you run Tiger it will try to analyse the system and determine deviations from the security policy.
<jfs> Of course, you all have a security policy by now, don't you? :)
<jfs> If you don't, Tiger is still useful
<jfs> since, like any other ID tool, it will attempt to detect issues that are indications of a security issue regardless of your policy
<jfs> Any questions up to here?
<jfs> <tarzeau> jfs: can you give examples
<jfs> Sure I can!
<jfs> A real world example:
<jfs> Security policy: "users are not allowed to run daemons providing services in the department machines"
<jfs> (that is, no game servers, no rogue apache servers, etc...)
<jfs> You could of course remove the tools that users can use to do this
<jfs> Even implement access control/capabilities that would prevent this from being possible
<jfs> but if you can't (for whatever reason) then you have to _trust_ your users will do what you ask them to
<jfs> and you have no reason to distrust your users right? ;)
<jfs> Well, a user X might be running program Y and is providing a game server for all the Internet to use
<jfs> A security audit should detect this as a deviation from the security policy
<jfs> (this in fact is not that uncommon, especially in some university environments)
<jfs> Any more questions?
<jfs> Ok.. (I hope the audience is not all asleep :)
<jfs> back to tiger
<MJesus> hummm no !!
<jfs> The approach taken in Tiger is useful to provide both a security audit tool _and_ an intrusion detection tool
<jfs> another question: <amd> what if a user runs malicious programs with the help of cron?
<jfs> that can be also detected in two ways:
<jfs> 1.- the user needs to make a cron entry and it can be looked for
<jfs> 2.- the user needs to be granted permission to run cronjobs (which might not be what the policy says)
<jfs> The security issue is not whether or not the program is run, but whether or not the system has been changed to run it
<jfs> so you can detect it when it's being run or before/after being run because the system has been configured to do so
<jfs> Back to the presentation
<jfs> The point is, intrusion detection and security audits don't differ that much. You can do ID just by constantly monitoring what happens in the system and checking against your policy; you do an audit when you just do it once
<jfs> Now you get to decide which way you want the presentation to head to
<jfs> (I warned that I didn't have a strict guideline)
<jfs> I can talk about Tiger's history, and how I've become upstream maintainer and how the project (overall) should evolve
<jfs> Or I can talk about Tiger's (current) design and architecture, how to write modules, drawbacks, etc..
<jfs> Please (those not asleep): let's make a quick poll at #qc (answers can be 'evolution' or 'design')
<jfs> (I'm going to give a minute for all to answer the poll, also for the translators)
<jfs> (it's tied for the moment :)
<jfs> ok
<jfs> poll ended
<jfs> let me count the votes :)
<jfs> ok, evolution 7, design 9 (if I counted correctly). That means there are over 120 people sleeping :)
<jfs> I'm going to go for the design stuff first, and then go and talk about Tiger's evolution
<jfs> (just so everybody is happy)
<jfs> Ok. I said Tiger is multi-platform, modular and _free_
<jfs> Of course the free is because it is provided under a GPL license
<jfs> So anyone can use it (for whatever purpose) as long as source is provided, patches are contributed, etc. You know the drill.
<jfs> It's multiplatform because Tiger is not dependent on any special tool.
<jfs> It's coded in plain shell (surprise!) using other POSIX tools
<jfs> so it should run in pretty much every flavor of UNIX available
<jfs> (and even in Windows, if you install the POSIX utilities, but I haven't tested it)
<jfs> So, it's plain SH + AWK + SED + other UNIX tools
<jfs> You can browse the CVS sources to confirm this: http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/
<jfs> There are just a few tools that need to be compiled in the system that is going to be run
<jfs> (those are written in C)
<jfs> http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/c/
<jfs> That's what makes it multiplatform
<jfs> Believe me, even installing perl on some platforms might be a pain.
<jfs> and it's modular because every security test is written in its own module
<jfs> There are two ways to run any given module, either run it through 'tiger' (which will run all the configured modules), or run it independently
<jfs> The intrusion detection function is, in fact, obtained by running some of the modules at specified time intervals and comparing the results between runs
<jfs> The nice thing about this modularity is that it's pretty simple to take a given module you want and run it without needing all the other Tiger stuff
<jfs> You just need to have the configuration files that make Tiger aware of what tools (or configuration files) are available in your system and how they need to be called
<jfs> That's why you will see in the Tiger sources the following structure:
<jfs> systems/
<jfs> |-- AIX
<jfs> |   |-- 3
<jfs> |   |-- 4
<jfs> |-- HPUX
<jfs> |-- IRIX
<jfs> |   |-- 4
<jfs> |   |-- 5
<jfs> |   |-- 6
<jfs> |-- Linux
<jfs> |   |-- 0
<jfs> |   |-- 1
<jfs> |   |-- 2
<jfs> |-- SunOS
<jfs> |   |-- 4
<jfs> |   |-- 5
<jfs> ....
<jfs> those are the specific configuration files for each system Tiger knows of
<jfs> well, they are located in those directories. So files for Solaris 8 (SunOS 5.8) are provided under systems/SunOS/5/
<jfs> (sorry) under systems/SunOS/5/
<jfs> Tiger is designed in such a way that it will determine which OS you are running (operating system, revision, and architecture)
<jfs> and will use the configuration files available under $OS/$REV/$ARCH, or $OS/$REV/ or $OS or the general ones (if none is available)
<jfs> These configuration files are the ones that tell Tiger where SED, AWK, LS, HEAD, CAT... are located
<jfs> (since the location of these tools varies amongst different UNIX systems, as do the command line arguments, the location of configuration files, etc...)
<jfs> so, each module first configures itself (. $basedir/config and $BASEDIR/initdefs) and then determines if it has all the tools it needs
<jfs> Sample (check_rhosts): haveallcmds AWK CAT EXPR GEN_PASSWD_SETS JOIN LS RM SED || exit 1
<jfs> The module then calls $AWK (and not '/usr/bin/awk' or '/bin/awk') which must be properly configured
<jfs> How are the modules run?
<jfs> As I said previously:
<jfs> - through a cron job
<jfs> (tigercron, to attempt to do intrusion detection)
<jfs> - or through the main tool: 'tiger'
<jfs> which will run all the modules defined in the 'tigerrc' configuration file
<jfs> (this configuration file also holds some configuration which can be used to adjust the behaviour of some modules)
<jfs> How do I implement my security policy in Tiger?
<jfs> - determine which modules are appropriate and enable them
<jfs> - configure the modules properly (they might have some variables which change the behaviour, sample: users that will not be checked since they are considered 'administrative' users)
<jfs> - create your own modules (for things Tiger does not do)
<jfs> Some modules cannot be tweaked to not report things they consider a security issue. And that's where the baseline reports come in.
<jfs> You can run tiger and read the report. It might say you have some security issues you don't consider such.
<jfs> You take those security warnings and add them to a baseline (a file per module)
<jfs> Next time the security check (through the module) is run, those warnings will _not_ show up.
<jfs> That's what util/difflogs does (when called by tigercron)
<jfs> Any questions up to here?
<jfs> Anyone?
<jfs> Anyone?
<jfs> <sarnold> jfs: what prevents an intruder from just updating the baseline file to prevent checks from being run?
<jfs> first off, changing the baseline will not prevent checks from being run
<jfs> changing the cron server will
<jfs> changing the baseline might prevent tiger from reporting some security issues when it's run
<jfs> I will get (at the end of the presentation) to some of the pros/cons of Tiger and you might understand it further then.
<jfs> The main problem is: ID in user-level space (not kernel level) can be tampered with. The only protection is the system's protection (permissions, MAC, etc..)
<jfs> Another question: <amd> what do the tiger reports look like?
<jfs> Answer: you have two flavors: plain text report and HTML report
<jfs> the plain text is not very nice:
<jfs> (sample)
<jfs> Security scripts *** 2.2.4-20, 2002.0903.1138 ***
<jfs> sáb abr 20 11:21:53 CEST 2002
<jfs> 11:21> Beginning security report for jfernandezp.germinus.com (i686 Linux 2.4.17-686).
<jfs> # Performing check of passwd files...
<jfs> --WARN-- [pass006w] Integrity of password files questionable (pwck -r).
<jfs> --WARN-- [pass007w] Password control PASS_MIN_LEN missing from
<jfs>          /etc/login.defs.
<jfs> # Performing check of group files...
<jfs> (...)
<jfs> There are errors (ERR), warnings (WARN) and information notices (INFO)
<jfs> (BTW tarzeau posted another example at www.linuks.mine.nu/people/amd/tiger.txt)
<jfs> (That's a sample of a diff report BTW, which is part of the mails sent to root for ID)
<jfs> any more questions on the design?
<jfs> Even if you have not understood the design completely I recommend you to download/browse the CVS sources.
<jfs> (let's give some time for the translators in case people following the translated channels want to make questions too)
<jfs> <tarzeau> jfs: have you tried tiger on the Hurd too yet? or on some bsd's?
<jfs> <tarzeau> i've tried it on solaris, works there nice as well
<jfs> Simple question: I have not tried it on the Hurd or on some BSDs.
<jfs> That's on my TODO list.
<jfs> As you will see further on I would like Tiger to be used more by both Linux distributions and BSD distributions.
<jfs> In any case, testing on other platforms (besides Linux) has helped weed out some programming mistakes that were hidden in the code.
<jfs> And I do appreciate people testing the tool in whatever Unix system they want to test in.
<jfs> (just make sure you are using the latest version since some people have tested 2.2.4 which is not really in proper shape)
<jfs> I will keep on talking about the evolution of Tiger
<jfs> (if people don't mind me talking this much :
<jfs> :)
<jfs> Ok. Some history first
<jfs> Tiger started as a set of security scripts to scan a system looking for security issues
<jfs> it was started in 1993 by Douglas Lee Schales, David K. Hess, David R. Safford
<jfs> at the CIS network group of the Texas A&M university
<jfs> (that's why it's part of the TAMU security tools: TAMU = Texas A&M University)
<jfs> http://www.net.tamu.edu/network/tools/tiger.html
<jfs> it was written around the same time that COPS, SATAN and ISS were
<jfs> (IIRC)
<jfs> it was maintained for quite some time by the people at TAMU
<jfs> but, eventually, and after 2.2.4 was released (around 1994)
<jfs> work on Tiger was reduced to updating the signature set
<jfs> the people at Advanced Research Corporation (arc)
<jfs> forked a version of Tiger which they called TARA (http://www-arc.com/tara/)
<jfs> Which they are still updating (I looked today and they have published a 3.0.3 version, based, I think, on the Tiger 3.0 release)
<jfs> I started working with Tiger slightly over a year ago
<jfs> I was looking for a host-based IDS tool for Debian, but didn't find much (besides the file integrity and logcheckers already available)
<jfs> so, I packaged tiger-2.2.4 in August 2001 and sent it to Debian's upload queue
<jfs> Besides fixing bugs, I added some (Debian-specific) checks
<jfs> Since it was getting popular (in Debian) I did get a number of bug reports, and made more than 17 patch releases until December
<jfs> Then I thought it would be nice to integrate TARA's work into Debian's tiger
<jfs> and I did
<jfs> And then, Bryan Gartner (from HP) sent a mail to the TAMU team, ARSC and me asking if we could all merge (he had also done some work on Tiger)
<jfs> So, after some integration and testing I released 2.2.4p2-1 which was the Debian package that provided (most of) the TARA changes as well as Bryan's
<jfs> this was done in April this year
<jfs> Since it was obvious that there were different people interested and we could all work in a common codebase I tried to create a place where Tiger could evolve
<jfs> I selected savannah: http://savannah.nongnu.org/projects/tiger/
<jfs> And, after some more integration, I released (in June) the 3.0 version
<jfs> which integrated all the forks and provided a common source code base with which to start working
<jfs> So far, the mailing lists (developers' and users') are not very active but some users have reported their attempts at using Tiger in HP-UX, Solaris and Compaq Tru64
<jfs> And I've mainly done bug fixes for 3.1 (released the day before my birthday)
<jfs> Where do I want tiger to get to?
<jfs> I want Tiger to be able to check all the stuff that Bastille tries to fix (since Bastille cannot audit the local system)
<jfs> And I want to update all the signatures (and systems) which are rather out of date (I recently updated HP-UX and have yet to update Solaris)
<jfs> I didn't comment on signatures BTW
<jfs> Signatures are MD5 hashes stored on Tiger which are taken from out-of-the-box OS (installed or patched)
<jfs> Tiger will try to check if there is a trojan in the system based on these signatures. This is not exactly file integrity testing (what tripwire, aide, integrit, et al do) but similar.
<jfs> Once this is done I intend to fix some of the design issues of Tiger (cron/mail dependence) which can be exploited to attack when running in host-IDS mode
<jfs> (providing a daemon and a modular way to send IDS alerts, which should be able to use mail/snmp/syslog...)
<jfs> You can see some of these pending tasks at http://savannah.nongnu.org/pm/?group=tiger
<jfs> so if you feel like helping, step up!
<jfs> Of course, there is a tiger-users mailing list and a tiger-developers mailing list
<jfs> http://savannah.nongnu.org/mail/?group=tiger
<jfs> If you are using tiger, or think you can help improve it _please_ subscribe to them. They are really low-volume (at the moment) and are the best way to ask questions on tiger (since both ARSC's team, HP's team and me are subscribed)
<jfs> Let me do some final remarks then
<jfs> I could title this Pros/Cons on using Tiger
<jfs> Pros:
<jfs> the modular design allows anyone to add his own modules (it's fairly easy) and modify Tiger to their needs
<jfs> the multi-platform design allows Tiger to be used as a single tool for HID in a heterogeneous environment
<jfs> This doesn't mean it's the silver bullet, and you'll want to add more things to your HID solution (more on this later)
<jfs> the fact that it's GPLd (and thus free) permits you to look at the code and _learn_ about how security checks can be implemented
<jfs> You can also sell an IT service based on Tiger (that's what ARSC does BTW)
<jfs> And that's great!
<jfs> (as long as you contribute your fixes/patches to the common codebase)
<jfs> Now, Cons:
<jfs> - the fact that it runs in 'user space' makes it susceptible to attacks
<jfs> (it depends on cron to run as an HID, it depends on mail to report, files are used to determine the baseline, etc...)
<jfs> - Tiger does not yet offer a complete HID solution, it has not been maintained for a while and there's a lot of stuff it could do in the HID area that it simply does not do yet (integrity checking, log analysis, etc..)
<jfs> - Also, because it's a user space tool it can be "fooled" if the server is compromised (think of rootkits)
<jfs> However, I forgot one Pro:
<jfs> since it's not system-dependent, there are some security checks which can be done offline (through a filesystem shared over the network) in a host that is not the one that's being audited
<jfs> Tiger could be improved in many areas (and people need to volunteer to help in these).
<jfs> For example, proper integration with other available HID open source tools (such as tripwire, integrit, aide, and samhain) would be great.
<jfs> As would be integration with log-analysis tools (logcheck, log-analysis and snorter)
<jfs> In any case, if you are very paranoid, you might be interested in HID solutions which are kernel-based (and thus are not multi-platform)
<jfs> such as LIDS or Snare
<jfs> (for Linux)
<jfs> or systrace (for BSD and now Linux also)
<jfs> Now. That finishes what I wanted to talk about in this presentation
<jfs> Any question on the subject can be sent now :)
<fernand0> plas plas plas plas plas plas plas plas plas plas
<MJesus> clap clap clap clap clap clap clap clap clap clap
<Arador> plas plas plas plas plas
<MJesus> clap clap clap clap clap clap clap clap clap clap
<MJesus> clap clap clap clap clap clap clap clap clap clap
<fernand0> plas plas plas plas plas plas plas plas plas plas
<fernand0> plas plas plas plas plas plas plas plas plas plas
<MJesus> clap clap clap clap clap clap clap clap clap clap
<sarnold> thanks jfs :) thanks also arador and ricardo for translating :)
<MJesus> clap clap clap clap clap clap clap clap clap clap
<MJesus> clap clap clap clap clap clap clap clap clap clap
<MJesus> clap clap clap clap clap clap clap clap clap clap
<bart> clap
<sarnold> clap clap clap clap clap :)
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<Arador> plas plas plas plas plas plas plas plas plas plas plas
<sarnold> clap clap clap clap clap :)
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<Arador> plas plas plas plas plas plas plas plas plas plas plas
<sarnold> clap clap clap clap clap :)
<Arador> plas plas plas plas plas plas plas plas plas plas plas
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<sarnold> clap clap clap clap clap :)
<Arador> plas plas plas plas plas plas plas plas plas plas plas
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<Arador> plas plas plas plas plas plas plas plas plas plas plas
<bart> clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<MJesus> clap clap clap clap clap clap clap clap clap clap
<ismak> plas plas plas plas plas plas plas plas plas plas
<MJesus> bravo bravo bravo
<ismak> plas plas plas plas plas plas plas plas plas plas
<ismak> plas plas plas plas plas plas plas plas plas plas
<ismak> plas plas plas plas plas plas plas plas plas plas
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<psypete> clap
<MJesus> bravo bravo bravo
<fernand0> plas plas plas plas plas plas plas plas plas plas
<MJesus> bravo bravo bravo
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<amd> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<amd> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<ismak> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<Lovechild> CLAP CLAP CLAP !!!
<ismak> clap clap clap clap clap clap clap clap clap clap clap clap
<jose_n> plas plas plas plas plas plas 100x
<Arador> (whistles)
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<MJesus> bravo bravo bravo
<raul> clap clap clap clap clap clap clap clap clap clap clap clap clap clap clap
<MJesus> bravo bravo bravo
<MJesus> bravo bravo bravo
<psypete> clap
<sarnold> jfs: thanks :)
<jfs> sarnold: you are welcome :)
<amd> nice ;)
<horacio> bravo ! !
<jose_n> jfs++
<horacio> clap clap clap clap clap
<horacio> clap clap clap clap clap
<horacio> clap clap clap clap clap
<horacio> clap clap clap clap clap
<bart> jfs: happy hacking
<AAA> Bravo bravo bravo
<AAA> Bravo bravo bravo
<AAA> Bravo bravo bravo
<AAA> Bravo bravo bravo
<jfs> bart: I was on it during the conference :)
<Ducky_Pha> hi xtingray
<Ducky_Pha> how are you
<bart> jfs: and nice work, thx