Radmind/Printable version
The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Radmind
Tripwire
The open source tool called Tripwire is a host-based intrusion detection system. It is not so much concerned with detecting intrusion attempts at the periphery of a computing system (as in Network intrusion detection systems), but rather looks for and reports on the resultant changes of state in the computing system under observation.
Intruders usually leave traces of their activities, that is, they change system state. Tripwire looks for these traces by monitoring key attributes of files that should not change (binary signature, size, expected change of size, and so on) and reporting its findings. While useful for intrusion detection, it can also be used for many other purposes, such as integrity assurance, change management, and policy compliance.
Many techniques used for host-based intrusion detection were entirely or in part pioneered by Tripwire. In many senses, recent efforts at managing security on computers, such as the Trusted Computing Group's Trusted Platform Module, are extensions of these ideas and techniques, wrapped up in a piece of silicon that runs external to the CPU and is thus harder to crack.
Radmind goes beyond Tripwire by allowing you to reverse changes instead of only notifying the administrator. A Tripwire failure means that something changed without the administrator's knowledge.
ktcheck
NAME
ktcheck - verify and download command file and transcripts
SYNOPSIS
ktcheck [-inrV] [ -q | -v ] [ -c checksum ] [ -K command-file ] [ -h host ] [ -p port ] [ -w auth-level ] [ -x ca-pem-file ] [ -y cert-pem-file ] [ -z private-key-file ]
DESCRIPTION
ktcheck verifies a client's command file with the radmind server host. The command file is downloaded from host if it is missing or has the wrong size. With the -c option, checksums are also used to verify files.
Reading the command file line-by-line, ktcheck verifies each command file and transcript listed, downloading it from host if it is missing or out of date. ktcheck ignores blank lines and comments (lines starting with '#'). Included command files are read and verified using the same method.
Each special file listed in the command file is converted into a transcript line in special.T with information provided by host. See radmind(8) for details of the STAT command.
If checksumming is turned on, the special transcript is verified using the checksum and file size. If either is wrong, the special transcript is updated. If checksumming is turned off, the special transcript is always updated.
Files updated by ktcheck must be regular files and the user must have access to modify them.
When run with the -n option, ktcheck verifies but never downloads the command files or transcripts. A temporary special.T is created for verification and is removed on exit.
OPTIONS
-c checksum enables checksumming.
-i force output line buffering.
-h host specifies the radmind server, by default radmind.
-K command specifies a command file, by default /var/radmind/client/command.K.
-n no files modified.
-p port specifies a port, by default 6662.
-q suppress all messages.
-r use random seed file $RANDFILE if that environment variable is set, $HOME/.rnd otherwise. See RAND_load_file(3o).
-V displays the version of ktcheck, a list of supported checksumming algorithms in descending order of preference and then exits.
-v displays communication with the radmind server.
-w auth-level TLS authorization level, by default 0. 0 = no TLS, 1 = server verification, 2 = server and client verification.
-x ca-pem-file Certificate authority's public certificate, by default /var/radmind/cert/ca.pem.
-y cert-pem-file Client's public certificate, by default /var/radmind/cert/cert.pem.
-z private-key-file Client's private key, by default /var/radmind/cert/cert.pem.
FILES
/var/radmind/client/command.K name of the default command file.
special.T name of the special transcript.
EXIT STATUS
The following exit values are returned:
0 No differences were found.
1 Differences were found.
>1 An error occurred.
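As an added illustration of the Tripwire-style check described earlier and of ktcheck's rule that a file is out of date when missing or of the wrong size, with checksums only consulted under -c (example code written for this page, not radmind's own; the transcript layout, file names and contents are constructed):

```python
import hashlib
import tempfile
from pathlib import Path
# Added example, not radmind's own code: a minimal Tripwire/ktcheck-style
# integrity check. The transcript is a constructed dict {path: (size, sha256)}.

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def regular_files(root):
    """Yield (relative path, Path) for every regular file under root."""
    for full in sorted(Path(root).rglob("*")):
        if full.is_file():
            yield str(full.relative_to(root)), full

def build_transcript(root):
    return {rel: (full.stat().st_size, file_digest(full))
            for rel, full in regular_files(root)}

def verify(root, transcript, checksum=False):
    """ktcheck's rule: a file is out of date when missing or of the wrong size;
    with checksumming on, also when its digest differs. Unlisted files are 'extra'."""
    diffs = []
    for rel, (size, digest) in transcript.items():
        full = Path(root, rel)
        if not full.is_file():
            diffs.append((rel, "missing"))
        elif full.stat().st_size != size:
            diffs.append((rel, "size"))
        elif checksum and file_digest(full) != digest:
            diffs.append((rel, "checksum"))
    diffs += [(rel, "extra") for rel, _ in regular_files(root)
              if rel not in transcript]
    return sorted(diffs)

def exit_status(diffs):
    """ktcheck's convention: 0 no differences, 1 differences found."""
    return 1 if diffs else 0

def demo():
    # Constructed scenario: a same-size edit is invisible without checksums.
    root = Path(tempfile.mkdtemp())
    (root / "sshd.conf").write_text("Port 22\n")
    baseline = build_transcript(root)
    (root / "sshd.conf").write_text("Port 23\n")  # same byte count, new content
    return verify(root, baseline), verify(root, baseline, checksum=True)
```

The demo shows why size-only verification is a weak baseline: a same-length edit passes until checksumming is enabled.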
SEE ALSO
fsdiff(1), lapply(1), lcksum(1), lcreate(1), lfdiff(1), lmerge(1), twhich(1), radmind(8), RAND_load_file(3o).
Radmind Assistant
The Radmind Assistant is a GUI app for Mac OS X.
As of Sept. 2, 2005, here is what is required to get the standard scripts installed with the Radmind Assistant 0.9.6 running under 10.4.x with iHook installed:
1. Issue the command:
sudo defaults write com.apple.loginwindow LogoutHook /etc/logout.hook
to create a link to the iHook logout hook. If you also want login by a 'radmind' local user to trigger a full RADMIND, issue the command:
sudo defaults write com.apple.loginwindow LoginHook /etc/login.hook
to create the required link to the iHook login hook.
2. The /etc/radmind.defaults file currently supplied with Radmind Assistant 0.9.6 has 3 bugs:
a) Delete the last line, which reads:
'exit 0'
b) Remove the 'switches' (the -w and -h option prefixes) from the variables TLSLEVEL and SERVER.
To do this, go to the section labelled "radmind-specific defaults" in /etc/radmind.defaults.
Edit the file at this point so that the first two variables read as follows:
TLSLEVEL="`defaults read $ra_domain tlslevel 2>/dev/null || echo ${TLSLEVEL} | awk '{ print $2 }'`"
previously:
TLSLEVEL="-w `defaults read $ra_domain tlslevel 2>/dev/null || echo ${TLSLEVEL} | awk '{ print $2 }'`"
and:
SERVER="`defaults read $ra_domain radmindhost 2>/dev/null || echo ${SERVER} | awk '{ print $2 }'`"
previously:
SERVER="-h `defaults read $ra_domain radmindhost 2>/dev/null || echo ${SERVER} | awk '{ print $2 }'`"
Several users have been confused by the comments at the head of the radmind.defaults file that refer to the fact that any edits to this file don't work if you are using the Radmind Assistant unless some 'defaults' setting is changed. I don't think there has been full information provided on exactly what this means, especially as it doesn't seem to preclude things working.
Also, I originally tried getting things to work by changing the other references at the head of the file from AUTHLEVEL to TLSLEVEL, but in the end I changed them back again and it still worked.