1. Introduction
Digital forensics is the use of specialized technology for recovery, authentication, and
analysis of electronic data when a case involves issues relating to reconstruction of computer
usages, examination of residual data, authentication of data by technical analysis or explanation
of technical features of data and computer usage [2]. The field of digital forensics is a
constantly evolving field as new technologies are developed every day. One such new
technology is wireless networking. The use of wireless networking has exploded since the late
1990s.
According to a recent study by Pew Internet & American Life, 34% of all internet users
have logged on with a wireless internet connection either at home, at work, or someplace else
[7]. When Internet users were asked, "Do you ever log onto the internet using a wireless
device?" in February 2004, 22% gave a positive response. These percentages clearly show a
growth in the use of wireless networking [7]. In 2005, more than 10 million homes in the United
States had a wireless Internet connection [17]. As with any technology in widespread use,
wireless networking has been misused in illegal ways and many crimes have been committed
within the boundaries of a wireless network [22]. Much research is needed in the field of digital
forensics, especially in the area of electronic evidence collection in wireless networks.
Electronic evidence must be treated like any other type of evidence. The collection of
electronic evidence must follow the standards of admissible evidence. These standards are based
on the Federal Rules of Evidence (FRE), which are the rules that govern the admissibility of
evidence in the United States federal court system [3]. There are several steps to follow in digital
forensics to ensure that evidence is not destroyed or compromised. These steps are taken from
[12]. First, acquire the evidence without altering or damaging the original. Second, authenticate
that your recovered evidence is the same as the originally seized data. And third, analyze the data
without modifying it. If these steps are not taken, the original electronic evidence can be
destroyed or altered and as a result may not hold up in a court of law.
This paper concentrates on the first step, which is to acquire the evidence without altering
or damaging the original. This first step can be difficult when the evidence is located within a
wireless environment. This difficulty arises because there are no clear boundaries that define the
wireless network. Unlike a wired network, there are no physical connections between the
wireless router and the wireless devices. The devices communicate via radio waves. The area of
possible communication can often be larger than intended. This becomes a problem when the
area of interest in an investigation does not encapsulate the entire area covered by the wireless
network or when the presence of a wireless device is not apparent to the investigator.
Devices in the wireless network can communicate with other devices until they are
disconnected from the network or shut down. Such communication after the area is secured can
violate the first step of evidence collection: acquire the evidence without altering or damaging
the original. For example, an individual with a laptop enabled with a wireless interface could be
in the next room but still within range of the wireless network. They could then access the
devices located within the area of interest and alter evidence or even remove the evidence
entirely. This can occur after the area is seized but before the devices are made unavailable. This
after-seizure communication jeopardizes the evidence and must not be allowed.
Therefore, digital forensic investigators must have the ability to disrupt the wireless
network immediately upon discovery. One possible way to accomplish this would be to enact a
denial of service. A denial of service is any action, or series of actions, that prevents any part of
a system, or its resources, from functioning in accordance with its intended purpose [6]. Denial
of service is the absence of availability. Denial of service is traditionally an attack method used
by inexperienced hackers called script kiddies. A script kiddie uses attack tools developed by
others to launch large-scale attacks on victims [14]. These attacks have been very damaging and
expensive to victims. In February 2000, Yahoo, Amazon, eBay, and many other online
businesses were attacked via a denial of service causing tens of millions of dollars in damage
[16]. Although denial of service has traditionally been viewed as an attack mechanism, it has
been suggested by Slay and Turnbull that it could be used by law enforcement to disable wireless
networks during forensic investigations [23].
Slay and Turnbull raise the question in their paper, "Wireless Forensic Analysis Tools for
Use in the Electronic Evidence Collection Process," of the forensic soundness of enacting a denial
of service during an investigation. They state that their argument relates back to the fundamental
forensic principles of McKemmish's second rule of Forensic Computing: "Account for any
change" [23]. It is possible that the form of denial of service that manipulates network protocols
by inserting active data into the network could affect the electronic evidence. To the author's
knowledge, it has not been proven otherwise. Slay and Turnbull state that "the intent (of
initiating a denial of service) should be analyzed, and the potential effects of utilizing and not
utilizing the mechanism should be evaluated" [23]. The potential effects of utilizing an active
form of denial of service on a wireless network are investigated in this paper.
The remainder of this paper is organized as follows. Section 2 provides background
information on wireless networks and denial of service attacks. Section 3 describes the
experiment setup and documents the steps taken to set up the wireless network and the denial of
service attacks. Section 4 documents the results of the experiment. Section 5 provides a
conclusion followed by the references.
2. Background
The following section provides a brief background of relevant information concerning
wireless networks and denial of service attacks.
2.1 What is a WLAN?
A wireless LAN, or WLAN, is a local area network that does not require wired Ethernet
connections. Devices in a WLAN communicate via technology based on radio waves [20].
802.11 is the standard by which wireless networking operates. The IEEE working group 11 of
the IEEE LAN/MAN Standards Committee developed the IEEE 802.11 standard. The 802.11
standard is an evolving family of specifications for wireless LAN technology [5].
2.1.1 WLAN Configurations
The 802.11 standard describes two network configurations. In an infrastructure network,
stations are based around an access point. The access point provides communication with the
wired network by serving as a wireless-to-wired bridge [5]. The access point also mediates all
wireless traffic in the network. In an infrastructure network, stations must associate with an
access point to join the network. The access point broadcasts its SSID (Service Set Identifier) to
the stations. This is how the stations become aware of the wireless network. The stations always
initiate the association process and can only be associated with one access point at a time. The
access point uses the contents of an association packet from the requesting station to make the
decision to grant or deny access to the network. In an ad hoc network, stations communicate
directly with each other without the use of an access point [5]. Figure 2.1 provides an illustration
of an ad hoc network and an infrastructure-based network. The dotted lines connecting the
stations in the left-hand side of the diagram and the dotted lines connecting the stations with the
access point in the right-hand side of the diagram represent the wireless medium. The stations
can be any type of device that has a wireless network interface, not necessarily just a laptop or
desktop computer as Figure 2.1 illustrates. An infrastructure-based network was used for this
experiment.
Figure 2.1: Ad Hoc Network (left) and Infrastructure Network (right)
The 802.11 specifications concentrate on the two lowest layers of the OSI model: the data
link layer and the physical layer. The data link layer in 802.11 protocols is split into two
sublayers: the MAC sublayer and the LLC sublayer. The MAC (Medium Access Control)
sublayer is a set of rules that determine how to send data and how to access the wireless medium.
Located directly above the MAC sublayer is the LLC (Logical Link Control) sublayer. The LLC
sublayer handles making the various 802 standards indistinguishable to the network layer. The
LLC sublayer takes care of error control, framing, and MAC-sublayer addressing [4].
The physical layer of the OSI model is concerned with transmitting raw bits over a
communication channel. In the case of 802.11, the communication channel is based on radio
waves. The 802.11 standard includes five transmission techniques:
1. Infrared
2. FHSS or Frequency Hopping Spread Spectrum
3. DSSS or Direct Sequence Spread Spectrum
4. OFDM or Orthogonal Frequency Division Multiplexing
5. HR-DSS or High Rate Direct Sequence Spread Spectrum
Each of the five transmission techniques has the same goal: to transmit a MAC frame from one
station in the network to another.
The use of radio waves as a communication channel results in a complicated physical
layer. The 802.11 standard divides the physical layer into two parts: the Physical Layer
Convergence Procedure (PLCP) and the Physical Medium Dependent (PMD). The job of the
PLCP is to map the MAC frames onto the wireless medium. The job of the PMD is to transmit
those frames on the wireless medium. Figure 2.2 illustrates the division of the data link layer into
two sublayers and the various transmission techniques of the physical layer.
Advantages of wireless networking: Flexibility, Mobility, Cost.
physical cables connecting devices, wireless networks can be set up quickly. Users can set up a
temporary wireless network without having to unplug and plug wires. The many businesses that
offer hotspots do so because of this flexibility. A hotspot is simply a venue that offers wireless
Internet access. Many businesses, such as coffee shops, airports, hotels, and bookstores now
offer hotspots [9].
The mobility offered by wireless networks allows users to access the Internet from any
location. Users can now work from the neighborhood coffee shop instead of the office. This
mobility leads to increased productivity for its users. For example, a businessperson can use a
PDA to remain constantly connected to the network.
A wireless network can be much less expensive than a traditional wired network.
Wireless networking hardware has recently become comparable in price to wired networking
hardware. In addition, the savings in infrastructure, such as running cables, can also make
wireless networks less expensive. The cable installation required for a wired network can also be
expensive. Also, the infrastructure does not require pricey changes when a new device is added
as long as the device is within range [5].
The final advantage mentioned is the speed and ease of deployment of a wireless
network. The initial setup of an infrastructure-based wireless network usually only requires a
single access point. An ad-hoc-based wireless network requires no additional equipment. A
WLAN can be deployed in areas that may be off-limits to wired networks. One such example
would be a historical building protected from the modifications sometimes required of a wired
network [9]. It is because of these advantages that wireless networking has become so prevalent.
2.2 What is Denial of Service?
A denial of service is any action, or series of actions, that prevents any part of a system,
or its resources, from functioning in accordance with its intended purpose [6]. Denial of service
is the absence of availability. Availability is the reliability and timely access to data and
resources by authorized individuals [6]. Availability is one of the three tenets of computer
security, the other two being confidentiality and integrity [15].
2.2.1 Categories of Denial of Service
Denial of service attacks can be categorized as either resource allocation attacks or
resource destruction attacks. A resource allocation attack consumes the resources of the victim
making legitimate use unavailable. When the resource allocation attack is halted, the resources
are made available again. A resource destruction attack exploits vulnerabilities in the protocols to
make resources unavailable. When this type of attack is halted, the resources are not immediately
available. The resource allocation attack was implemented for this experiment [18].
The advantage of a resource allocation attack is that the attack can be directed at specific
wireless networks or specific devices in the wireless network. If forensic investigators were to
use a denial of service attack, they would not want to disable neighboring networks, only the
network under investigation. The denial of service attack tool used for this experiment is the
802.11 frame-generating tool Void11.
3. Experimental Environment
This section begins with a description of the equipment used in the experimental
environment as well as descriptions of the Open Source software tools used throughout the
experiment. The setup of the WLAN is explained and the electronic evidence files are provided.
An explanation of the initial setup of the file integrity checker software is provided. This is
followed by a description of the denial of service attack. The section ends with checking the file
integrity checker software for any changes in the electronic evidence files.
3.1 Description of the Equipment
The equipment used in this experiment included three Gateway M4600 laptops. Each
laptop performed a specified function. Two laptops were used as victims and the other laptop
was used as the attacker. The attacker laptop and one victim laptop were installed with the
Redhat Fedora Core 5 operating system. The other victim laptop used the Microsoft Windows
XP operating system. The attacker laptop utilized the Void11 attack tool, which required the use
of the Prism chipset in the wireless card. Therefore, an SMC2532W-B EliteConnect 2.4GHz
802.11b PCMCIA wireless card was used in the attacker laptop. The two victim laptops used the
Intel Corporation PRO/Wireless 2200BG PCI card. The access point used in the experiment was
the Buffalo Technology AirStation Turbo G High-Power Wireless Cable/DSL Smart Router.
Figure 3.1, Figure 3.2, Figure 3.3, and Figure 3.4 present the previously described equipment.
Equipment shown in Figures 3.1 to 3.3 (recovered from the figure captions):
Attacker laptop. System: Gateway M4600. Operating System: Redhat Fedora Core 5. Wireless card type: SMC2532W-B EliteConnect 2.4GHz 802.11b High-Power Wireless PC Card. Chipset: Prism.
Victim laptop (Linux). System: Gateway M4600. Operating System: Redhat Fedora Core 5. Wireless card type: Intel Corporation PRO/Wireless 2200BG PCI card.
Victim laptop (Windows). System: Gateway M4600. Operating System: Microsoft Windows XP Professional, Version 2002, Service Pack 2. Wireless card type: Intel Corporation PRO/Wireless 2200BG PCI card.
AFICK was used for the victim computer running Microsoft Windows XP. A denial of service
attack tool was also required for this experiment. The Open Source attack tool Void11 was
employed. The following section describes the Open Source tools in more detail.
3.2.1 Tripwire
Dr. Eugene Spafford and Gene Kim developed the original Tripwire software in 1992 at
Purdue University [10]. Gene Kim later took the research and co-founded the company Tripwire
in Portland, Oregon [21]. The Tripwire software has since evolved into a Linux Open Source
intrusion-detection system. Open Source Tripwire does not deal with detecting intrusion attempts
in real-time, but instead reports on any discrepancies observed since running Tripwire in
database initialization mode. Running Tripwire in database initialization mode is the first step in
setting up Tripwire for operation. This mode creates a database that is an exact record of the files
on the system. Tripwire later uses this record to discover any discrepancies in the system. The
database is one of the key components of Tripwire [4].
The second key component of Tripwire is the policy file. The policy file lists every file
and directory that Tripwire should monitor. The policy also contains the rules that identify
violations. The policy file determines the level at which Tripwire checks the integrity of the
system [4].
Tripwire protects its files by using two cryptographic keys: the site key and the local key.
The site key protects the policy file and the configuration file. The local key protects the
database and the discrepancy reports generated by Tripwire. Most importantly, Tripwire encrypts
and signs its own files so that it will know if it has been compromised [4]. Tripwire was used to
determine any changes in the laptop running Linux.
3.2.2 AFICK
AFICK (Another File Integrity Checker) is very similar to Tripwire. It was developed
after Tripwire and adopts many of Tripwire's concepts. Like Tripwire, AFICK also uses a policy
file. The policy file includes any files, directories, or essential elements of the system that
AFICK should monitor. An initial database is created using the policy file as a guide. This
database is a snapshot of the system. To determine if the system has been compromised, a
compare utility is executed which compares the current state to the snapshot taken initially [1].
AFICK was used to determine any changes in the laptop running Microsoft Windows XP.
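Both Tripwire and AFICK follow the same two-phase scheme described above: snapshot the monitored files into a database, then compare the current state against that snapshot and report what was added, removed or modified. The following added example (not Tripwire or AFICK code, and not from the paper) implements that scheme for a directory tree with SHA-256, and runs it on a constructed evidence directory once unchanged and once after simulated tampering; the file names and contents are constructed stand-ins for the paper's evidence files.

```python
"""Baseline-and-compare file integrity check (added example, not Tripwire or AFICK code)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root: Path) -> Dict[str, dict]:
    """Snapshot every regular file under root (the 'database initialization' step)."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            db[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return db


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Added/Removed/Modified, the three columns of a Tripwire rule summary."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def database_digest(db: Dict[str, dict]) -> str:
    """One digest over the whole snapshot, comparable before and after like AFICK's single hash."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()


def demo() -> dict:
    """Constructed scenario: baseline, an unchanged re-check, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        evidence.mkdir()
        # Constructed stand-ins for the paper's evidence files (obviously fake identifiers)
        (evidence / "table31.txt").write_text("Jean-Luc Picard,000-00-0000\n")
        (evidence / "table32.txt").write_text("William Riker,0000-0000-0000-0000\n")
        baseline = build_database(root)
        recheck = build_database(root)
        untouched = compare(baseline, recheck)
        same_digest = database_digest(baseline) == database_digest(recheck)
        # Simulated after-seizure changes: one file altered, one removed, one planted
        (evidence / "table31.txt").write_text("Jean-Luc Picard,999-99-9999\n")
        (evidence / "table32.txt").unlink()
        (evidence / "planted.txt").write_text("new\n")
        tampered = compare(baseline, build_database(root))
    return {"untouched": untouched, "same_digest": same_digest, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```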
3.2.3 Void11
Void11 is an 802.11 frame-generating tool. It was initially developed for data link layer
denial-of-service resilience testing [24]. Void11 provides three possible attack modes that
generate the following 802.11 frames:
1. Deauthentication frames
2. Authentication frames
3. Association frames [25].
In its default mode, Void11 transmits deauthentication frames to the victims, causing them to
deauthenticate from the network. The result is that all targeted victims in the wireless network
are unable to use the wireless medium. This attack is possible because management packets in
802.11 networks are not authenticated. When the deauthentication packet is received, the victim
deauthenticates without confirming the identity of the sender. This attack is often referred to as a
de-authentication or deauth attack [25]. This experiment used the deauth attack mode.
The second and third attack modes flood the access point with either authentication
packets or association packets. These packets contain media access control (MAC) addresses for
clients in the network. The MAC addresses are hardware addresses that uniquely identify the
clients in the network. The floods of authentication and association packets crash the access
point by filling up the buffer space that is assigned to handle and process these types of requests.
These two modes can be unreliable and were not used for this experiment [14].
Void11 includes two tools named void11_hopper and void11_penetration. The
void11_penetration tool generates the attack frames. The void11_hopper sets the wireless card
under HostAP to hop through the 14 DSSS 802.11 channels. The void11_hopper tool was not
used. The channel was set manually using the iwconfig command. Void11 requires the use of the
Linux HostAP drivers. The HostAP drivers allow the wireless card to perform all the functions
of an access point as well as manage the IEEE 802.11 management functions [24, 25].
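Because 802.11 management frames carry no authentication, the defensive counterpart to the deauth mode described above is to watch the medium for the flood itself. The following added example (not from the paper and not Void11 code) decodes the 24-byte 802.11 management header from captured frames and flags any BSSID whose deauthentication/disassociation rate exceeds a threshold within a sliding window; the BSSIDs, station address, timestamps, thresholds and reason codes in the constructed capture are assumptions.

```python
"""Deauthentication-flood detector over a captured 802.11 frame stream (added example)."""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode the 24-byte 802.11 MAC header; add the reason code for deauth/disassoc."""
    if len(frame) < 24:
        return None
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,          # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,
        "dst": fmt_mac(frame[4:10]),      # Address 1
        "src": fmt_mac(frame[10:16]),     # Address 2
        "bssid": fmt_mac(frame[16:22]),   # Address 3 (BSSID for management frames)
    }
    if info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(frame) < 26:
            return None                   # body too short to carry a reason code
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def summarize_deauths(capture: List[Tuple[float, bytes]], window_s: float = 1.0) -> Dict[str, dict]:
    """Per BSSID: total deauth/disassoc frames, the peak count inside any window_s-second
    window, how many were addressed to broadcast, and the reason codes seen."""
    recent: Dict[str, deque] = defaultdict(deque)
    summary: Dict[str, dict] = {}
    for ts, raw in sorted(capture, key=lambda item: item[0]):
        f = parse_frame(raw)
        if f is None or f["type"] != TYPE_MGMT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue                      # beacons, data frames and malformed frames are ignored
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        s = summary.setdefault(f["bssid"], {"total": 0, "peak": 0, "broadcast": 0, "reasons": set()})
        s["total"] += 1
        s["peak"] = max(s["peak"], len(q))
        s["broadcast"] += int(f["dst"] == BROADCAST)
        s["reasons"].add(f["reason"])
    return summary


def detect_floods(capture: List[Tuple[float, bytes]], window_s: float = 1.0, threshold: int = 10) -> List[str]:
    """BSSIDs whose peak deauth/disassoc count exceeds threshold within window_s seconds.
    A single deauth is normal housekeeping; dozens per second, especially to broadcast, is a flood."""
    return sorted(b for b, s in summarize_deauths(capture, window_s).items() if s["peak"] > threshold)


def mgmt_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Assemble a management frame in memory for the constructed test capture."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0) + body


# Constructed addresses; none are taken from the paper.
AP_QUIET = "00:11:22:33:44:55"    # neighbouring network that sees one ordinary deauth
AP_TARGET = "00:aa:bb:cc:dd:ee"   # network under a spoofed broadcast deauth flood
STA = "00:13:ce:12:34:56"


def constructed_capture() -> List[Tuple[float, bytes]]:
    """(timestamp, frame) pairs standing in for a monitor-mode capture."""
    cap = [
        (0.00, mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_QUIET, AP_QUIET)),
        # one legitimate deauth, reason code 3 (station is leaving the network)
        (0.10, mgmt_frame(SUBTYPE_DEAUTH, STA, AP_QUIET, AP_QUIET, struct.pack("<H", 3))),
        (0.20, struct.pack("<HH", 0x0008, 0) + bytes(20)),   # a data frame (type 2)
    ]
    # 30 deauths to broadcast, carrying the target's BSSID as source, within half a second
    cap += [(1.0 + i * 0.5 / 30, mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP_TARGET, AP_TARGET,
                                           struct.pack("<H", 7))) for i in range(30)]
    return cap


if __name__ == "__main__":
    print("flooded BSSIDs:", detect_floods(constructed_capture()))
```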
3.3 Setting up the WLAN
An isolated wireless network was set up for this experiment. The wireless network was
modeled on the infrastructure-based configuration. See Figure 2.1 for an illustration. The
network consisted of three laptops and an access point. The two victim laptops were connected
to the wireless network. The attacker laptop used to initiate the denial of service was not
connected to the wireless network. The attacker laptop was set up to use Void11. Void11 only
affects the 802.11b protocol, so the access point was put in 802.11b mode. All security features
for the access point were also turned off.
3.4 The Electronic Evidence
Two identical evidence files were created and placed on the two victim laptops. The
evidence files contained fake social security numbers and fake credit card information. The
contents of the evidence files are located in Table 3.1 and Table 3.2.
Table 3.1 and Table 3.2, names listed in the evidence files: Jean-Luc Picard, William Riker, Geordi La Forge, Deanna Troi, Mr. Data, Mr. Worf, Beverly Crusher, Wesley Crusher, Miles O'Brien, Keiko O'Brien, Ro Laren, Mr. Spock, James T. Kirk.
4. Experimental Results
The following section details the results of initiating the denial of service attacks on the
two victim laptops. Section 4.1 describes the results collected from the laptop running Microsoft
Windows XP. Section 4.2 describes the results collected from the laptop running Linux.
4.1
determined. The file integrity checker, AFICK, was used for this purpose. AFICK had already
been installed and initialized, so a simple compare was done. The results of this are presented in
Figure 4.1. The only four files altered were files associated with AFICK. One new file was
created in the archive directory. One file was deleted. Two files were changed, one in the archive
directory and the other in the history directory. In all, 18,050 files were scanned. This covered
every file specified in the policy file, windows.conf. The MD5 hash was calculated to be
g9VjUWbD3I+KW6J6MHiGqQ.
Figure 4.1: AFICK: Before the Denial of Service
As the Void11 tool was initiated, a continuous ping was sent to the other victim
computer. A screenshot of the command prompt is presented in Figure 4.2. The figure shows that
the victim computer is connected to the wireless network as it pings the IP address 192.168.11.9.
As Void11 begins the attack, the ping command times out, and after the denial of service attack
is halted, the pings resume.
Figure 4.2: Command Prompt: During the Denial of Service
After the denial of service was initiated, the compare function for AFICK was executed.
The results of the compare are shown in Figure 4.3. The five files altered were again only files
associated with AFICK. Two new files were created in the archive directory. One file was
deleted. Two files were changed, one in the archive directory and the other in the history
directory. In all, 18,051 files were scanned. This covered every file specified in the policy file,
windows.conf. The MD5 hash was calculated to be g9VjUWbD3I+KW6J6MHiGqQ. This hash
value matched the hash value calculated before the denial of service attack.
4.2
determined. The file integrity checker Tripwire was used for this purpose. The details of the
steps taken can be found in Appendix A. Each command is bolded. First, the initialization
database was created. Then, the current state of the laptop was checked. Tripwire generated an
Integrity Check Report. No errors were detected. The Void11 tool was used to create the denial
of service attack. The state of the laptop was evaluated again by Tripwire. The Integrity Check
Report generated by Tripwire indicated no changes in the files specified by the policy file. The
Integrity Check Report is located in Appendix A.
5. Conclusions
The results of the file integrity checkers, Tripwire and AFICK, showed that the denial of
service attacks did not damage or alter the electronic evidence located on the laptops. The MD5
hash sums calculated by AFICK before and after the denial of service attack on the victim laptop
running Windows were identical. The Integrity Check Reports generated by Tripwire before and
after the denial of service attack on the Linux victim laptop also indicated no changes. Slay and
Turnbull stated in their paper "Wireless Forensic Analysis Tools for Use in the Electronic
Evidence Collection Process" that "the intent (of initiating a denial of service) should be
analyzed, and the potential effects of utilizing and not utilizing the mechanism should be
evaluated" [23]. This experiment attempted to analyze the potential effects of utilizing a denial
of service to disable a wireless network. It was shown that disabling a wireless network by
invoking a denial of service does not damage or alter the electronic evidence. Therefore, the use
of denial of service could be considered a legitimate procedure in disabling wireless networks
during forensic investigations.
REFERENCES
[1]
[2]
[3]
[4]
[5] M. S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd Edition, O'Reilly Media, Inc., Sebastopol, California, 2005.
[6]
[7] J. Horrigan, Wireless Internet Access, Pew Internet & American Life Project, http://www.pewinternet.org/, Feb. 2007 (current Mar. 1, 2007).
[8] E. Kamau, Disabling Wireless Networks for Law Enforcement, published thesis, 2005, http://esm.cis.unisa.edu.au (current Mar. 1, 2007).
[9]
[10]
[11] S. Knapp, 802.11: Leaving the Wire Behind, IEEE Internet Computing, vol. 6, Jan.-Feb. 2002, pp. 82-85.
[12]
[13] A. Lockhart, Network Security Hacks: Tips & Tools for Protecting Your Privacy, 2nd Edition, O'Reilly Media, Inc., Sebastopol, CA, 2007, pp. 415-416.
[14]
[15]
[16]
[17] S. Schiesel, Growth of Wireless Internet Opens New Path for Thieves, The New York Times, Mar. 19, 2005, http://www.nytimes.com//2005/03/19/technology/19wifi.html?ex=1268888400&en=51d90e7518bba5d6&ei=5090&partner=rssuserland (current Mar. 1, 2007).
[18]
[19] J. Slay and B. Turnbull, The Need for a Technical Approach to Digital Forensic Evidence Collection for Wireless Technologies, 2006 IEEE Information Assurance Workshop, West Point, New York, June 21-23, pp. 124-132.
[20] A. S. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003.
[21]
[22] B. Turnbull and J. Slay, The 802.11 Technology Gap: Case Studies in Crime, Tencon IEEE Region 10 Conference, Melbourne, Australia, Nov. 2005.
[23] B. Turnbull and J. Slay, Wireless Forensic Analysis Tools for Use in the Electronic Evidence Collection Process, 40th Annual Hawaii International Conference on Systems Sciences, Hawaii, 2007, pp. 267a-267a.
[24]
[25]
APPENDIX A
[root@localhost tripwire-2.3.1-2]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
[root@localhost tripwire-2.3.1-2]# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/localhost.localdomain-20070303-215327.twr
Tripwire(R) 2.4.1 Integrity Check Report
Report generated by:          root
Report created on:            Sat 03 Mar 2007 09:53:27 PM CST
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
  Monitor Filesystems             0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  Root Directory and Files        0                 0        0        0
26
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@localhost tripwire-2.3.1-2]# ping 192.168.11.6
PING 192.168.11.6 (192.168.11.6) 56(84) bytes of data.
64 bytes from 192.168.11.6: icmp_seq=1 ttl=128 time=24.8 ms
From 192.168.11.9 icmp_seq=56 Destination Host Unreachable
From 192.168.11.9 icmp_seq=57 Destination Host Unreachable
From 192.168.11.9 icmp_seq=58 Destination Host Unreachable
From 192.168.11.9 icmp_seq=60 Destination Host Unreachable
From 192.168.11.9 icmp_seq=61 Destination Host Unreachable
From 192.168.11.9 icmp_seq=62 Destination Host Unreachable
--- 192.168.11.6 ping statistics ---
62 packets transmitted, 1 received, +6 errors, 98% packet loss, time 60990ms
rtt min/avg/max/mdev = 24.860/24.860/24.860/0.000 ms, pipe 3
[root@localhost tripwire-2.3.1-2]# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/localhost.localdomain-20070303-221041.twr
Tripwire(R) 2.4.1 Integrity Check Report
Report generated by:          root
Report created on:            Sat 03 Mar 2007 10:10:41 PM CST
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                        Modified
  ---------                        --------
  Tripwire Data Files              0
  Monitor Filesystems              0
  User Binaries and Libraries      0
  Tripwire Binaries                0
  OS Binaries and Libraries        0
  Temporary Directories            0
* Global Configuration Files       2
  System Boot Changes              0
  RPM Checksum Files               0
  OS Boot Files and Mount Points   0
  OS Devices and Misc Directories  0
  Root Directory and Files         0