INLS187 - Newby
November 6, 2000

Titan: Security Auditing Software
---------------------------------

Overview:  You need to know a lot to have a reasonably secure
computer system on the Internet.  Titan helps you to assess how
well you have applied what you know by automatically auditing your
system and suggesting possible problems.  If you do not yet know a
lot about Unix security, then Titan will help by listing things you
should learn about for the system(s) you control.

Step 1: Take a look at the Titan license etc. at http://www.fish.com
(there are some other interesting things to read, as well).

Step 2: Download Titan via either
	http://www.fish.com/~brad/titan/Titan,v4.0ALPHA-6.tar.gz  (ALPHA test)
or
	http://www.fish.com/~brad/titan/Titan,v3.7.tar.gz  (stable)

I chose the ALPHA.

Step 3: Prepare to run:

	gunzip Titan,v4.0ALPHA-6.tar.gz
	tar xof Titan,v4.0ALPHA-6.tar
	cd Titan,v4.0ALPHA-6

Step 4: Take a look at the documents.  For where I installed them,
they can be viewed on the Web at:
	http://ils.unc.edu/inls187/notes/Nov6/Titan,v4.0ALPHA-6/docs

Step 4: Initialize Titan.  This compiles the Titan binary for your
system.  It also backs up system files that Titan might modify later.
Normally, you would be root to run this (provided you trust Titan!),
but I ran as a regular user:

	./Titan_Config -I

(it generated a couple of errors when /etc/shadow and other files
couldn't be opened, but mostly ran fine).

Step 5: Read some more documents.  Make sure you know what you want
to do next.  Having Titan automatically fix things on a production
system is probably not what you want to do next!

I chose to get Titan to generate a list of the things it found
questionable with "./Titan -V" (verify).

** This needed to be run as root!

I put output in a file:

	./Titan -V > ../titan-output.txt

Step 6: Get to work.  The output of "Titan -V" on Ruby.ils.unc.edu
was over 40K lines (3M) of text.  Some of this can be ignored, but
all should be considered.

To see what a particular Titan module tests, take a look at the
module source code.  For example, "add-umask.sh" was the first module
to run.  The source code is:
	bin/modules/add-umask.sh
and includes some description of why it's there and what it does.

Step 7: "Titan -V" runs all possible tests, displaying output.  You
can tune the tests that are run with a config file.  To test a
default:

	./Titan -c sample.Desktop

output goes to t_echo.res (you can email it with TitanReport).

Take a look at t_echo.res, then edit your own config file.

Step 8: Depending on what your judgment is about the Titan output,
you can either have Titan fix things for you, or go through and fix
them yourself.  Or, you could write a config file for Titan to follow
in making fixes.

Getting Titan to make fixes is well documented in the FAQ in the docs
directory.  Basically, you can add -F (fix) to the argument to any of
the shell scripts you want to run.  You can also modify the scripts,
if necessary.

Step 9: For regular monitoring, make your own config file and run the
Titan program regularly.  Report any differences by email.  This lets
Titan run as a sort of integrity checker, searching for changes that
might be security holes.  This doesn't mean Titan is a replacement
for Tripwire!  But Titan as a monitoring tool is a good addition to a
full security suite.
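
One way to do the regular monitoring described in Step 9, as an added
example that is not part of the original handout or of Titan itself: it
runs Titan with a config file as in Step 7, compares t_echo.res with a
saved baseline, and mails only the differences.  The function names, the
state directory, the crontab entry and the use of mail(1) are
assumptions, as is t_echo.res being written in the Titan directory.

```shell
#!/bin/sh
# Added example, not part of Titan. Assumed names: titan_diff, titan_monitor,
# the state directory and the mail(1) command used to send the report.

# titan_diff OLD NEW
# Prints "+ line" for lines only in NEW and "- line" for lines only in OLD.
# Returns 0 if both runs contain the same set of lines, 1 if they differ.
titan_diff() {
    old_sorted=$(mktemp) || return 2
    new_sorted=$(mktemp) || return 2
    sort -u "$1" > "$old_sorted"
    sort -u "$2" > "$new_sorted"
    comm -13 "$old_sorted" "$new_sorted" | sed 's/^/+ /'
    comm -23 "$old_sorted" "$new_sorted" | sed 's/^/- /'
    if cmp -s "$old_sorted" "$new_sorted"; then rc=0; else rc=1; fi
    rm -f "$old_sorted" "$new_sorted"
    return "$rc"
}

# titan_monitor TITAN_DIR CONFIG STATE_DIR MAILTO
# Runs "./Titan -c CONFIG" (Step 7), which leaves its results in t_echo.res
# (assumed to be in TITAN_DIR), then mails any differences from the baseline.
titan_monitor() {
    titan_dir=$1 config=$2 state_dir=$3 mailto=$4
    umask 077    # the results list weaknesses; keep saved copies private
    mkdir -p "$state_dir" || return 2
    ( cd "$titan_dir" && ./Titan -c "$config" ) || return 2
    if [ ! -f "$state_dir/baseline.res" ]; then
        # First run: record the baseline; there is nothing to compare yet.
        cp "$titan_dir/t_echo.res" "$state_dir/baseline.res"
        return
    fi
    # The baseline is not overwritten here: after reviewing a report, replace
    # baseline.res by hand so that accepted changes stop being reported.
    if ! changes=$(titan_diff "$state_dir/baseline.res" "$titan_dir/t_echo.res"); then
        printf '%s\n' "$changes" |
            mail -s "Titan: changes on $(hostname)" "$mailto"
    fi
}

# Example crontab entry (paths are placeholders), daily at 03:15:
#   15 3 * * * /usr/local/sbin/titan-monitor.sh /opt/titan sample.Desktop /var/lib/titan root
if [ "$#" -eq 4 ]; then
    titan_monitor "$@"
fi
```

Because the baseline is only replaced by hand, an unexplained change keeps
showing up in each report until someone has looked at it.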