Recipe 1.5 Read-Only Integrity Checking

Previous page
Table of content
Next page

1.5.1 Problem

You want to store Tripwire's most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.

1.5.2 Solution

  1. Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.

    # mount /mnt/cdrom # ls -l /mnt/cdrom total 2564 -r--r-----    1 root     root          931 Feb 21 12:20 site.key -r--r-----    1 root     root          931 Feb 21 12:20 myhost-local.key -r-xr-xr-x    1 root     root      2612200 Feb 21 12:19 tripwire

  2. Generate the Tripwire configuration file in plaintext: [Recipe 1.2]

    # DIR=/etc/tripwire # cd $DIR # twadmin --print-cfgfile > twcfg.txt

  3. Edit the configuration file to point to these copies: [Recipe 1.3]

    /etc/tripwire/twcfg.txt: ROOT=/mnt/cdrom SITEKEYFILE=/mnt/cdrom/site.key LOCALKEYFILE=/mnt/cdrom/myhost-local.key

  4. Sign your modified Tripwire configuration file: [Recipe 1.3]

    # SITE_KEY=/mnt/cdrom/site.key # twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \           --site-keyfile $SITE_KEY $DIR/twcfg.txt

  5. Regenerate the tripwire database [Recipe 1.3] and unmount the CD-ROM:

    # /mnt/cdrom/tripwire --init # umount /mnt/cdrom

Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:

# mount /mnt/cdrom # /mnt/cdrom/tripwire --check # umount /mnt/cdrom

1.5.3 Discussion

The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. Other Tripwire-related files, such as the database, policy, and configuration, are signed by the keys, so alterations would be detected. (Back them up frequently, however, in case an attacker deletes them!)

Before copying /usr/sbin/tripwire to CD-ROM, make sure it is statically linked (which is the default configuration) so it does not depend on any shared runtime libraries that could be compromised:

$ ldd /usr/sbin/tripwire not a dynamic executable

1.5.4 See Also

twadmin(8), tripwire(8), ldd(1), mount(8).

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Strategies for Information Technology Governance
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
Microsoft VBScript Professional Projects
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Special Edition Using FileMaker 8
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy