Recipe 1.5 Read-Only Integrity Checking
1.5.1 Problem
You want to store Tripwire's most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.
1.5.2 Solution
- Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.

  # mount /mnt/cdrom
  # ls -l /mnt/cdrom
  total 2564
  -r--r----- 1 root root 931 Feb 21 12:20 site.key
  -r--r----- 1 root root 931 Feb 21 12:20 myhost-local.key
  -r-xr-xr-x 1 root root 2612200 Feb 21 12:19 tripwire

- Generate the Tripwire configuration file in plaintext: [Recipe 1.2]

  # DIR=/etc/tripwire
  # cd $DIR
  # twadmin --print-cfgfile > twcfg.txt

- Edit the configuration file to point to these copies: [Recipe 1.3]

  /etc/tripwire/twcfg.txt:
  ROOT=/mnt/cdrom
  SITEKEYFILE=/mnt/cdrom/site.key
  LOCALKEYFILE=/mnt/cdrom/myhost-local.key

- Sign your modified Tripwire configuration file: [Recipe 1.3]

  # SITE_KEY=/mnt/cdrom/site.key
  # twadmin --create-cfgfile --cfgfile $DIR/tw.cfg --site-keyfile $SITE_KEY $DIR/twcfg.txt

- Regenerate the tripwire database [Recipe 1.3] and unmount the CD-ROM:

  # /mnt/cdrom/tripwire --init
  # umount /mnt/cdrom
Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:
# mount /mnt/cdrom
# /mnt/cdrom/tripwire --check
# umount /mnt/cdrom
1.5.3 Discussion
The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. Other Tripwire-related files are signed by the keys (the configuration and policy with the site key, the database and reports with the local key), so alterations to them would be detected as long as the keys themselves are trustworthy. (Back them up frequently, however, in case an attacker deletes them!)

Before copying /usr/sbin/tripwire to CD-ROM, make sure it is statically linked (which is the default configuration) so it does not depend on any shared runtime libraries that could be compromised:

$ ldd /usr/sbin/tripwire
not a dynamic executable

If ldd instead prints a list of shared libraries (libc, libstdc++, and so on), the copy on the CD-ROM would still load those libraries from the running system, and a trojaned library could subvert the check. Rebuild or reinstall a statically linked tripwire before trusting the copy on read-only media.
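The following wrapper is an added example, not code from the Linux Security Cookbook or from the Tripwire project. It automates the mount / check / umount sequence from the Solution and adds three checks a practitioner would want before trusting the disk: that the mount really is read-only, that the tripwire binary on it is static (the ldd check from the Discussion), and that the disk's contents still match a SHA-256 list recorded when the disk was prepared, which catches a substituted or re-burned disk that the recipe alone does not guard against. The sums file name SUMS.sha256, the CDROM and TW_HOST variables, and the "record"/"run" subcommands are this example's own assumptions; the hostname defaults to the recipe's "myhost".

```sh
#!/bin/sh
# Added example, not from the Linux Security Cookbook or from Tripwire itself.
# Wraps the recipe's mount / check / umount sequence with three sanity checks
# and keeps a SHA-256 list of the media contents so a swapped or altered disk
# is noticed.  Assumed names (not from the recipe): SUMS.sha256, the CDROM and
# TW_HOST variables, and the "record"/"run" subcommands.

CDROM=${CDROM:-/mnt/cdrom}
TW_HOST=${TW_HOST:-myhost}   # the recipe's example hostname; use $(hostname) in practice

# Check 1: the mount point appears in /proc/mounts with the "ro" option.
# $1 = mount point, $2 = text in /proc/mounts format (passed in as a string
# so the function can be exercised with constructed input).
mount_is_readonly() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END     { exit ro ? 0 : 1 }'
}

# Check 2: ldd reports the binary as static, so nothing from the (possibly
# compromised) host's shared libraries is loaded.  $1 = ldd output.
ldd_says_static() {
    case "$1" in
        *"not a dynamic executable"*|*"statically linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 3: the SHA-256 sums recorded when the media was prepared still match.
# $1 = directory holding the three files and SUMS.sha256.
sums_match() {
    ( cd "$1" && sha256sum -c SUMS.sha256 ) >/dev/null 2>&1
}

# Run once on the staging directory, just before writing and write-protecting
# the media.  Keep a second copy of the list off this host (printed, or on
# another medium): a list that lives only on the disk it describes proves
# nothing about a substituted disk.
record_sums() {
    ( cd "$1" && sha256sum site.key "$TW_HOST-local.key" tripwire > SUMS.sha256 )
}

# The recipe's check sequence, aborting (and unmounting) if any check fails.
run_check() {
    mount "$CDROM" || return 1
    if ! mount_is_readonly "$CDROM" "$(cat /proc/mounts)"; then
        echo "$CDROM is not mounted read-only" >&2; umount "$CDROM"; return 1
    fi
    if ! ldd_says_static "$(ldd "$CDROM/tripwire" 2>&1)"; then
        echo "$CDROM/tripwire is dynamically linked" >&2; umount "$CDROM"; return 1
    fi
    if ! sums_match "$CDROM"; then
        echo "media contents differ from SUMS.sha256" >&2; umount "$CDROM"; return 1
    fi
    "$CDROM/tripwire" --check
    rc=$?
    umount "$CDROM"
    return $rc
}

case "${1:-}" in
    record) record_sums "${2:-.}" ;;   # e.g. ./twcheck.sh record /tmp/cdrom-staging
    run)    run_check ;;               # e.g. ./twcheck.sh run, from cron or by hand
esac
```

Usage: stage site.key, myhost-local.key and tripwire in a directory, run the script with `record <dir>` there, write the directory (including SUMS.sha256) to the disk, then use `run` for each integrity check. The mount check reads /proc/mounts rather than trusting the mount command's exit status, because a disk mounted read-write (for instance a USB stick whose write-protect switch was left off) would otherwise pass silently.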
1.5.4 See Also
twadmin(8), tripwire(8), ldd(1), mount(8).