Recipe 1.6 Remote Integrity Checking
1.6.1 Problem
You want to perform an integrity
check, but to increase security, you store vital Tripwire files
off-host.
1.6.2 Solution
Store copies of the site key, local key, and
tripwire binary on a trusted remote machine that
has no incoming network access. Use
rsync, securely tunneled through
ssh, to verify that the originals and copies are
identical, and to trigger an integrity check. The initial setup on remote machine trusty is:
#!/bin/sh
# Run once on trusty: copy the vital Tripwire files from trippy into a safe directory.
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
# The tripwire binary, the site key and the local key for trippy
VITAL_files="/usr/sbin/tripwire
/etc/tripwire/site.key
/etc/tripwire/${REMOTE_MACHINE}-local.key"
mkdir $SAFE_DIR
for file in $VITAL_files
do
    $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done
Prior to running every integrity check on the local machine, verify
these three files by comparing them to the remote copies. The
following code should be run on trusty, assuming the same variables as
in the preceding script (REMOTE_MACHINE, etc.):
#!/bin/sh
# Run on trusty before each integrity check; assumes REMOTE_MACHINE, RSYNC,
# SAFE_DIR and VITAL_files are set as in the setup script.
cd $SAFE_DIR
rm -f log
for file in $VITAL_files
do
    base=`basename $file`
    # Dry run (-n): rsync names the file only if the copy and the original differ
    $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
# A non-empty log means at least one vital file changed on trippy
if [ -s log ] ; then
    echo 'Security alert!'
else
    ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi
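The same verification step, as an added example rather than the book's own script: it keeps the recipe's rsync dry run and whole-line fixed-string match, but reports an rsync or ssh failure as "unverified" instead of letting its empty output pass as "identical" (an empty log in the script above would trigger the check), and it runs the remote check only when every copy verified. The host trippy, the directory and the three file names come from the recipe; RSYNC_CMD and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the book's script: verify the off-host copies of the
# vital Tripwire files, distinguishing "differs" from "could not verify".
REMOTE_MACHINE=${REMOTE_MACHINE:-trippy}
SAFE_DIR=${SAFE_DIR:-/usr/local/tripwire/$REMOTE_MACHINE}
# RSYNC_CMD may be overridden (a test does so with a stub that prints only
# the names a real dry run would list).
RSYNC_CMD=${RSYNC_CMD:-"rsync -a --progress --rsh=ssh"}
VITAL_FILES="/usr/sbin/tripwire
/etc/tripwire/site.key
/etc/tripwire/${REMOTE_MACHINE}-local.key"

# compare_one FILE: dry-run rsync of the remote original against the safe copy.
# Returns 0 = identical, 1 = rsync would transfer it (differs),
# 2 = rsync/ssh itself failed (cannot verify).
compare_one() {
    base=$(basename "$1")
    out=$($RSYNC_CMD -n "${REMOTE_MACHINE}:$1" "$SAFE_DIR/") || return 2
    # grep -F -x: whole-line, fixed-string match on the bare filename (as fgrep -x)
    if printf '%s\n' "$out" | grep -F -x "$base" >/dev/null; then
        return 1
    fi
    return 0
}

# verify_vital_files: returns 0 only when every file is identical, 1 if any
# differs, 2 if none differ but at least one could not be verified.
verify_vital_files() {
    status=0
    for file in $VITAL_FILES; do
        compare_one "$file"
        case $? in
            1) echo "DIFFERS: $file"; status=1 ;;
            2) echo "UNVERIFIED: $file"; [ "$status" -eq 1 ] || status=2 ;;
        esac
    done
    return $status
}

# run_check: trigger the remote integrity check only after a clean verification.
run_check() {
    if verify_vital_files; then
        ssh "$REMOTE_MACHINE" -l root /usr/sbin/tripwire --check
    else
        echo "Security alert! Tripwire check on $REMOTE_MACHINE not run." >&2
        return 1
    fi
}
```

Call run_check from cron on trusty; its exit status (and the DIFFERS/UNVERIFIED lines) can be fed to whatever alerting you already use.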
1.6.3 Discussion
rsync is a handy utility for
synchronizing files on two machines. In
this recipe we tunnel rsync through
ssh, the Secure Shell, to provide secure
authentication and to encrypt communication between trusty and trippy. (This assumes you have an
appropriate SSH infrastructure set up between trusty and trippy, e.g., [Recipe 6.4]. If not, rsync can be used
insecurely without SSH, but we don't recommend it.)
The progress
option of rsync produces output only if the local
and remote files differ, and the
-n option causes rsync
not to copy files, merely reporting what it would do. The
fgrep command removes all output but the
filenames in question. (We use fgrep because it
matches fixed
strings, not regular expressions, since
filenames commonly contain special characters like
"." found in regular expressions.)
The fgrep -x option matches whole lines, or in
this case, filenames. Thus, the file log is
empty if and only if the local and remote files are identical,
triggering the integrity check.
You might be tempted to store the Tripwire database remotely as well,
but it's not necessary. Since the database is signed
with the local key, which is kept off-host,
tripwire would alert you if the database changed
unexpectedly.
Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:
# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check
Another tempting alternative
is to mount trippy's disks remotely
on trusty, preferably
read-only, using a network filesystem such as NFS or AFS, and then
run the Tripwire check on trusty . This method, however, is only as
secure as your network filesystem software.
1.6.4 See Also
rsync(1), ssh(1).