You want to perform an integrity check, but to increase security, you store vital Tripwire files off-host.
Store copies of the site key, local key, and tripwire binary on a trusted remote machine that has no incoming network access. Use rsync, securely tunneled through ssh, to verify that the originals and copies are identical, and to trigger an integrity check.
The initial setup on remote machine trusty is:
#!/bin/sh
# Host being monitored, and how to reach it (rsync tunneled through ssh)
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
# Where trusty keeps its trusted copies of the vital files
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
VITAL_files="/usr/sbin/tripwire /etc/tripwire/site.key /etc/tripwire/${REMOTE_MACHINE}-local.key"
mkdir $SAFE_DIR
for file in $VITAL_files
do
    $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done
Prior to running every integrity check on the local machine, verify these three files by comparing them to the remote copies. The following code should be run on trusty, assuming the same variables as in the preceding script (REMOTE_MACHINE, etc.):
#!/bin/sh
# Assumes REMOTE_MACHINE, RSYNC, SAFE_DIR and VITAL_files are set
# exactly as in the setup script above.
cd $SAFE_DIR
rm -f log
for file in $VITAL_files
do
    base=`basename $file`
    # Dry run: rsync names the file only if the remote copy differs
    $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
if [ -s log ] ; then
    echo 'Security alert!'
else
    ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi
rsync is a handy utility for synchronizing files on two machines. In this recipe we tunnel rsync through ssh, the Secure Shell, to provide secure authentication and to encrypt communication between trusty and trippy. (This assumes you have an appropriate SSH infrastructure set up between trusty and trippy, e.g., [Recipe 6.4]. If not, rsync can be used insecurely without SSH, but we don't recommend it.)
The --progress option of rsync produces output only if the local and remote files differ, and the -n option causes rsync not to copy files, merely reporting what it would do. The fgrep command removes all output but the filenames in question. (We use fgrep because it matches fixed strings, not regular expressions, since filenames commonly contain characters such as "." that are special in regular expressions.) The fgrep -x option matches whole lines, or in this case, whole filenames. Thus, the file log is empty if and only if the local and remote files are identical, and only then is the integrity check triggered.
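The same gate, built on digests instead of on rsync's dry-run report, as an added example that is not part of the recipe. It assumes sha256sum is installed on both hosts and that the two listings it compares are produced on trusty with the recipe's variables, as shown in the comments; the helper names and the sample digests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the recipe: gate the integrity check on SHA-256
# digests of the vital files rather than on rsync's dry-run report. Assumes
# sha256sum is installed on both hosts; using the recipe's variables, the two
# listings compared here would be produced on trusty by:
#   ssh "$REMOTE_MACHINE" sha256sum $VITAL_files                        > remote.sha
#   (cd "$SAFE_DIR" && sha256sum tripwire site.key trippy-local.key)   > local.sha

# Print the basename of every file whose digest differs between the two
# listings, or that is present in only one of them. Paths are reduced to
# basenames because SAFE_DIR stores the trusted copies flat.
diff_manifests() {
    awk '
        FNR == 1 { pass++ }                       # second file starts a new pass
        { n = split($2, p, "/"); name = p[n] }    # sha256sum prints "digest  path"
        pass == 1 { local_d[name] = $1; next }
        { remote_d[name] = $1 }
        END {
            for (f in local_d)
                if (!(f in remote_d) || local_d[f] != remote_d[f]) print f
            for (f in remote_d)
                if (!(f in local_d)) print f
        }' "$1" "$2" | sort
}

# Succeeds only when every file matches, i.e. the equivalent of the recipe's
# "[ -s log ]" test being false; run the remote tripwire --check only then.
vital_files_ok() {
    [ -z "$(diff_manifests "$1" "$2")" ]
}

# Constructed sample listings (the digests are placeholders, not real hashes):
# the remote site.key no longer matches the copy held on trusty.
demo_manifests() {
    d=$(mktemp -d)
    printf '%s  %s\n' \
        1111111111111111111111111111111111111111111111111111111111111111 tripwire \
        2222222222222222222222222222222222222222222222222222222222222222 site.key \
        3333333333333333333333333333333333333333333333333333333333333333 trippy-local.key \
        > "$d/local.sha"
    printf '%s  %s\n' \
        1111111111111111111111111111111111111111111111111111111111111111 /usr/sbin/tripwire \
        deadbeef22222222222222222222222222222222222222222222222222222222 /etc/tripwire/site.key \
        3333333333333333333333333333333333333333333333333333333333333333 /etc/tripwire/trippy-local.key \
        > "$d/remote.sha"
    echo "$d"
}
```

Calling demo_manifests and then diff_manifests on the two files it creates prints site.key, so vital_files_ok fails and the check would not be triggered.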
You might be tempted to store the Tripwire database remotely as well, but it's not necessary. Since the database is signed with the local key, which is kept off-host, tripwire would alert you if the database changed unexpectedly.
Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:
# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check
Another tempting alternative is to mount trippy's disks remotely on trusty, preferably read-only, using a network filesystem such as NFS or AFS, and then run the Tripwire check on trusty. This method, however, is only as secure as your network filesystem software.
rsync(1), ssh(1).