You want highly secure integrity checks, at the expense of speed and convenience.
Securely create a bootable CD-ROM containing a minimal Linux system, the tripwire binary, and your local and site keys. Disconnect your computer from all networks, boot on the CD-ROM, and perform an integrity check of your computer's disks, using executable programs on the CD-ROM only.
Back up your Tripwire database, configuration, and policy frequently, in case an attacker deletes them from your system.
This cumbersome but more secure method requires at least two computers, one of them carefully trusted. As before, we'll call the trusted system
trusty and the Tripwire machine
trippy . Our goal is to run secure Tripwire checks on
trippy .
The first important step is to create a bootable CD-ROM securely. This means:
Create the CD-ROM on
trusty , a virgin Linux machine built directly from trusted source or binary packages, that has never been on a network or otherwise accessible to third parties. Apply all necessary security patches to bring
trusty up to date.
Configure the CD-ROM's startup scripts to disable all networking.
Populate the CD-ROM directly from trusted source or binary packages.
Create your Tripwire site key and local key on
trusty .
Second, boot
trippy on the CD-ROM, mount the local disks, and create
trippy 's Tripwire database, using the tripwire binary and keys on the CD-ROM. Since the Tripwire database, policy, and configuration files are signed with keys on the CD-ROM, these files may safely reside on
trippy , rather than the CD-ROM.
Third, you must boot
trippy on the CD-ROM before running an integrity check. Otherwise, if you simply mount the CD-ROM on
trippy and run the tripwire binary from the CD-ROM, you are not protected against:
Compromised shared libraries on
trippy , if your tripwire binary is dynamically linked.
A compromised Linux kernel on
trippy .
A compromised mount point for the CD-ROM on
trippy .
See, we told you this recipe was for the paranoid. But if you want higher security with Tripwire, you might need this level of caution.
For more convenience, you could schedule a cron job to reboot
trippy nightly from the CD-ROM, which runs the Tripwire check and then reboots
trippy normally. Do not, however, schedule this cron job on
trippy itself, since cron could be compromised. Instead, schedule it on
trusty , perhaps triggering the reboot via an SSH batch job. [Recipe 6.10]
A good starting point for making a self-contained bootable CD-ROM or floppy is tomsrtbt at http://www.toms.net/rb.
Consider including post-mortem security tools on the CD-ROM, such as the Coroner's Toolkit. [Recipe 9.41]