Linux Security Cookbook [Electronic resources]

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

نسخه متنی -صفحه : 247/ 23
نمايش فراداده

Recipe 1.8 Expensive, Ultra-Paranoid Security Checking

1.8.1 Problem

You want highly secure integrity checks and are willing to shell out additional money for them.

1.8.2 Solution

Store your files on a dual-ported disk array. Mount the disk array read-only on a second, trusted machine that has no network connection. Run your Tripwire scans on the second machine.

1.8.3 Discussion

A dual-ported disk array permits two machines to access the same physical disk. If you've got money to spare for increased security, this might be a reasonable approach to securing Tripwire.

Once again, let

trippy be your machine in need of Tripwire scans.

trusty is a highly secure second machine, built directly from trusted source or binary packages with all necessary security patches applied, that has no network connection and has never been accessible to third parties.

trippy 's primary storage is kept on a dual-ported disk array. Mount this array on

trusty read-only. Perform all Tripwire-related operations on

trusty : initializing the database, running integrity checks, and so forth. The Tripwire database, binaries, keys, policy, and configuration are likewise kept on

trusty . Since

trusty is inaccessible via any network, your Tripwire checks will be as reliable as the physical security of

trusty .