1.5. Read-Only Integrity Checking
Problem
You want to store Tripwire’s most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.
Solution
Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.
# mount /mnt/cdrom
# ls -l /mnt/cdrom
total 2564
-r--r-----    1 root     root          931 Feb 21 12:20 site.key
-r--r-----    1 root     root          931 Feb 21 12:20 myhost-local.key
-r-xr-xr-x    1 root     root      2612200 Feb 21 12:19 tripwire
Generate the Tripwire configuration file in plaintext: [Recipe 1.2]
# DIR=/etc/tripwire
# cd $DIR
# twadmin --print-cfgfile > twcfg.txt
Edit the configuration file to point to these copies: [Recipe 1.3]
/etc/tripwire/twcfg.txt:
ROOT=/mnt/cdrom
SITEKEYFILE=/mnt/cdrom/site.key
LOCALKEYFILE=/mnt/cdrom/myhost-local.key
Sign your modified Tripwire configuration file: [Recipe 1.3]
# SITE_KEY=/mnt/cdrom/site.key
# twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \
    --site-keyfile $SITE_KEY $DIR/twcfg.txt
Regenerate the Tripwire database [Recipe 1.3] and unmount the CD-ROM:
# /mnt/cdrom/tripwire --init
# umount /mnt/cdrom
Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:
# mount /mnt/cdrom
# /mnt/cdrom/tripwire --check
# umount /mnt/cdrom
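The check step above depends on the media actually being write-protected when it is mounted. As an added example (not from the recipe), the wrapper below refuses to run the check unless the mount point is listed read-only and the three protected files are present with no write bit; the mount point, file names and the /proc/mounts path are assumptions that follow the recipe.

```shell
#!/bin/sh
# Added example, not part of the cookbook recipe. Mount point, file names and
# the mounts-table path are assumptions that follow the recipe above.

# is_mounted_ro MOUNTPOINT [MOUNTS_FILE]: succeed only if MOUNTPOINT is listed
# with the "ro" option. MOUNTS_FILE defaults to /proc/mounts; another path can
# be given to exercise the logic against a constructed table.
is_mounted_ro() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }' "$mounts"
}

# media_ok MEDIA_DIR: the site key, local key and tripwire binary must all
# exist and carry no write bit for anyone.
media_ok() {
    dir=$1
    for f in site.key myhost-local.key tripwire; do
        [ -f "$dir/$f" ] || return 1
        case $(ls -l "$dir/$f" | cut -c1-10) in
            *w*) return 1 ;;   # a write bit is set: media is not write-protected
        esac
    done
    return 0
}

# run_check MOUNTPOINT: mount the media, refuse unless it is read-only and the
# protected files are intact, run the check, and unmount again.
# Usage: run_check /mnt/cdrom
run_check() {
    mp=$1
    mount "$mp" || return 1
    rc=1
    if is_mounted_ro "$mp" && media_ok "$mp"; then
        rc=0
        "$mp/tripwire" --check || rc=$?
    else
        echo "refusing: $mp not read-only, or protected files missing/writable" >&2
    fi
    umount "$mp"
    return $rc
}
```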
Discussion
The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. Other Tripwire-related ...