[ Team LiB ] Previous Section Next Section

Recipe 1.5 Read-Only Integrity Checking

1.5.1 Problem

You want to store Tripwire's most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.

1.5.2 Solution

  1. Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.

    # mount /mnt/cdrom
# ls -l /mnt/cdrom
total 2564
-r--r-----    1 root     root          931 Feb 21 12:20 site.key
-r--r-----    1 root     root          931 Feb 21 12:20 myhost-local.key
-r-xr-xr-x    1 root     root      2612200 Feb 21 12:19 tripwire

  2. Generate the Tripwire configuration file in plaintext: [Recipe 1.2]

    # DIR=/etc/tripwire
# cd $DIR
# twadmin --print-cfgfile > twcfg.txt

  3. Edit the configuration file to point to these copies: [Recipe 1.3]

    /etc/tripwire/twcfg.txt:
ROOT=/mnt/cdrom
SITEKEYFILE=/mnt/cdrom/site.key
LOCALKEYFILE=/mnt/cdrom/myhost-local.key

  4. Sign your modified Tripwire configuration file: [Recipe 1.3]

    # SITE_KEY=/mnt/cdrom/site.key
# twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \
          --site-keyfile $SITE_KEY $DIR/twcfg.txt

  5. Regenerate the tripwire database [Recipe 1.3] and unmount the CD-ROM:

    # /mnt/cdrom/tripwire --init
# umount /mnt/cdrom

Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:

# mount /mnt/cdrom
# /mnt/cdrom/tripwire --check
# umount /mnt/cdrom

1.5.3 Discussion

The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. Other Tripwire-related files, such as the database, policy, and configuration, are signed by the keys, so alterations would be detected. (Back them up frequently, however, in case an attacker deletes them!)

Before copying /usr/sbin/tripwire to CD-ROM, make sure it is statically linked (which is the default configuration) so it does not depend on any shared runtime libraries that could be compromised:

$ ldd /usr/sbin/tripwire
not a dynamic executable

1.5.4 See Also

twadmin(8), tripwire(8), ldd(1), mount(8).
    [ Team LiB ] Previous Section Next Section