[ Team LiB ] Previous Section Next Section

Recipe 1.6 Remote Integrity Checking

1.6.1 Problem

You want to perform an integrity check, but to increase security, you store vital Tripwire files off-host.

In this recipe and others, we use two machines: your original machine to be checked, which we'll call trippy, and a second, trusted machine we'll call trusty. trippy is the untrusted machine whose integrity you want to check with Tripwire. trusty is a secure machine, typically with no incoming network access.

1.6.2 Solution

Store copies of the site key, local key, and tripwire binary on a trusted remote machine that has no incoming network access. Use rsync, securely tunneled through ssh, to verify that the originals and copies are identical, and to trigger an integrity check.

The initial setup on remote machine trusty is:

#!/bin/sh
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
VITAL_FILES="/usr/sbin/tripwire 
        /etc/tripwire/site.key 
        /etc/tripwire/${REMOTE_MACHINE}-local.key"

mkdir $SAFE_DIR
for file in $VITAL_FILES
do 
        $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done

Prior to running every integrity check on the local machine, verify these three files by comparing them to the remote copies. The following code should be run on trusty, assuming the same variables as in the preceding script (REMOTE_MACHINE, etc.):

#!/bin/sh
cd $SAFE_DIR
rm -f log
for file in $VITAL_FILES
do
        base=`basename $file`
        $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
if [ -s log ] ; then
        echo 'Security alert!'
else
        ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi

1.6.3 Discussion

rsync is a handy utility for synchronizing files on two machines. In this recipe we tunnel rsync through ssh, the Secure Shell, to provide secure authentication and to encrypt communication between trusty and trippy. (This assumes you have an appropriate SSH infrastructure set up between trusty and trippy, e.g., [Recipe 6.4]. If not, rsync can be used insecurely without SSH, but we don't recommend it.)

The —progress option of rsync produces output only if the local and remote files differ, and the -n option causes rsync not to copy files, merely reporting what it would do. The fgrep command removes all output but the filenames in question. (We use fgrep because it matches fixed strings, not regular expressions, since filenames commonly contain special characters like "." found in regular expressions.) The fgrep -x option matches whole lines, or in this case, filenames. Thus, the file log is empty if and only if the local and remote files are identical, triggering the integrity check.

You might be tempted to store the Tripwire database remotely as well, but it's not necessary. Since the database is signed with the local key, which is kept off-host, tripwire would alert you if the database changed unexpectedly.

Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:

# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check

Another tempting alternative is to mount trippy's disks remotely on trusty, preferably read-only, using a network filesystem such as NFS or AFS, and then run the Tripwire check on trusty. This method, however, is only as secure as your network filesystem software.

1.6.4 See Also

rsync(1), ssh(1).

    [ Team LiB ] Previous Section Next Section