Recipe 1.7 Ultra-Paranoid Integrity Checking

1.7.1 Problem

You want highly secure integrity checks, at the expense of speed and convenience.

1.7.2 Solution

Securely create a bootable CD-ROM containing a minimal Linux system, the tripwire binary, and your local and site keys. Disconnect your computer from all networks, boot on the CD-ROM, and perform an integrity check of your computer's disks, using executable programs on the CD-ROM only.

Back up your Tripwire database, configuration, and policy frequently, in case an attacker deletes them from your system.

1.7.3 Discussion

This cumbersome but more secure method requires at least two computers, one of them carefully trusted. As before, we'll call the trusted system trusty and the Tripwire machine trippy. Our goal is to run secure Tripwire checks on trippy.

The first important step is to create a bootable CD-ROM securely. This means:

• Create the CD-ROM on trusty, a virgin Linux machine built directly from trusted source or binary packages, that has never been on a network or otherwise accessible to third parties. Apply all necessary security patches to bring trusty up to date.

• Configure the CD-ROM's startup scripts to disable all networking.

• Populate the CD-ROM directly from trusted source or binary packages.

• Create your Tripwire site key and local key on trusty.

Second, boot trippy on the CD-ROM, mount the local disks, and create trippy's Tripwire database, using the tripwire binary and keys on the CD-ROM. Since the Tripwire database, policy, and configuration files are signed with keys on the CD-ROM, these files may safely reside on trippy, rather than the CD-ROM.

Third, you must boot trippy on the CD-ROM before running an integrity check. Otherwise, if you simply mount the CD-ROM on trippy and run the tripwire binary from the CD-ROM, you are not protected against:

• Compromised shared libraries on trippy, if your tripwire binary is dynamically linked.

• A compromised Linux kernel on trippy.

• A compromised mount point for the CD-ROM on trippy.

See, we told you this recipe was for the paranoid. But if you want higher security with Tripwire, you might need this level of caution.

For more convenience, you could schedule a cron job to reboot trippy nightly from the CD-ROM, which runs the Tripwire check and then reboots trippy normally. Do not, however, schedule this cron job on trippy itself, since cron could be compromised. Instead, schedule it on trusty, perhaps triggering the reboot via an SSH batch job. [Recipe 6.10]

1.7.4 See Also

A good starting point for making a self-contained bootable CD-ROM or floppy is tomsrtbt at http://www.toms.net/rb.

Consider including post-mortem security tools on the CD-ROM, such as the Coroner's Toolkit. [Recipe 9.41]