1.5. Read-Only Integrity Checking

Problem

You want to store Tripwire’s most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.

Solution

  1. Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.

    # mount /mnt/cdrom
    # ls -l /mnt/cdrom
    total 2564
    -r--r-----    1 root     root          931 Feb 21 12:20 site.key
    -r--r-----    1 root     root          931 Feb 21 12:20 myhost-local.key
    -r-xr-xr-x    1 root     root      2612200 Feb 21 12:19 tripwire
  2. Generate the Tripwire configuration file in plaintext: [Recipe 1.2]

    # DIR=/etc/tripwire
    # cd $DIR
    # twadmin --print-cfgfile > twcfg.txt
  3. Edit the configuration file to point to these copies: [Recipe 1.3]

     /etc/tripwire/twcfg.txt:

    ROOT=/mnt/cdrom
    SITEKEYFILE=/mnt/cdrom/site.key
    LOCALKEYFILE=/mnt/cdrom/myhost-local.key
  4. Sign your modified Tripwire configuration file: [Recipe 1.3]

    # SITE_KEY=/mnt/cdrom/site.key
    # twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \
              --site-keyfile $SITE_KEY $DIR/twcfg.txt
  5. Regenerate the tripwire database [Recipe 1.3] and unmount the CD-ROM:

    # /mnt/cdrom/tripwire --init
    # umount /mnt/cdrom

Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:

    # mount /mnt/cdrom
    # /mnt/cdrom/tripwire --check
    # umount /mnt/cdrom

Discussion

The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. Other Tripwire-related files, such as the database, policy, and configuration, are signed by the keys, so alterations would be detected. (Back them up frequently, however, in case an attacker deletes them!)

Before copying /usr/sbin/tripwire to CD-ROM, make sure it is statically linked (which is the default configuration) so it does not depend on any shared runtime libraries that could be compromised:

    $ ldd /usr/sbin/tripwire
    not a dynamic executable
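
An added example (not from the book): a wrapper for the check procedure above that refuses to run unless /mnt/cdrom is really mounted read-only and the tripwire binary on it is statically linked. It assumes Linux's /proc/mounts and an /etc/fstab entry for /mnt/cdrom, as the recipe's `mount /mnt/cdrom` implies; the function names and the `--run` argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks around "tripwire --check" on read-only media.
MNT=${MNT:-/mnt/cdrom}          # mount point used in this recipe
MOUNTS=${MOUNTS:-/proc/mounts}  # assumption: Linux mount table

# Exit 0 if mount point $1 carries the "ro" option in mount table $2
# (fields: device mountpoint fstype options ...), 1 if it is writable,
# 2 if it is not mounted. The last matching entry wins, because a later
# mount on the same directory shadows an earlier one.
is_mounted_ro() {
    awk -v mnt="$1" '
        $2 == mnt { opts = $4; found = 1 }
        END {
            if (!found) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }' "$2"
}

# Exit 0 if the ldd output passed as $1 reports a statically linked file.
ldd_says_static() {
    case $1 in
        *"not a dynamic executable"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mount, verify, check, and always unmount. Returns tripwire's exit status,
# or 1 if a pre-flight check fails.
readonly_check() {
    mount "$MNT" || return 1
    status=0
    if ! is_mounted_ro "$MNT" "$MOUNTS"; then
        echo "$MNT is not mounted read-only; not running the check" >&2
        status=1
    elif ! ldd_says_static "$(ldd "$MNT/tripwire" 2>&1)"; then
        echo "$MNT/tripwire is not statically linked; not running the check" >&2
        status=1
    else
        "$MNT/tripwire" --check || status=$?
    fi
    umount "$MNT"
    return "$status"
}

# Run the real procedure only when asked, e.g.: sh ro-check.sh --run
if [ "${1:-}" = "--run" ]; then
    readonly_check
fi
```

The `ro` mount flag only confirms how the kernel mounted the media; the protection the recipe relies on still comes from the disk itself being write-protected.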

See Also

twadmin(8), tripwire(8), ldd(1), mount(8).
