You want highly secure integrity checks, at the expense of speed and convenience.

Securely create a bootable CD-ROM containing a minimal Linux system, the tripwire binary, and your local and site keys. Disconnect your computer from all networks, boot on the CD-ROM, and perform an integrity check of your computer’s disks, using executable programs on the CD-ROM only.

Back up your Tripwire database, configuration, and policy frequently, in case an attacker deletes them from your system.

This cumbersome but more secure method requires at least two computers, one of them carefully trusted. As before, we’ll call the trusted system trusty and the Tripwire machine trippy. Our goal is to run secure Tripwire checks on trippy.

The first important step is to create a bootable CD-ROM securely. This means:

Second, boot trippy on the CD-ROM, mount the local disks, and create trippy’s Tripwire database, using the tripwire binary and keys on the CD-ROM. Since the Tripwire database, policy, and configuration files are signed with keys on the CD-ROM, these files may safely reside on trippy, rather than the CD-ROM.

Third, you must boot trippy on the CD-ROM before running an integrity check. Otherwise, if you simply mount the CD-ROM on trippy and run the tripwire binary from the CD-ROM, you are not protected against:

See, we told you this recipe was for the paranoid. But if you want higher security with Tripwire, you might need this level of caution.

For more convenience, you could schedule a cron job to reboot trippy nightly from the CD-ROM, which runs the Tripwire check and then reboots trippy normally. Do not, however, schedule this cron job on trippy itself, since cron could be compromised. Instead, schedule it on trusty, perhaps triggering the reboot via an SSH batch job. [Recipe 6.10]

A good starting point for making a self-contained bootable CD-ROM or floppy is tomsrtbt at http://www.toms.net/rb.

Consider including post-mortem security tools on the CD-ROM, such as the Coroner’s Toolkit. [Recipe 9.41]