Security Tripwire

Malicious modification of files can be detected using Fingerprint. This setup is typically referred to as a Tripwire, because when an attacker modifies some critical system files, the system administrator will be notified.

In order to ensure the validity of fingerprint data, it should not be stored on the server being monitored: an attacker who can modify files there can also modify the stored fingerprint. Instead, the fingerprint should be computed from, and stored on, a separate trusted host. This can then be repeated once an hour or once a day, and if data integrity issues are detected, the administrator can be notified via email.

Example Tripwire Script

The following script will connect to the remote server and fingerprint a directory:

#!/usr/bin/env ruby

require 'fileutils'

# Host to fingerprint, and the directory on that host to check.
REMOTE = "server.example.com"
DIRECTORY = "/etc"

# Fingerprints are kept on this (trusted) machine, not on REMOTE.
PREVIOUS = "previous.fingerprint"
LATEST = "latest.fingerprint"

# Rotate the last run's fingerprint so the new one can be compared against it.
if File.exist? LATEST
	FileUtils.mv LATEST, PREVIOUS
end

$stderr.puts "Generating fingerprint of #{REMOTE}:#{DIRECTORY}..."
# Run fingerprint on the remote host and capture its output locally. Passing
# the arguments separately avoids going through a local shell. Abort if ssh
# fails, since an empty LATEST would make every file look as if it had been removed.
unless system('ssh', REMOTE, 'fingerprint', DIRECTORY, out: LATEST)
	abort "Failed to fingerprint #{REMOTE}:#{DIRECTORY}"
end

if File.exist? PREVIOUS
	$stderr.puts "Comparing fingerprints..."
	# Report any differences between the previous and the latest fingerprint.
	system('fingerprint', '-c', PREVIOUS, LATEST)
end

This could be used as an hourly cron job; cron will email the job's output to the administrator, so any reported differences arrive as a notification.
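To show what the fingerprint-and-compare step actually involves, here is an added, self-contained example of the same tripwire logic in plain Ruby. It is not code from the Fingerprint project: it builds its own manifest (relative path, SHA-256 and size for every file under a directory), rotates the latest manifest to the previous one, and reports added, removed and modified files. The helper names (build_manifest, compare_manifests, tripwire_check, changes?) and the JSON manifest format are assumptions made for this example, and the sample directory it creates is constructed inline.

```ruby
#!/usr/bin/env ruby
# Added example, not the Fingerprint gem's own code. A minimal tripwire:
# build a manifest of a directory tree, compare it with the previous run's
# manifest, and report added, removed and modified files.
require 'digest'
require 'json'
require 'find'
require 'tmpdir'
require 'fileutils'

# Walk +root+ and return a Hash mapping each file's relative path to its
# SHA-256 digest and size. Directories and special files are skipped.
def build_manifest(root)
  manifest = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path.sub(/\A#{Regexp.escape(root)}\/?/, '')
    manifest[rel] = {
      'sha256' => Digest::SHA256.file(path).hexdigest,
      'size' => File.size(path),
    }
  end
  manifest
end

# Compare two manifests; returns sorted arrays of added, removed and modified paths.
def compare_manifests(previous, latest)
  {
    added: (latest.keys - previous.keys).sort,
    removed: (previous.keys - latest.keys).sort,
    modified: (previous.keys & latest.keys).select { |k| previous[k] != latest[k] }.sort,
  }
end

def save_manifest(manifest, path)
  File.write(path, JSON.pretty_generate(manifest))
end

def load_manifest(path)
  JSON.parse(File.read(path))
end

# One tripwire run: rotate latest -> previous, fingerprint +root+, then compare.
# Returns nil on the first run (nothing to compare yet), otherwise the diff Hash.
def tripwire_check(root, latest_path, previous_path)
  FileUtils.mv(latest_path, previous_path) if File.exist?(latest_path)
  save_manifest(build_manifest(root), latest_path)
  return nil unless File.exist?(previous_path)
  compare_manifests(load_manifest(previous_path), load_manifest(latest_path))
end

# True if any file was added, removed or modified since the previous run.
def changes?(diff)
  diff.values.any? { |list| !list.empty? }
end

# Stand-in for the notification step (cron mail, or a call to a mailer).
def notify(diff)
  diff.each { |kind, paths| paths.each { |p| $stderr.puts "#{kind}: #{p}" } }
end

if __FILE__ == $0
  # Constructed sample tree: two runs, with changes made between them.
  Dir.mktmpdir do |dir|
    root = File.join(dir, 'etc')
    FileUtils.mkdir_p(File.join(root, 'sub'))
    File.write(File.join(root, 'passwd'), "root:x:0:0\n")
    File.write(File.join(root, 'sub', 'hosts'), "127.0.0.1 localhost\n")
    latest = File.join(dir, 'latest.json')
    previous = File.join(dir, 'previous.json')

    tripwire_check(root, latest, previous) # first run: baseline only

    File.write(File.join(root, 'passwd'), "root:x:0:0\nextra:x:0:0\n")
    File.write(File.join(root, 'new.conf'), "option = 1\n")
    File.delete(File.join(root, 'sub', 'hosts'))

    diff = tripwire_check(root, latest, previous)
    notify(diff) if changes?(diff)
  end
end
```

The manifest is stored on the machine running the check, mirroring the page's advice: the monitored tree is read, but its baseline never lives there. The comparison treats a size change with an unchanged digest as a modification too, which is a cheap guard against a truncated or partially written manifest.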