Fingerprint Documentation

  1. Introduction
  2. Installation
  3. Generating Fingerprints
  4. Comparing Fingerprints
  5. Archival Usage
  6. Data Preservation
  7. Data Transmission
  8. Backup Integrity
  9. Security Tripwire
  10. Cryptographic Sealing
  11. Notarizing
  12. Final Words

Malicious modification of files can be detected using Fingerprint. This setup is typically referred to as a Tripwire, because when an attacker modifies some critical system files, the system administrator will be notified.

To ensure the validity of the fingerprint data, it should not be stored on the server being monitored, but instead computed from and stored on a separate remote server. This can be done once an hour or once a day. If data integrity issues are detected, the administrator can be notified via email.

Example Tripwire Script

The following script will connect to the remote server and fingerprint a directory:

#!/usr/bin/env ruby

require 'fileutils'

REMOTE = "server.example.com"
DIRECTORY = "/etc"
PREVIOUS = "previous.fingerprint"
LATEST = "latest.fingerprint"

# Keep the previous run's fingerprint so the new one can be compared against it.
if File.exist? LATEST
	FileUtils.mv LATEST, PREVIOUS
end

# Run fingerprint on the remote host. The redirection is local, so the
# fingerprint data is stored on this (monitoring) machine, not on the server.
$stderr.puts "Generating fingerprint of #{REMOTE}:#{DIRECTORY}..."
unless system("ssh #{REMOTE} fingerprint #{DIRECTORY} > #{LATEST}")
	# A failed ssh or fingerprint run leaves an empty LATEST; comparing against
	# it would report every file as removed, so restore the previous state and exit.
	$stderr.puts "Failed to generate fingerprint of #{REMOTE}:#{DIRECTORY}"
	File.delete(LATEST) if File.exist? LATEST
	FileUtils.mv PREVIOUS, LATEST if File.exist? PREVIOUS
	exit 1
end

if File.exist? PREVIOUS
	$stderr.puts "Comparing fingerprints..."
	system('fingerprint', '-c', PREVIOUS, LATEST)
end

This could be used as an hourly cron job.