Security Tripwire
Malicious modification of files can be detected using Fingerprint. This setup is commonly referred to as a tripwire: when an attacker modifies critical system files, the system administrator is notified.
To ensure the validity of the fingerprint data, it should not be stored on the server being monitored, but instead computed from that server and stored on a remote machine, where a compromise of the monitored host cannot tamper with it. This can be done once an hour or once a day. If data integrity issues are detected, the administrator can be notified via email.
Example Tripwire Script
The following script will connect to the remote server and fingerprint a directory:
```ruby
#!/usr/bin/env ruby
require 'fileutils'

# The host being monitored and the directory to fingerprint on it.
REMOTE = "server.example.com"
DIRECTORY = "/etc"

# Fingerprints are kept on this (monitoring) machine, not on the monitored host.
PREVIOUS = "previous.fingerprint"
LATEST = "latest.fingerprint"

# Keep the last fingerprint so the new one can be compared against it.
if File.exist? LATEST
	FileUtils.mv LATEST, PREVIOUS
end

$stderr.puts "Generating fingerprint of #{REMOTE}:#{DIRECTORY}..."
# Run fingerprint on the remote host over SSH; the output is redirected into a local file.
unless system("ssh #{REMOTE} fingerprint #{DIRECTORY} > #{LATEST}")
	abort "Failed to generate fingerprint of #{REMOTE}:#{DIRECTORY}!"
end

if File.exist? PREVIOUS
	$stderr.puts "Comparing fingerprints..."
	# Report any differences between the previous and the latest fingerprint.
	system('fingerprint', '-c', PREVIOUS, LATEST)
end
```
This could be used as an hourly cron job.