#10 print digest of created report

open
None
5
2005-11-20
2005-11-19
No

The typical tripwire installation has tripwire running
from a cron job. It checks the current filesystem
against the database and creates a signed report. The
output from this process is emailed to the host's
administrators.

Now imagine that the system is compromised and the
tripwire binary is replaced. It seems to me that the
attacker could replace the existing tripwire reports.
After the attack is discovered, the admins will have no
way to know which reports are to be trusted. This
indicates a need to copy the reports off the machine,
to a secure location. For those situations where
automatic or manual copying is not feasible, perhaps a
cryptographic hash of the report file would suffice?

I propose that tripwire should output the SHA-1 hash of
the report file after it is written to disk. Cron
would then email this information to the
administrators, where it would be carried off the
server, to a safe location. If the machine is later
cracked, report validity could be
checked by comparing the SHA-1 digests of the files with
the previously generated emails.

-Michael
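The flow proposed above, written out as an added example (not tripwire's own code): a cron-side script that hashes the report once it is on disk, mails the digest line off the host, and later checks a report against that saved line. Assumed here: REPORT_DIR as the report directory, ADMIN as the mail recipient, and GNU sha1sum plus mail(1) on the host.

```shell
#!/bin/sh
# Added example, not part of tripwire: record and later verify the SHA-1
# digest of a tripwire report, as proposed in the request above.
# Assumptions: REPORT_DIR is where tripwire writes its .twr reports, ADMIN is
# the off-host mail recipient, GNU sha1sum and mail(1) are installed.

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"
ADMIN="${ADMIN:-root}"

# digest_report FILE
# Prints "<sha1>  <path>", the line format that sha1sum -c can check later.
digest_report() {
    sha1sum "$1"
}

# run_check
# The cron step: run the integrity check, locate the newest report and mail
# its digest line to the administrators. That mail is the off-host copy.
run_check() {
    tripwire --check >/dev/null 2>&1
    latest=$(ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || return 1
    digest_report "$latest" | mail -s "tripwire report digest: $(hostname)" "$ADMIN"
}

# verify_report DIGEST_LINE
# After an incident: compare a digest line saved from the mail with the report
# now on disk. Returns 0 if the file matches, 1 if it differs or is missing,
# so any report with no mailed digest, or a mismatching one, is not trusted.
verify_report() {
    printf '%s\n' "$1" | sha1sum -c --status
}
```

The digest only shows that a report is unchanged since its line was mailed; it says nothing about whether the check that produced it ran on an already-compromised host.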

Discussion

  • Ron Forrester

    Ron Forrester - 2005-11-20

    This is a good idea. Will keep it in as a feature request
    and get to it soon.

  • Ron Forrester

    Ron Forrester - 2005-11-20
    • assigned_to: nobody --> itripn