The typical tripwire installation has tripwire running
from a cron job. It checks the current filesystem
against the database and creates a signed report. The
output from this process is emailed to the host's
Now imagine that the system is compromised and the
tripwire binary is replaced. It seems to me that the
attacker could replace the existing tripwire reports.
After the attack is discovered, the admins will have no
way to know which reports are to be trusted. This
indicates a need to copy the reports off the machine,
to a secure location. For those situations where
automatic or manual copying are not feasible, perhaps a
cryptographic hash of the report file would suffice?
I propose that tripwire should output the SHA-1 hash of
the report file after it is written to disk. Cron
would then email this information to the
administrators, where it would be carried off the
server, to a safe location. If the machine is later
cracked, report validity could be
checked by comparing the SHA-1 digests of the files with
the previously generated emails.