rsync - Linux Security Cookbook - Recipe 1.6 Remote Integrity Checking
2009-01-24 15:32
Recipe 1.6 Remote Integrity Checking
1.6.1 Problem
You want to perform an integrity check, but to increase security, you store vital
Tripwire files off-host.
1.6.2 Solution
Store copies of the site key, local key, and tripwire binary on a trusted remote machine that has no incoming network access. Use
rsync, securely tunneled through
ssh, to verify that the originals and copies are identical, and to
trigger an integrity check.
The initial setup on remote machine trusty is:
#!/bin/sh
# Run once on trusty: pull the vital Tripwire files from trippy into a
# safe directory. rsync is tunneled through ssh via --rsh.
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
VITAL_FILES="/usr/sbin/tripwire /etc/tripwire/site.key /etc/tripwire/${REMOTE_MACHINE}-local.key"
mkdir $SAFE_DIR
for file in $VITAL_FILES
do
    $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done
Prior to running every integrity check on the local machine,
verify these three files by comparing them to the remote copies. The following
code should be run on trusty, assuming the same
variables as in the preceding script (REMOTE_MACHINE, etc.):
#!/bin/sh
# Run on trusty before each check, with REMOTE_MACHINE, RSYNC, SAFE_DIR and
# VITAL_FILES set as in the setup script. The dry run (-n) lists any file
# that differs from the safe copy; fgrep -x keeps only exact filename lines.
cd $SAFE_DIR
rm -f log
for file in $VITAL_FILES
do
    base=`basename $file`
    $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
if [ -s log ] ; then
    echo 'Security alert!'
else
    ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi
1.6.3 Discussion
rsync is a handy utility for synchronizing files on two
machines. In this recipe we tunnel rsync through ssh, the Secure
Shell, to provide secure authentication and to encrypt communication between
trusty and trippy.
(This assumes you have an appropriate SSH infrastructure set up between trusty and trippy, e.g.,
[Recipe
6.4]. If not, rsync can be used insecurely without SSH, but we don't
recommend it.)
The --progress
option of rsync produces output only if the local and remote files
differ, and the -n option causes
rsync not to copy files, merely reporting what it would do. The
fgrep command removes all output
but the filenames in question. (We use fgrep because it matches fixed strings, not regular expressions, since
filenames commonly contain special characters like "." found in regular
expressions.) The fgrep -x option matches whole lines, or in this case,
filenames. Thus, the file log is empty if and only if the local and
remote files are identical, triggering the integrity check.
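The dry-run comparison just described, run between two local directories so it can be tried without a second host. This is an added example, not the book's code; it assumes rsync, grep -F (equivalent to fgrep) and a writable temp directory, and it goes one step beyond the recipe by showing that the default quick check (size and mtime) misses a same-size, same-mtime replacement that --checksum catches.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook. Reproduces the recipe's
# rsync dry-run comparison between two local directories ("live" stands in
# for trippy, "safe" for the copies on trusty) and shows why --checksum matters.
# Assumed: rsync, grep -F and a writable temp dir are available.
set -u

RSYNC_QUICK='rsync -a -v -n'            # recipe's check: size + mtime only
RSYNC_SUM='rsync -a -v -n --checksum'   # force a content comparison

# Print the basenames of files under $2 that rsync would (re)send to $3,
# mirroring the recipe's "$RSYNC -n remote:file . | fgrep -x basename".
# grep -F -x is the same as fgrep -x; "|| :" keeps a non-match from aborting
# the loop when "set -e" is in effect.
changed_files() {  # $1 = rsync command, $2 = source dir, $3 = safe dir
    for f in "$2"/*; do
        base=$(basename "$f")
        $1 "$f" "$3/" | grep -F -x "$base" || :
    done
}

# Build constructed sample files, tamper with one of them without changing
# its size or mtime, and report what each check notices.
demo() {
    work=$(mktemp -d)
    mkdir "$work/live" "$work/safe"
    printf 'genuine tripwire binary\n' > "$work/live/tripwire"
    printf 'site key material here\n'  > "$work/live/site.key"
    cp -p "$work/live/"* "$work/safe/"        # -p keeps the mtimes equal

    # Same length, same mtime (copied back with touch -r), different bytes
    printf 'GENUINE tripwire binary\n' > "$work/live/tripwire"
    touch -r "$work/safe/tripwire" "$work/live/tripwire"

    quick=$(changed_files "$RSYNC_QUICK" "$work/live" "$work/safe")
    sum=$(changed_files "$RSYNC_SUM" "$work/live" "$work/safe")
    rm -rf "$work"
    # Expected: quick:[] checksum:[tripwire]
    printf 'quick:[%s] checksum:[%s]\n' "$quick" "$sum"
}
```

Adding -c (--checksum) to RSYNC in the recipe makes the check compare file contents rather than only size and modification time, at the cost of reading each file fully.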
You might be tempted to store the Tripwire database remotely as
well, but it's not necessary. Since the database is signed with the local key,
which is kept off-host, tripwire would alert you if the database changed
unexpectedly.
Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:
# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check
Another tempting
alternative is to mount trippy's disks remotely
on trusty, preferably read-only, using a network
filesystem such as NFS or AFS, and then run the Tripwire check on trusty. This method, however, is only as secure as your
network filesystem software.
1.6.4 See Also
rsync(1), ssh(1).