rsync - Linux Security Cookbook - Recipe 1.6 Remote Integrity Checking

rsync - Linux Security Cookbook - Recipe 1.6 Remote Integrity Checking

Recipe 1.6 Remote Integrity Checking

1.6.1 Problem

You
want to perform an integrity check, but to increase security, you store vital
Tripwire files off-host.

In this recipe and others, we use two machines: your original machine to be checked, which we'll call trippy, and a second, trusted machine we'll call trusty. trippy is the untrusted machine whose integrity you want to check with Tripwire. trusty is a secure machine, typically with no incoming network access.

1.6.2 Solution

Store copies of the site key, local key, and tripwire
binary on a trusted remote machine that has no incoming network access. Use
rsync, securely tunneled through
ssh, to verify that the originals and copies are identical, and to
trigger an integrity check.
The initial setup on remote machine trusty is:

#!/bin/sh
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
VITAL_FILES="/usr/sbin/tripwire 
        /etc/tripwire/site.key 
        /etc/tripwire/${REMOTE_MACHINE}-local.key"

mkdir $SAFE_DIR
for file in $VITAL_FILES
do 
        $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done

Prior to running every integrity check on the local machine,
verify these three files by comparing them to the remote copies. The following
code should be run on trusty, assuming the same
variables as in the preceding script (REMOTE_MACHINE, etc.):

#!/bin/sh
cd $SAFE_DIR
rm -f log
for file in $VITAL_FILES
do
        base=`basename $file`
        $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
if [ -s log ] ; then
        echo 'Security alert!'
else
        ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi

1.6.3 Discussion

rsync is a handy
utility for synchronizing files on two
machines. In this recipe we tunnel rsync through ssh, the Secure
Shell, to provide secure authentication and to encrypt communication between
trusty and trippy.
(This assumes you have an appropriate SSH infrastructure set up between trusty and trippy, e.g.,
[Recipe
6.4]. If not, rsync can be used insecurely without SSH, but we don't
recommend it.)
The —progress
option of rsync produces output only if the local and remote files
differ, and the -n option causes
rsync not to copy files, merely reporting what it would do. The
fgrep command removes all output
but the filenames in question. (We use fgrep because it matches fixed strings, not regular expressions, since
filenames commonly contain special characters like "." found in regular
expressions.) The fgrep -x option matches whole lines, or in this case,
filenames. Thus, the file log is empty if and only if the local and
remote files are identical, triggering the integrity check.
You might be tempted to store the Tripwire database remotely as
well, but it's not necessary. Since the database is signed with the local key,
which is kept off-host, tripwire would alert you if the database changed
unexpectedly.
Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:

# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check

Another tempting
alternative is to mount trippy's disks remotely
on trusty, preferably read-only, using a network
filesystem such as NFS or AFS, and then run the Tripwire check on trusty. This method, however, is only as secure as your
network filesystem software.

1.6.4 See Also

rsync(1), ssh(1).

[相关问题]

全局常用配置说明

模块常用配置说明

客户端常用参数

for Windows (cygwin)

远程shell模式和rsync守护进程模式

22.6. File Synchronization. Building Internet Firewalls, 2nd Edition

Hack 92 Mirroring Web Sites with wget and rsync. Spidering Hacks

Linux Security Cookbook - Recipe 1.16 Integrity Checking with rsync

Linux Security Cookbook - Recipe 1.6 Remote Integrity Checking