You want to store Tripwire's most vital files on read-only media, such as a CD-ROM or write-protected disk, to guard against compromise, and then run integrity checks.
Copy the site key, local key, and tripwire binary onto the desired disk, write-protect it, and mount it. Suppose it is mounted at /mnt/cdrom.
    # mount /mnt/cdrom
    # ls -l /mnt/cdrom
    total 2564
    -r--r-----  1 root  root      931 Feb 21 12:20 site.key
    -r--r-----  1 root  root      931 Feb 21 12:20 myhost-local.key
    -r-xr-xr-x  1 root  root  2612200 Feb 21 12:19 tripwire
Generate the Tripwire configuration file in plaintext: [Recipe 1.2]
    # DIR=/etc/tripwire
    # cd $DIR
    # twadmin --print-cfgfile > twcfg.txt
Edit the configuration file to point to these copies: [Recipe 1.3]
    /etc/tripwire/twcfg.txt:
    ROOT=/mnt/cdrom
    SITEKEYFILE=/mnt/cdrom/site.key
    LOCALKEYFILE=/mnt/cdrom/myhost-local.key
Sign your modified Tripwire configuration file: [Recipe 1.3]
    # SITE_KEY=/mnt/cdrom/site.key
    # twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \
        --site-keyfile $SITE_KEY $DIR/twcfg.txt
Regenerate the tripwire database [Recipe 1.3] and unmount the CD-ROM:
    # /mnt/cdrom/tripwire --init
    # umount /mnt/cdrom
Now, whenever you want to perform an integrity check [Recipe 1.4], insert the read-only disk and run:
    # mount /mnt/cdrom
    # /mnt/cdrom/tripwire --check
    # umount /mnt/cdrom
The site key, local key, and tripwire binary (/usr/sbin/tripwire) are the only files you need to protect from compromise. The other Tripwire-related files, such as the database, policy, and configuration, are cryptographically signed with those keys, so any alteration to them would be detected at the next check. (Back them up frequently, however, in case an attacker simply deletes them!)
Before copying /usr/sbin/tripwire to CD-ROM, make sure it is statically linked (which is the default configuration) so it does not depend on any shared runtime libraries that could be compromised:
    $ ldd /usr/sbin/tripwire
    not a dynamic executable
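The mount/check/unmount sequence and the static-linking test above can be combined into one script that refuses to run the check unless the media is actually mounted read-only, the configuration really points at the media, and the binary has no shared-library dependencies. This is an added example, not from the book; the script name tw-check.sh is hypothetical and the paths are the ones used in the recipe.

```shell
#!/bin/sh
# tw-check.sh (hypothetical name): run the integrity check from the recipe above,
# refusing to proceed when the read-only media setup looks wrong.
set -eu

MEDIA=/mnt/cdrom              # mount point of the write-protected disk
CFG=/etc/tripwire/twcfg.txt   # plaintext config from twadmin --print-cfgfile

# Succeed if $2 is listed in $1 (a /proc/mounts-style file) with the ro option.
mount_is_readonly() {
    awk -v mp="$2" '$2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
                    END { exit !found }' "$1"
}

# Succeed only if ROOT, SITEKEYFILE and LOCALKEYFILE in config $1 all lie under $2.
cfg_on_media() {
    for key in ROOT SITEKEYFILE LOCALKEYFILE; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        case "$val" in
            "$2"|"$2"/*) ;;
            *) echo "$key='$val' is not under $2" >&2; return 1 ;;
        esac
    done
}

# Succeed if ldd reports no dynamic dependencies (static binary, as the recipe requires).
binary_is_static() {
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

run_check() {
    mount "$MEDIA"
    trap 'umount "$MEDIA"' EXIT         # unmount even if a check below fails
    mount_is_readonly /proc/mounts "$MEDIA" || { echo "$MEDIA not mounted read-only" >&2; return 1; }
    cfg_on_media "$CFG" "$MEDIA"        || return 1
    binary_is_static "$MEDIA/tripwire"  || { echo "$MEDIA/tripwire is dynamically linked" >&2; return 1; }
    "$MEDIA/tripwire" --check
}

# Run the check only when invoked as "tw-check.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then run_check; fi
```

Invoke it as root with `tw-check.sh run`; the three pre-checks are separate functions so they can be sourced and reused by other maintenance scripts.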
See also: twadmin(8), tripwire(8), ldd(1), mount(8).