Recipe 1.9 Automated Integrity Checking

1.9.1 Problem

You want to schedule integrity checks at specific times or intervals.

1.9.2 Solution

Use cron. For example, to perform an integrity check every day at 3:00 a.m.:

root's crontab file:
0 3 * * * /usr/sbin/tripwire --check

1.9.3 Discussion

This is not a production-quality recipe. An intruder could compromise cron, substituting another job or simply preventing yours from running. For more reliability, run the cron job on a trusted remote machine:

Remote crontab entry on trusty:
0 3 * * * ssh -n -l root trippy /usr/sbin/tripwire --check

but if an intruder compromises sshd on trippy, you're again out of luck. Likewise, some rootkits [Recipe 9.12] can subvert the exec call to tripwire even if invoked remotely. For maximum security, run not only the cron job but also the integrity check on a trusted remote machine. [Recipe 1.8]
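A wrapper for the crontab entry on trusty, as an added example that is not part of the original recipe: it reports a check that never ran (ssh failure, empty report) separately from a clean result, so a blocked job does not pass for a quiet night. The names CHECK_CMD, classify and run_check are hypothetical, and the script assumes tripwire --check prints its report on stdout and exits 0 only when it ran and found no violations.

```shell
#!/bin/sh
# Added example: wrapper for the crontab entry on trusty (not from the recipe).
# Assumptions: tripwire --check prints its report on stdout and exits 0 only
# when it ran and found no violations; ssh itself exits 255 when the
# connection fails. CHECK_CMD, classify and run_check are hypothetical names.

CHECK_CMD=${CHECK_CMD:-"ssh -n -l root trippy /usr/sbin/tripwire --check"}

# classify STATUS REPORT_FILE
# Prints: clean | attention | not-run
classify() {
    status=$1
    report=$2
    if [ "$status" -eq 255 ] || [ ! -s "$report" ]; then
        # ssh could not connect, or the remote command produced no report:
        # the check did not happen, which must not look like a quiet night.
        echo not-run
    elif [ "$status" -eq 0 ]; then
        echo clean
    else
        # Report present but nonzero status: violations or a tripwire error.
        echo attention
    fi
}

# Runs the check once; cron mails whatever is printed.
# Returns 0 = clean, 1 = attention, 2 = not-run.
run_check() {
    out=$(mktemp) || return 2
    rc=0
    sh -c "$CHECK_CMD" >"$out" || rc=$?
    verdict=$(classify "$rc" "$out")
    echo "tripwire check via '$CHECK_CMD': $verdict"
    cat "$out"
    rm -f "$out"
    case $verdict in
        clean)     return 0 ;;
        attention) return 1 ;;
        *)         return 2 ;;
    esac
}

# Invoke as "<script> --run" from cron; without --run only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    run_check
    exit $?
fi
```

The wrapper only sees what ssh returns, so it does not cover the compromised-sshd or rootkit cases described above.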

Red Hat Linux comes preconfigured to run tripwire every night via the cron job /etc/cron.daily/tripwire-check. However, a Tripwire database is not supplied with the operating system: you must initialize one yourself. [Recipe 1.1] If you don't, cron will send daily email to root about a failed tripwire invocation.

1.9.4 See Also

tripwire(8), crontab(1), crontab(5), cron(8).
