rsync - Linux Security Cookbook - Recipe 1.6 Remote Integrity Checking

Recipe 1.6 Remote Integrity Checking

1.6.1 Problem

You want to perform an integrity check, but to increase security, you store vital Tripwire files off-host.

In this recipe and others, we use two machines: your original machine to be checked, which we'll call trippy, and a second, trusted machine we'll call trusty. trippy is the untrusted machine whose integrity you want to check with Tripwire. trusty is a secure machine, typically with no incoming network access.

1.6.2 Solution

Store copies of the site key, local key, and tripwire binary on a trusted remote machine that has no incoming network access. Use rsync, securely tunneled through ssh, to verify that the originals and copies are identical, and to trigger an integrity check.

The initial setup on remote machine trusty is:

#!/bin/sh
# Run once on trusty: fetch the trusted copies of trippy's vital files.
REMOTE_MACHINE=trippy
RSYNC='/usr/bin/rsync -a --progress --rsh=/usr/bin/ssh'
SAFE_DIR=/usr/local/tripwire/${REMOTE_MACHINE}
# One path per line; the unquoted expansion below splits them into words.
VITAL_FILES="/usr/sbin/tripwire
/etc/tripwire/site.key
/etc/tripwire/${REMOTE_MACHINE}-local.key"

mkdir $SAFE_DIR
for file in $VITAL_FILES
do
    # Copy each original from trippy into the safe directory, over ssh.
    $RSYNC ${REMOTE_MACHINE}:$file $SAFE_DIR/
done

Prior to running every integrity check on the local machine, verify these three files by comparing them to the remote copies. The following code should be run on trusty, assuming the same variables as in the preceding script (REMOTE_MACHINE, etc.):

#!/bin/sh
# Run on trusty before each integrity check; uses the variables set above.
cd $SAFE_DIR
rm -f log
for file in $VITAL_FILES
do
    base=`basename $file`
    # -n: dry run only. rsync prints the name of any file it would copy,
    # i.e. any file whose copy in SAFE_DIR differs from trippy's original;
    # fgrep -x keeps only lines that are exactly that filename.
    $RSYNC -n ${REMOTE_MACHINE}:$file . | fgrep -x "$base" >> log
done
if [ -s log ] ; then
    # log is non-empty: at least one vital file on trippy has changed.
    echo 'Security alert!'
else
    # All three files match: safe to run the check with trippy's binary.
    ssh ${REMOTE_MACHINE} -l root /usr/sbin/tripwire --check
fi

1.6.3 Discussion

rsync is a handy utility for synchronizing files on two machines. In this recipe we tunnel rsync through ssh, the Secure Shell, to provide secure authentication and to encrypt communication between trusty and trippy. (This assumes you have an appropriate SSH infrastructure set up between trusty and trippy, e.g., [Recipe 6.4]. If not, rsync can be used insecurely without SSH, but we don't recommend it.)

The --progress option of rsync produces output only if the local and remote files differ, and the -n option causes rsync not to copy files, merely reporting what it would do. The fgrep command removes all output but the filenames in question. (We use fgrep because it matches fixed strings, not regular expressions, since filenames commonly contain special characters like "." found in regular expressions.) The fgrep -x option matches whole lines, or in this case, filenames. Thus, the file log is empty if and only if the local and remote files are identical, triggering the integrity check.
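One caveat worth knowing: with -a alone, rsync's dry run decides whether a file "differs" by size and modification time, so a replaced file of the same size whose mtime was restored would not be listed, whereas rsync's -c (--checksum) option compares contents. The script below is an added example, not code from the cookbook: it reruns the recipe's verification loop with the comparison flags as a parameter and builds a constructed local stand-in for trippy and trusty (no ssh; a local rsync is assumed) to show the difference.

```shell
#!/bin/sh
# Added example, not the cookbook's own code: the recipe's verification loop
# with rsync's size+mtime "quick check" replaced by a content comparison
# (-c). Local directories stand in for trusty's SAFE_DIR and trippy's files
# so it runs without ssh; in real use SRC_PREFIX is "${REMOTE_MACHINE}:".

# vital_files_differ SAFE_DIR SRC_PREFIX RSYNC_OPTS FILE...
# Dry-runs rsync per file as the recipe does and prints the basename of
# every file rsync would transfer, i.e. whose copy in SAFE_DIR no longer
# matches. grep -Fx is the portable spelling of the recipe's fgrep -x.
# Returns 0 if all files match, 1 if any differ.
vital_files_differ() {
  safe_dir=$1; src_prefix=$2; opts=$3; shift 3
  differ=0
  for file in "$@"; do
    base=$(basename "$file")
    # -n: dry run, -v: print names of files that would be transferred
    if rsync -n -v $opts "${src_prefix}${file}" "$safe_dir/" | grep -Fx "$base"; then
      differ=1
    fi
  done
  return $differ
}

# setup_tampered_tree: constructed test data, not real hosts. Takes the safe
# copy of a stand-in "tripwire" binary, then replaces the original with
# different content of the same size and restores its old mtime: exactly
# the change the size+mtime quick check of -a cannot see. Prints the dir.
setup_tampered_tree() {
  tmp=$(mktemp -d)
  mkdir "$tmp/trippy" "$tmp/trusty"
  printf 'GOOD-TRIPWIRE\n' > "$tmp/trippy/tripwire"
  cp -p "$tmp/trippy/tripwire" "$tmp/trusty/tripwire"
  printf 'EVIL-TRIPWIRE\n' > "$tmp/trippy/tripwire"
  touch -r "$tmp/trusty/tripwire" "$tmp/trippy/tripwire"
  echo "$tmp"
}

# Usage: sh check.sh demo   (requires a local rsync)
if [ "${1:-}" = demo ]; then
  d=$(setup_tampered_tree)
  echo "== -a (size+mtime quick check) reports:"
  vital_files_differ "$d/trusty" "$d/trippy/" -a  tripwire || echo "   (alert)"
  echo "== -ac (checksum comparison) reports:"
  vital_files_differ "$d/trusty" "$d/trippy/" -ac tripwire || echo "   (alert)"
  rm -rf "$d"
fi
```

Run with the demo argument: the -a pass prints nothing for the tampered file, the -ac pass prints its name and raises the alert.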

You might be tempted to store the Tripwire database remotely as well, but it's not necessary. Since the database is signed with the local key, which is kept off-host, tripwire would alert you if the database changed unexpectedly.

Instead of merely checking the important Tripwire files, trusty could copy them to trippy before each integrity check:

# scp -p tripwire trippy:/usr/sbin/tripwire
# scp -p site.key trippy-local.key trippy:/etc/tripwire/
# ssh trippy -l root /usr/sbin/tripwire --check

Another tempting alternative is to mount trippy's disks remotely on trusty, preferably read-only, using a network filesystem such as NFS or AFS, and then run the Tripwire check on trusty. This method, however, is only as secure as your network filesystem software.

1.6.4 See Also

rsync(1), ssh(1).
