Security March 29, 2005 at 8:29 am

How to install and update the Checkmate tripwire

A quick way to get secure hashes of all yer goodies

A glance at the underground sites shows a growing number of rootkits in development. Combine this with known, unpatched vulns, like the iSync mrouter privs escalation vuln, and I’m feeling naked without a tripwire.

Ed. Note: A tripwire application hashes a set of files and then looks for the files to change. Hopefully alerting you when that happens.Most tripwires require a high level of unix knowledge – the mac way would be a simple, easy gui-based tool to fingerprint your system and check if it changes.

Brian Hill’s excellent “Checkmate” is a prefs pane that does just that. Unfortunately, he is no longer updating it – and it has some limitations, so here’s a quick tutorial on making it work.

Here goes.
Download the latest version of Checkmate :

The built in interface of the pref pane only allows you to add files which are visible, and that you can navigate to. Also, it will allow you to add cocoa applications, but as they are bundles, it won’t caculate the hash. So, here’s my way round it.

First, download an updated plist from :
(thanks to Thomas Hardly for his excellent work at hardapple)
Replace the exisiting Checkmate plist.

If you know vi, or are comfortable editing plists, you can add more.. but there is an easier way.

Here’s how to add cocoa binaries via the Acqua gui :

Navigate to the app you want to protect.
Option-click “show package contents”
Option click on the folder, and select “copy path to clipboard”
Go to System Preferences, open the Checkmate pane.
Click “Files”
Click “Add..”
Command-shift-G (this allows you to enter a path name)

You will now be able to browse the package contents from within Checkmate.

Select any unix executables you wish to hash.
(For example, the full path to the Keychain access binary is :
/Applications/Utilities/Keychain Access)

Ed. Note: Be aware that checksumming applications will cause your tripwire to “trip” at most system updates and potentially anytime the watched apps have their pre-binding redone.

To fingerprint files inside invisible directories (eg /usr/sbin/) navigate there via the terminal, copy the path, and use the Command-shift-G trick above.

Of course if you’re really paranoid, you need to backup those hashes on another, secure machine…

Ed. Note: If you don’t do this, your tripwire’s effectiveness is severely reduced. At a minimum store the fingerprints in an encrypted disk image on your system and then manually check them.

Please write to Brian Hill, thank him for his excellent work, and ask him to release the source code under the Gnu Public License

Ed. Note: You might also want to check out the venerable tripwire which spawned most of this genre of utilities.

Leave a reply

You must be logged in to post a comment.