linux-protecting-configuration-files

No matter whether you run Linux on premises or in a cloud instance, and regardless of the distribution (e.g. Ubuntu, CentOS, RHEL or something else), you want to know when something has been touched.

CodeNotary lets you do exactly that in a very simple way, and the verification counterpart (the notarization) is stored safely outside of your environment, so whoever modifies the host cannot quietly adjust the reference as well.

This blog post covers the notarization of the /etc directory, where configuration files are typically stored, and the automatic authentication of that directory whenever you log in.

We cover:

  • Install vcn
  • Notarize a file or folder
  • Change your bash profile to authenticate whenever you log in
  • Some examples

Install vcn

There are plenty of ways to install the vcn command line tool, and of course you can build it yourself. The GitHub repository can be found here:

https://github.com/vchain-us/vcn

and the latest release:

https://github.com/vchain-us/vcn/releases/latest

If you want a quick installation (Linux, macOS), you can also use our installation script:

bash <(curl http://getvcn.codenotary.io -L)

Note that this pipes a script fetched over plain HTTP (following redirects) straight into bash. On a host whose /etc you care enough about to notarize, prefer downloading the release binary from the GitHub releases page and checking its checksum, or at least save the script, read it, and run it afterwards.

You can check our manual or simply type vcn help

Notarize file or folder

With vcn installed and working, we can notarize the folders or files we want to verify every time we log in. These could be:

  • configuration files (Apache, NGINX, firewall services, the sudoers file and much more)
  • folders containing configuration files
  • any file or folder that should never change unnoticed

Make sure you have a free CodeNotary account: notarizations are bound to an identity, so you can notarize under your own account and later authenticate only against your own signer key, ignoring anyone else's notarization of the same content.

Notarizing the /etc folder

Tip: Depending on where vcn is installed and on the permissions of the files under /etc, you might need to use sudo!

# first login with your CodeNotary account credentials
vcn login

# Notarize /etc - dir:// acts on the whole folder or directory
# type your password when requested
vcn n dir:///etc 

[Screenshot: folder protection using CodeNotary, notarizing /etc as a folder]

That is already it. You can double check that everything worked in your dashboard, or simply by typing vcn a dir:///etc, which authenticates the folder against the notarization.

[Screenshot: the dashboard entry for the notarization, and the notarization details]

In case you only want to check one or a few files, use vcn n /path/file without the dir:// prefix.

Change your bash profile to authenticate whenever logging in

Instead of authenticating the configuration folder /etc by hand every time we log in, we want this to happen automatically. This example is simple, but it can easily be extended to cover more of the environment.

Edit your local profile (nano ~/.profile) and add the following lines:

# Path of the vcn binary; adjust if it lives elsewhere (e.g. /usr/bin/vcn).
# The same path is used for the check below, so the binary we checksum is
# the binary we run, not whatever "vcn" happens to be first in $PATH.
VCN=/usr/local/bin/vcn

# calculate the SHA256 checksum of vcn
CHECKSUM=$(sha256sum "$VCN" | cut -d " " -f 1)

# check if the vendor vchain.us notarized exactly this vcn build
# (of course you can notarize vcn yourself and check against your own identity)
# the URL is quoted so the shell does not treat the "?" as a glob character
if curl -sf "https://api.codenotary.io/authenticate/$CHECKSUM?org=vchain.us" | grep -q :0; then
    # use vcn to authenticate /etc against the notarization
    # make sure to change 0x000000000 to your signer key (vcn info)
    "$VCN" a dir:///etc -s 0x000000000 || echo "VCN Auth /etc: FAILED"
else
    # the curl command failed or vcn could not be authenticated:
    # report it and do not run a binary we could not verify
    echo "VCN Authenticate: FAILED"
fi

Save the file; the next login already checks the /etc folder. Two caveats: ~/.profile is only read by login shells, so if you want the check in every interactive shell (a new terminal tab, for example) put it in ~/.bashrc as well. And this is a tripwire, not a gate: it prints a warning and the login continues, and anyone with enough privilege to edit /etc could also edit your profile, which is why the vcn binary itself is verified against the vendor's notarization before it is trusted to verify anything else.

Some examples

Nothing changed since the notarization took place:

[Screenshot: no change in /etc detected]

After changing the /etc/sudoers file:

[Screenshot: the change is detected automatically at login]
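To make the notarize-then-authenticate flow from the two previous sections reproducible without a vcn installation or a CodeNotary account, here is an added example (not CodeNotary's code and not how vcn is implemented) that does the same job locally with GNU coreutils: record a SHA-256 manifest of every file under a directory, then report anything modified, added or deleted. The demo replays the sudoers scenario above on a constructed throw-away /etc. The important difference from vcn is that the manifest lives on the same host, so it is only as trustworthy as wherever you keep it; storing that reference off-box is precisely what the notarization gives you.

```shell
#!/usr/bin/env bash
# Added example (not CodeNotary's code): a local stand-in for "notarize, then
# authenticate" built from GNU coreutils (sha256sum, find, sort, awk).
# build_manifest records the SHA-256 of every file below a directory;
# verify_manifest reports any file that was modified, added or deleted since.
set -u

# build_manifest DIR MANIFEST
# One line per regular file, "<sha256>  ./relative/path", sorted by path so
# the manifest is deterministic. Only contents are hashed: a permission or
# ownership change (e.g. on sudoers) is not detected by this stand-in.
build_manifest() {
    local dir="$1" manifest="$2"
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
}

# verify_manifest DIR MANIFEST
# Returns 0 when DIR still matches MANIFEST, 1 otherwise; prints one line per
# difference, sorted, as "ADDED", "DELETED" or "MODIFIED" followed by the path.
verify_manifest() {
    local dir="$1" manifest="$2" current changes
    current=$(mktemp)
    build_manifest "$dir" "$current"
    # sha256sum separates hash and path with two spaces, hence -F'  '
    changes=$(awk -F'  ' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new))   print "DELETED  " p
            for (p in new) {
                if (!(p in old))              print "ADDED    " p
                else if (old[p] != new[p])    print "MODIFIED " p
            }
        }' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# demo: replay the blog's sudoers scenario on a constructed, throw-away /etc.
demo() {
    local root rc
    root=$(mktemp -d)
    mkdir -p "$root/etc/apache2"
    # constructed sample files, not real system configuration
    printf 'root ALL=(ALL:ALL) ALL\n' > "$root/etc/sudoers"
    printf 'ServerName www.example.com\n' > "$root/etc/apache2/httpd.conf"
    build_manifest "$root/etc" "$root/etc.manifest"                      # the "notarize" step
    verify_manifest "$root/etc" "$root/etc.manifest" && echo "baseline: no changes"
    printf 'mallory ALL=(ALL) NOPASSWD: ALL\n' >> "$root/etc/sudoers"    # the tampering
    verify_manifest "$root/etc" "$root/etc.manifest"                     # the "authenticate" step
    rc=$?
    rm -rf "$root"
    return "$rc"
}

# Run with:  bash integrity-check.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The demo prints "baseline: no changes" after the first check and "MODIFIED ./sudoers" with exit status 1 after the appended line, which is the same signal the login hook above surfaces. If you keep this approach instead of vcn, copy the manifest somewhere the host cannot write to, otherwise whoever edits /etc simply rebuilds it.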

Summary

As you can see, it is easy and straightforward to use CodeNotary to protect your directories and folders. That works for Linux and macOS, and of course for Windows as well (we will cover Microsoft Windows another time).
