preventing tampering with tripwire

From: Maxlor (mail@maxlor.com)
Date: 06/19/02


Date: Wed, 19 Jun 2002 01:27:51 +0200
From: Maxlor <mail@maxlor.com>
To: freebsd-security@freebsd.org

After being rooted recently (no idea how it happened - I was following the
SAs and whatnot... and yes, I already formatted and reinstalled), I decided
to install tripwire, so I would be alerted to something like that sooner.

The thing installed fine and is running ok, there's just this one thing
that's puzzling me:

How do I prevent an intruder that somehow gains root on my machine from
simply replacing the tripwire binary that always gives me an "everything
ok" report?

I've been considering putting the binary on a floppy or CD, but then an
intruder could simply unmount the disk and place the replacement binaries
in the mountpoint dir.

I'm currently running tripwire as a nightly cron job, and I'd rather not
resort to mounting a disk, running tripwire from it manually, then
unmounting it. You know, my laziness and the effort needed to do this would
lead to me eventually no longer doing it...

So, how did you solve this problem?

Greetings
Maxlor

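One defensive answer to the unmount-and-replace concern raised above, as an added example that is not part of the original post or of tripwire itself: a cron wrapper that refuses to run tripwire unless the directory meant for the read-only medium really is a mount point and is mounted read-only, so a binary dropped into the bare mount point directory is never executed. The paths (/mnt/tripwire, the binary location) and the `check` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): run tripwire only from a
# medium that is actually mounted, read-only, at the expected directory.
# TW_MOUNT and TW_BIN are assumed locations; adjust to your setup.
TW_MOUNT="${TW_MOUNT:-/mnt/tripwire}"   # where the CD/floppy is mounted
TW_BIN="${TW_BIN:-$TW_MOUNT/bin/tripwire}"

# Returns 0 when $1 is the root of a mounted filesystem. POSIX `df -P`
# prints the mount point as the last field of its second output line, so
# a plain subdirectory reports its parent's mount point, not itself.
is_mountpoint() {
    dir=$1
    [ -d "$dir" ] || return 1
    mp=$(df -P "$dir" 2>/dev/null | awk 'NR == 2 { print $NF }')
    [ "$mp" = "$dir" ]
}

# Returns 0 when mount(8) lists $1 with a read-only option; field 3 of
# mount's output is the mount point on both FreeBSD and Linux, and the
# option list shows "read-only" (FreeBSD) or "ro" (Linux).
is_readonly() {
    mount | awk -v d="$1" '$3 == d { print }' | grep -Eq '[(,]ro[,)]|read-only'
}

# Runs the integrity check only if both preconditions hold.
# Exit status: 2 = not a mount point, 3 = not read-only, else tripwire's.
run_tripwire_checked() {
    if ! is_mountpoint "$TW_MOUNT"; then
        echo "tripwire: $TW_MOUNT is not a mount point; refusing to run" >&2
        return 2
    fi
    if ! is_readonly "$TW_MOUNT"; then
        echo "tripwire: $TW_MOUNT is not mounted read-only; refusing to run" >&2
        return 3
    fi
    "$TW_BIN" --check
}

# From cron: /usr/local/sbin/run-tripwire.sh check
case "${1:-}" in check) run_tripwire_checked ;; esac
```

The wrapper itself lives on the writable disk, so its hash belongs in the tripwire policy alongside the binaries it guards; it closes only the specific gap of a replacement planted in an unmounted mount point directory.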