Re: preventing tampering with tripwire

From: Baldur Gislason (baldur@foo.is)
Date: 06/19/02


From: Baldur Gislason <baldur@foo.is>
To: Maxlor <mail@maxlor.com>
Date: Tue, 18 Jun 2002 23:40:20 +0000

Use kern.securelevel 1 or higher and man chflags, set the tripwire binary
schg so it cannot be tampered with. Of course there's no such thing as
absolute security, but this moves you just a step closer, unless the intruder
performs a reboot and makes his changes before the kernel securelevel is
raised on boot.

Baldur

On Tuesday 18 June 2002 23:27, you wrote:
> After being rooted recently (no idea how it happened - I was following the
> SAs and whatnot... and yes, I already formatted and reinstalled), I decided
> to install tripwire, so I would be alerted to something like that sooner.
>
> The thing installed fine and is running ok, there's just this one thing
> that's puzzling me:
>
> How do I prevent an intruder that somehow gains root on my machine from
> simply replacing the tripwire binary that always gives me an "everything
> ok" report?
>
> I've been considering putting the binary on a floppy or CD, but then an
> intruder could simply unmount the disk and place the replacement binaries
> in the mountpoint dir.
>
> I'm currently running tripwire as a nightly cronjob, and I'd rather not
> resort to mounting a disk, running tripwire from it manually, then
> unmounting it. You know, my laziness and the effort needed to do this would
> lead to me eventually no longer doing it...
>
> So, how did you solve this problem?
>
> Greetings
> Maxlor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

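As an added example (not from this thread), a small POSIX sh check an admin could run from the same nightly cron job to confirm that the two protections Baldur describes are still in place: kern.securelevel at 1 or higher and the schg flag on the tripwire binary. The install path is an assumption, and the flags column comes from FreeBSD's `ls -lo`, which lists file flags after the group.

```shell
#!/bin/sh
# Added example: verify the securelevel + schg protection is still in place.
# TRIPWIRE_BIN is an assumed install path; override it from the environment.
TRIPWIRE_BIN="${TRIPWIRE_BIN:-/usr/local/sbin/tripwire}"

# securelevel_ok LEVEL -> 0 when the kernel will refuse to clear schg,
# i.e. kern.securelevel is numeric and >= 1. Empty/garbage input fails.
securelevel_ok() {
    case "$1" in
        ''|*[!0-9-]*) return 1 ;;   # missing or non-numeric (sysctl failed)
    esac
    [ "$1" -ge 1 ]
}

# flags_ok FLAGS -> 0 when "schg" is among the comma-separated flags that
# `ls -lo` prints (e.g. "schg" or "schg,uarch"); a bare "-" means no flags.
flags_ok() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# verdict LEVEL FLAGS -> prints a one-line status; exit status is non-zero
# whenever either protection is missing, so cron can mail only on failure.
verdict() {
    lvl=$1; flags=$2
    if ! securelevel_ok "$lvl"; then
        echo "WARN: kern.securelevel=$lvl; root can clear schg"; return 2
    fi
    if ! flags_ok "$flags"; then
        echo "WARN: $TRIPWIRE_BIN lacks schg (flags: $flags)"; return 3
    fi
    echo "OK: securelevel=$lvl, flags=$flags"
}

# live_check gathers the real values on a FreeBSD host and calls verdict.
# It is not invoked at load time, so the helpers can be exercised elsewhere.
live_check() {
    lvl=$(sysctl -n kern.securelevel 2>/dev/null)
    flags=$(ls -lo "$TRIPWIRE_BIN" 2>/dev/null | awk '{print $5}')
    verdict "$lvl" "$flags"
}
```

Because the check runs on the same host, it is a detection aid rather than a guarantee; it does not close the reboot window Baldur mentions, since the securelevel is only raised late in the boot.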