Re: preventing tampering with tripwire

From: twig les (twigles@yahoo.com)
Date: 06/19/02


Date: Tue, 18 Jun 2002 17:15:52 -0700 (PDT)
From: twig les <twigles@yahoo.com>
To: Klaus Steden <klaus@compt.com>, Maxlor <mail@maxlor.com>

You can also write a script to grab the signature of
the tripwire binary itself from a remote server. A
co-worker of mine is doing something like this right
now and I'll ask him about it, but my gut says it'll
be hush-hush secret.

Don't forget to direct syslog output to a line printer
BTW. ;)

--- Klaus Steden <klaus@compt.com> wrote:
> Read-only media is a good thing, too.
>
> It may be overkill (in the case of security, is there such a thing, though?),
> but you could re-purpose an old disk drive, add security tools you want to it,
> and jumper it read-only. That wouldn't necessarily prevent your database from
> being compromised, but your tools would be intact.
>
> With a read-only disk, I would ...
>
> - install the security tools you want on it
> - generate any baseline configuration data and signatures
> - make the disk physically read-only
> - run your nightly cron jobs, comparing your daily results against your
>   read-only baseline.
>
> Of course, every time you upgrade something, you'll have to unjumper the disk,
> update your signatures, and rejumper it, but that's not really such a big deal
> when compared with what else you might have to do. :>
>
> Keeping known good copies of essential programs (ls, find, dd, netstat, route,
> ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too.
>
> You could accomplish this with CDROMs if you don't want to use a disk drive,
> but you lose the option of rewritability.
>
> hope this helps,
> Klaus

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
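A scripted version of the nightly check the two posters describe: a baseline of hashes is generated before the disk is jumpered read-only, and a cron job later recomputes the hashes of the tripwire binary and the essential tools with the copies of sha256/cut that live on the read-only media. This is an added example, not code from either poster; the mount point /mnt/ro, the baseline file name and the use of SHA-256 (sha256(1) on FreeBSD, sha256sum on Linux) are assumptions. The baseline file could equally be fetched from a remote host, as twig les suggests, and passed to the verify step.

```shell
#!/bin/sh
# Nightly integrity check for the checker itself and a set of essential tools.
# Hypothetical layout (an assumption, not from the thread): the jumpered
# read-only disk is mounted at /mnt/ro, with known-good binaries in /mnt/ro/bin
# and the hash baseline in /mnt/ro/baseline.sha256.
RO_TOOLS=${RO_TOOLS:-/mnt/ro/bin}

# Put the read-only toolset first so the check runs with trusted sha256, cut,
# etc. even if the copies on the system disk have been replaced.
PATH="$RO_TOOLS:/bin:/usr/bin"
export PATH

# Print the SHA-256 of a file. sha256(1) is the FreeBSD tool; sha256sum is the
# coreutils equivalent, used as a fallback so the script also runs on Linux.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline BASELINE_FILE BINARY...
# Record "hash path" for every binary. Run once before jumpering the disk
# read-only, and again after every upgrade (with the disk unjumpered).
make_baseline() {
    baseline=$1
    shift
    : > "$baseline" || return 1
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "make_baseline: no such file: $f" >&2
            return 1
        fi
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE_FILE
# Recompute every hash and report MISSING or TAMPERED entries.
# Exit status 0 when everything matches, 1 otherwise, so cron mails a failure.
verify_baseline() {
    baseline=$1
    bad=0
    while IFS=' ' read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "TAMPERED $path"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# Command-line entry points. With no arguments the file only defines the
# functions, so it can be sourced from a larger cron script.
#   sh integrity.sh baseline /mnt/ro/baseline.sha256 /usr/local/sbin/tripwire /bin/ls /usr/bin/find ...
#   sh integrity.sh verify /mnt/ro/baseline.sha256
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   shift; verify_baseline "$@" ;;
    "")       ;;
    *)        echo "usage: $0 baseline FILE BINARY... | verify FILE" >&2 ;;
esac
```

Because the baseline and the hashing tools both sit on the read-only disk, an attacker who replaces /bin/ls or the tripwire binary on the system disk cannot also adjust the reference hash or the program that computes it; the write to the baseline fails once the disk is jumpered, which is the reminder to unjumper it only during a planned upgrade.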
