Re: preventing tampering with tripwire
From: Jason Stone (jason@shalott.net)
Date: 06/19/02
- Next message: Maxim Sobolev: "[Fwd: Russian Apache is not vulnerable to recent DoS]"
- Previous message: Curriculo@UnitedStates.com: "Curriculo - United States"
- In reply to: Maxlor: "Re: preventing tampering with tripwire"
- Next in thread: twig les: "Re: preventing tampering with tripwire"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Jun 2002 05:18:11 -0700 (PDT) From: Jason Stone <jason@shalott.net> To: Maxlor <mail@maxlor.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Why do I like this solution a lot? Even if my system was rooted, and
> the attacker had enough skills to replace each binary with a
> compromised version that would look the same to me, he couldn't do so
> without dropping to single user mode. And since he'd have to have
> physical access to the machine for that, I think I can say the machine
> gained some reasonable security against rootkits overall.
A couple of random thoughts:
1) All the 31337 rootkits use kld's and don't bother with trojans, and, as
has already been pointed out on this list, /modules/* are _not_ set schg
bu default.
2) FYI, at least two independent groups have implemented the equivalent of
tripwire in the kernel - the kernel does something like read in the sha1
sums at boot time and then every time a binary is run, its sha1 is
computed and, if it doesn't match the in-memory sha1 from boot time, the
binary will not be run. http://www.trojanproof.org/ is one project and
the other I don't remember, but a quick slashdot or google search would
turn it up I'm sure.
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE9EHaEswXMWWtptckRAoD9AKDB3JZ5z7KcjXd3cfHuvdD0FUVTawCgnyeS
p25Ezk9d56oHVCKrsGK2h5k=
=3ABc
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Maxim Sobolev: "[Fwd: Russian Apache is not vulnerable to recent DoS]"
- Previous message: Curriculo@UnitedStates.com: "Curriculo - United States"
- In reply to: Maxlor: "Re: preventing tampering with tripwire"
- Next in thread: twig les: "Re: preventing tampering with tripwire"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
