Re: possible compromise or just misreading logs

jan.muenther_at_nruns.com
Date: 12/08/03

  • Next message: Roger Marquis: "Re: possible compromise or just misreading logs"
    Date: Mon, 8 Dec 2003 13:35:01 +0100
    To: Jan Grant <Jan.Grant@bristol.ac.uk>
    
    

    Hello,

    > > No production environment should be without Tripwire (1.3 is my
    > > favorite version). With the right wrapper script
    > > <http://www.roble.com/docs/twcheck> and off-line backups it's
    > > impossible to compromise a system without being detected.
    >
    > Unless there's another step you're not mentioning (eg, rebooting to an
    > OS installed on a physically write-protected device, or remounting your
    > drive on another machine with a trusted OS) "impossible" is probably too
    > strong a term here.

    Too strong? It's simply incorrect. It is very well possible to compromise a
    box and backdoor it without even touching the file system. To use an example
    from the Win32 world, a lot of the recent worms entirely lived in memory,
    and as for backdoors/rootkits, think of the now famous suckit...

    Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
    Moral of the story: Don't ever assume you're invincible due to some product
    or piece of software you run.

    Of course it makes sense to check the integrity of the system, but it's just
    one layer of security. And also, Tripwire's not the only product out there,
    you may want to look at AIDE for an open source alternative. Tripwire sort
    of made me shake my head anyway, since their $$$ client/server suite
    transfers data from the client to the server in plain text... which is,
    erm, not exactly state of the art for a security product in 2003.

    > There's an implicit trust in using a system to integrity-check itself.

    Indeed.

    Cheers, Jan
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
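As an added illustration of the baseline-and-compare layer the thread is discussing (this is example code, not from the list, Tripwire, AIDE or the twcheck wrapper): a minimal checker that records SHA-256 digests, stores them as a serialised baseline, and reports what has been added, removed or changed. It only sees what the running kernel presents for each file, which is exactly why the message insists the check runs from a trusted OS with an off-line baseline; the directory tree and file contents here are constructed sample data.

```python
import hashlib
import json
import os
import tempfile

def build_baseline(root):
    """Record the SHA-256 of every regular file under root, keyed by path relative to root.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def compare(baseline, current):
    """Diff two baselines: paths added, paths removed, and paths whose digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed sample tree: take a baseline, alter the tree, re-check against the stored copy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"constructed stand-in for a /bin/ls binary\n")
        with open(os.path.join(root, "rc.conf"), "wb") as fh:
            fh.write(b'sshd_enable="YES"\n')
        # In practice the baseline goes to read-only or off-line media; serialising it here
        # and reading it back keeps the comparison independent of anything left in memory.
        stored = json.dumps(build_baseline(root))
        # Changes after the baseline was taken: one file altered, one added, one removed.
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"extra bytes\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"new file\n")
        os.remove(os.path.join(root, "rc.conf"))
        return compare(json.loads(stored), build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

A kernel-level rootkit of the kind mentioned above can answer these reads with the original bytes, so a clean report from a checker run on the suspect host proves less than it appears to.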

