RE: aide or tripwire

From: Elliot Tilley (elliot_tilley@citadel.com.au)
Date: 12/20/01


From: Elliot Tilley <elliot_tilley@citadel.com.au>
To: focus-linux@securityfocus.com
Date: Thu, 20 Dec 2001 14:57:33 +1100


-----Original Message-----
From: bugtraq@seifried.org [mailto:bugtraq@seifried.org]
Sent: Thursday, 20 December 2001 6:50
To: Rob 'Feztaa' Park
Cc: focus-linux@securityfocus.com
Subject: Re: aide or tripwire

>Which is essentially useless. The file can be set to be read only, with
>essentially the same result. If the attacker gets root they can unset the
>immutable flag and muck around with it.

If you're running Linux, download lcap and install it; you can then remove
root's ability to, among other things, unset the immutable bit. Doing that
may help with ensuring the integrity of the database.

There's a good article on SecurityFocus about the security features of the
ext2 filesystem that explains the details. Filesystem Security - ext2
extended attributes
http://www.securityfocus.com/infocus/1407

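An added example, not part of the original message or of lcap: a shell check that an integrity database is marked immutable and that CAP_LINUX_IMMUTABLE (capability number 9) is no longer in the capability bounding set, so root cannot simply clear the flag. It assumes a kernel that reports the bounding set as `CapBnd` in `/proc/self/status`; the function names and the database path in the usage comment are illustrative.

```shell
#!/bin/sh
# CAP_LINUX_IMMUTABLE is capability number 9 in <linux/capability.h>.
CAP_LINUX_IMMUTABLE=9

# Return 0 if the hex capability mask (a CapBnd value) still contains
# CAP_LINUX_IMMUTABLE, 1 if that capability has been dropped.
mask_has_immutable_cap() {
    [ $(( (0x$1 >> $CAP_LINUX_IMMUTABLE) & 1 )) -eq 1 ]
}

# Return 0 if one line of lsattr output ("<flags> <path>") has the 'i' flag.
# Only the flags field is inspected, so an 'i' in the path is ignored.
lsattr_line_is_immutable() {
    flags=${1%% *}
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Bounding set of the current process tree (inherited by the awk child).
current_bounding_set() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Report on both protections for the database file given as $1.
check_db() {
    db=$1
    rc=0
    mask=$(current_bounding_set)
    if [ -z "$mask" ]; then
        echo "WARN: could not read CapBnd from /proc/self/status"; rc=1
    elif mask_has_immutable_cap "$mask"; then
        echo "WARN: CAP_LINUX_IMMUTABLE still in bounding set; root can chattr -i"; rc=1
    fi
    if ! lsattr_line_is_immutable "$(lsattr -d "$db" 2>/dev/null)"; then
        echo "WARN: $db is not marked immutable"; rc=1
    fi
    return $rc
}

# Usage (constructed path): sh check_immutable.sh /var/lib/aide/aide.db
if [ $# -gt 0 ]; then
    check_db "$1"
fi
```

The bounding set checked is the one inherited by the shell running the script, so run it from the same context (for example a root login after boot) in which an attacker with root would be operating.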