Re: aide or tripwireFrom: Kurt Seifried (firstname.lastname@example.org)
- Previous message: Hal Flynn: "Holiday update"
- In reply to: Elliot Tilley: "RE: aide or tripwire"
- Next in thread: Brian Cervenka: "Re: aide or tripwire"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kurt Seifried" <email@example.com> To: "Elliot Tilley" <firstname.lastname@example.org>, <email@example.com> Date: Thu, 20 Dec 2001 13:13:46 -0700
> >Which is essentially useless. The file can be set to be read only, with
> >essentially the same result. If the attacker gets root they can unset the
> >immutable flag and muck around with it.
> If you're running linux, download lcap and install it, you can then remove
> root's abiltity to, among other things, unset the immuatble bit. Doing
> may help with ensuring the integrity of the database.
Which leads to reboots to modify configuration files and the like, not
always a practical situation. Plus for tripwire/aide being forced to reboot
the system anytime you want to do a software upgrade (and thus update the
database) is also non optimal for most people. The append flag is really the
only useful extended attribute in my opinion. Systems like LIDS make this a
bit easier to manage, but are really only useful if you can lock down root's
ability to modify LIDS settings from console, meaning you need physical