Re: aide or tripwire

From: Kurt Seifried (bugtraq@seifried.org)
Date: 12/20/01


From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Elliot Tilley" <elliot_tilley@citadel.com.au>, <focus-linux@securityfocus.com>
Date: Thu, 20 Dec 2001 13:13:46 -0700


> >Which is essentially useless. The file can be set to be read only, with
> >essentially the same result. If the attacker gets root they can unset the
> >immutable flag and muck around with it.
>
> If you're running Linux, download lcap and install it; you can then remove
> root's ability to, among other things, unset the immutable bit. Doing that
> may help with ensuring the integrity of the database.

Which leads to reboots to modify configuration files and the like, not
always a practical situation. Plus, for tripwire/aide, being forced to reboot
the system any time you want to do a software upgrade (and thus update the
database) is also non-optimal for most people. The append flag is really the
only useful extended attribute in my opinion. Systems like LIDS make this a
bit easier to manage, but are really only useful if you can lock down root's
ability to modify LIDS settings from the console, meaning you need physical
access.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
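The thread's point is that +i and +a on the tripwire/aide database only hold while root can still exercise CAP_LINUX_IMMUTABLE, which lcap removes from the bounding set. The following check, added here as an example and not code from the post or from either tool, reports both halves: whether that capability is still in the bounding set (from /proc/self/status) and which of the two inode flags the database actually carries. The kernel constants are real; the default database path is a hypothetical placeholder.

```python
import fcntl
import os
import struct

# Constants from the Linux kernel headers (capability.h and fs.h).
CAP_LINUX_IMMUTABLE = 9          # required to set or clear +i / +a
FS_IMMUTABLE_FL = 0x00000010     # chattr +i
FS_APPEND_FL = 0x00000020        # chattr +a
# FS_IOC_GETFLAGS = _IOR('f', 1, long); the request value depends on word size.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601


def cap_in_bounding_set(proc_status_text, cap):
    """True if capability `cap` is still in the bounding set described by
    the CapBnd line of a /proc/<pid>/status text."""
    for line in proc_status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool((mask >> cap) & 1)
    raise ValueError("no CapBnd line found")


def describe_inode_flags(flags):
    """Map a raw FS_IOC_GETFLAGS value to the two protections discussed."""
    return {
        "immutable": bool(flags & FS_IMMUTABLE_FL),
        "append_only": bool(flags & FS_APPEND_FL),
    }


def inode_flags(path):
    """Read the ext-style inode flags for `path`; needs no privileges on
    filesystems that support the ioctl, raises OSError on those that don't."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, b"\0" * struct.calcsize("l"))
        return struct.unpack("l", buf)[0]
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    # Hypothetical placeholder; pass the real tripwire/aide database path.
    db = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/aide/aide.db"
    with open("/proc/self/status") as f:
        status = f.read()
    print("CAP_LINUX_IMMUTABLE in bounding set:",
          cap_in_bounding_set(status, CAP_LINUX_IMMUTABLE))
    try:
        print(db, describe_inode_flags(inode_flags(db)))
    except OSError as e:
        print(db, "flags unreadable:", e)
```

A database reported as append-only while the capability is still in the bounding set is exactly the state the post describes: protected against accidental overwrite, but not against a root that simply clears the flag.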