Re: aide or tripwire
From: Brian Cervenka (focus-linux@tracking.zerobelow.org)
Date: 12/21/01
- Previous message: Philipp Schulte: "Re: aide or tripwire"
- Maybe in reply to: Robin Lynn Frank: "aide or tripwire"
- Next in thread: Kurt Seifried: "Re: aide or tripwire"
Date: Thu, 20 Dec 2001 16:53:12 -0800 (PST)
From: Brian Cervenka <focus-linux@tracking.zerobelow.org>
To: rdicaire@ardynet.com
> If it can be set, it can be unset. On a CDROM it's on a read-only
> filesystem.
Keep in mind, though, that some vulnerabilities only allow things like
overwriting a file that is root writable, or appending to a file -- not all
vulns allow code execution directly. chattr would have helped in this
case.
Also, if they can turn off chattr +i, what's to stop them from doing
something like mounting a loopback device that looks like a cd-rom?
Also, you need to keep your entire tripwire binaries on that cd-rom, so
that they can not be trojaned to look at a different database.
Also, you need to keep your entire os on a cd-rom so that it can not be
trojaned to run a different binary.
This is all about mitigating risks...you're not going to eliminate them.
The chattr thing can help in some circumstances, so it's not entirely
useless. But, yeah, it's probably a good idea to keep the database on
cd-rom.
--brian
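
The loopback concern raised in the message above can be turned into a pre-check before an integrity run: confirm that the mount point holding the database is a read-only iso9660/udf mount on an optical device and is not shadowed by a loop device. This is an added example, not part of the original message; the mount points are hypothetical and the optical device names (/dev/sr*, /dev/scd*) are an assumption about the host. It reads the kernel's mount table, so it only mitigates the risk: a trojaned kernel can misreport it.

```sh
#!/bin/sh
# Added example. Mount points are hypothetical; /dev/sr* and /dev/scd* are
# assumed to be the optical drive names on the host.

# check_db_mount MOUNTS MOUNTPOINT
# MOUNTS is a file in /proc/mounts format ("-" reads stdin). Prints a verdict
# and returns 0 only for a read-only iso9660/udf mount on an optical device.
check_db_mount() {
    # A later mount on the same mount point shadows an earlier one, so the
    # last matching line is the one the integrity checker would actually read.
    line=$(awk -v mp="$2" '$2 == mp { l = $0 } END { if (l != "") print l }' "$1")
    [ -n "$line" ] || { echo "not-mounted"; return 1; }
    read -r dev _mp fstype opts _rest <<EOF
$line
EOF
    case $dev in
        /dev/loop*) echo "loop-device"; return 1 ;;
        /dev/sr[0-9]*|/dev/scd[0-9]*) ;;
        *) echo "unexpected-device"; return 1 ;;
    esac
    case $fstype in
        iso9660|udf) ;;
        *) echo "unexpected-fstype"; return 1 ;;
    esac
    case ",$opts," in
        *,ro,*) ;;
        *) echo "not-read-only"; return 1 ;;
    esac
    echo "ok"
}

# Constructed sample in /proc/mounts format (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sr0 /mnt/tripwire-db iso9660 ro,relatime 0 0
/dev/loop0 /mnt/fake-cd iso9660 ro,relatime 0 0
/dev/sr0 /mnt/shadowed iso9660 ro 0 0
/dev/loop1 /mnt/shadowed iso9660 ro 0 0
/dev/sda1 /mnt/hd-db ext2 rw 0 0
EOF
}

for mp in /mnt/tripwire-db /mnt/fake-cd /mnt/shadowed /mnt/hd-db /mnt/none; do
    printf '%s: ' "$mp"
    sample_mounts | check_db_mount - "$mp" || true
done
```

On a live host, pass /proc/mounts as the first argument and the real mount point as the second.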