Re: Tripwire
From: Mihai Osian (zzz_at_zzz.com)
Date: 05/19/05
- In reply to: Rick Moen: "Re: Tripwire"
Date: Thu, 19 May 2005 18:51:49 +0200
Rick Moen wrote:
> Mihai Osian <zzz@zzz.com> wrote:
>
>
>> If an intruder can modify libc then I suppose he can modify anything
>> else on the system, right? He could replace tripwire altogether or just
>> filter its output. Once a cracker gets root access I don't think there
>> is a 100% sure method to detect him from that machine. I'm not a
>> security expert, so correct me if I'm wrong.
>
>
> I would have to go re-read a lot of documentation to give you a proper
> answer, so instead I'll give you a breezy overview: Tripwire is
> normally statically compiled; is recommended to be run from read-only
> media; and has elaborate cryptographic self-checks of itself, its
> databases, its policy files, and its reports.
>
> And anyone who promises "a 100% sure method" is trying to sell you
> something.
>
I did read the documentation :). Let me rephrase the "recommendation"
then: either you burn tripwire on a CD, or tripwire's cryptographic
self-checking isn't worth much if the root is compromised. Don't you
agree with me?
Mihai