Re: 'tripwire --check' does not require a passphrase

From: Walt Howard (howard@duh.chpc.utah.edu)
Date: 04/17/02


From: howard@duh.chpc.utah.edu (Walt Howard)
Date: 17 Apr 2002 20:00:17 GMT

In article <a9k1u9$rgr$2@hermes.acs.unt.edu>, <srt@nospam.unt.edu> wrote:
>Luke Vogel <luke@bell-bird.com.au> wrote:
>
>> I believe that the database should be saved on "read only" media in
>> which case the compromise would fail.
>
>But the intruder could install a custom tripwire, which looks in an
>entirely different place for its database, so you'd be none-the-wiser
>by just looking at your database.

The documentation that came with my copy of tripwire pointed this out
and listed all the files that needed to be on the read-only media.
The list included the tripwire binary as well as the database.
I suppose one could argue about the invoking crontab as well....

>My solution, which probably has holes as well, is to keep MD5
>checksums of the tripwire binary and all configuration files on
>separate media (or a separate system in some cases). There are only a
>few critical files that need to be checked (seems like there are about
>5, but I didn't go back and look) which can be done pretty quickly.

In other words, sort of a mini-tripwire for the tripwire files.
How do you do the md5 on the md5 program itself? Your solution is
not that much different from standard tripwire, although it might
be small enough to fit on a floppy, which is a nice cheap read-only
medium. Certainly the standard tripwire database will not fit on a
floppy.

-- 
Walt Howard
InterNet: whoward@ieee.org
BellNet: +1 801 585 0003
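The "mini-tripwire for the tripwire files" discussed above, as an added example that is not from the original thread: a small Python checker that baselines a handful of critical files into a sha256sum-compatible text file meant to live on read-only media, verifies them later, and adds its own source to the baseline, which is as close as a single tool gets to "md5 of the md5 program" (the paths in DEFAULT_FILES are assumptions; SHA-256 stands in for MD5, which is no longer collision resistant).

```python
#!/usr/bin/env python3
"""Mini-tripwire: baseline and verify a few critical files.

Keep the baseline file and this script on read-only media and run
the check from there, so the tripwire binary, policy, config and
crontab are themselves integrity-checked.
"""
import hashlib
import sys

# Assumed locations; adjust to the actual installation.
DEFAULT_FILES = ["/usr/sbin/tripwire", "/etc/tripwire/tw.cfg",
                 "/etc/tripwire/tw.pol", "/etc/crontab"]


def _read_file(path):
    with open(path, "rb") as f:
        return f.read()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths, reader=_read_file):
    """Return {path: sha256 hex}; a missing file is an error at init time."""
    return {p: digest(reader(p)) for p in paths}


def format_baseline(baseline):
    # "<hex>  <path>" per line: checkable with an independent sha256sum too.
    return "".join(f"{h}  {p}\n" for p, h in sorted(baseline.items()))


def parse_baseline(text):
    pairs = (ln.split("  ", 1) for ln in text.splitlines() if ln.strip())
    return {p: h for h, p in pairs}


def verify(baseline, reader=_read_file):
    """Return {path: 'changed'|'missing'}; an empty dict means all intact."""
    problems = {}
    for p, expected in baseline.items():
        try:
            actual = digest(reader(p))
        except (OSError, KeyError):  # KeyError: dict-backed reader in tests
            problems[p] = "missing"
            continue
        if actual != expected:
            problems[p] = "changed"
    return problems


if __name__ == "__main__":  # usage: init|check BASELINE [FILE...]
    cmd, base = sys.argv[1], sys.argv[2]
    if cmd == "init":  # include this checker itself in the baseline
        files = (sys.argv[3:] or DEFAULT_FILES) + [__file__]
        open(base, "w").write(format_baseline(build_baseline(files)))
    else:
        bad = verify(parse_baseline(open(base).read()))
        for p, why in bad.items():
            print(f"{why}: {p}")
        sys.exit(1 if bad else 0)
```

The baseline cannot vouch for the interpreter or the kernel it runs under, which is the residual gap the thread is circling; booting from known-good media is the usual answer.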