possible compromise or just misreading logs

Roger Marquis marquis at roble.com
Mon Dec 8 08:04:30 PST 2003


> > > No production environment should be without Tripwire (1.3 is my
> > > favorite version).  With the right wrapper script
> > > <http://www.roble.com/docs/twcheck> and off-line backups it's
> > > impossible to compromise a system without being detected.
> >
> > Unless there's another step you're not mentioning (eg, rebooting to an
> > OS installed on a physically write-protected device, or remounting your
> > drive on another machine with a trusted OS) "impossible" is probably too
> > strong a term here.
>
> Too strong? It's simply incorrect. It is very well possible to compromise a
> box and backdoor it without even touching the file system. To use an example
> from the Win32 world, a lot of the recent worms entirely lived in memory,
> and as of backdoors/rootkits, think of the now famous suckit...

Sure, unless you're running an Orange book A level system it's
impossible to secure anything.  But that's a rhetorical argument.
We're talking about filesystems here.

> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Wouldn't affect tripwire.  In addition to MD5 you'd need to spoof
snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
spoof them for, at a minimum, the tripwire binary and its database
file(s).

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
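As an added illustration of the multi-algorithm point above (example code written for this page, not Tripwire's own code and not the poster's): a small Python integrity checker that records several digests per file, keeps the database's own digests off-line, and reports every algorithm that fails to match. Python's hashlib does not ship snefru, md2, md4 or haval, so md5, sha1, sha256, blake2b and crc32 stand in for Tripwire's set. The file names, the temporary directory and the "backdoor" tampering in demo() are constructed for the demonstration; demo() also simulates an attacker who can only fix up the MD5 entry, and shows that the remaining algorithms, plus the check of the database file itself, still flag the change.

```python
"""Multi-digest file integrity baseline in the spirit of Tripwire's
multi-algorithm checks. Added example, not Tripwire code."""
import hashlib
import json
import os
import shutil
import tempfile
import zlib

# hashlib does not provide snefru/md2/md4/haval, so these stand in for
# Tripwire's algorithm set (assumption made for this example).
ALGORITHMS = ("md5", "sha1", "sha256", "blake2b")


def digests(path):
    """Return {algorithm: hex digest} for one file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    crc = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["crc32"] = "%08x" % (crc & 0xFFFFFFFF)
    return result


def build_baseline(paths, db_path):
    """Write a JSON baseline for `paths` and return the digests of the
    database file itself; those belong on read-only/off-line media so the
    database can be verified before it is trusted."""
    baseline = {p: digests(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(baseline, f, sort_keys=True)
    return digests(db_path)


def verify(db_path, db_digests):
    """Compare every baselined file against the database.

    Returns {path: [mismatched algorithm names]}; an empty dict means clean.
    The database is checked first against its off-line digests and reported
    under "__database__". Because every algorithm is compared, spoofing a
    single one (e.g. only MD5) still leaves the others to report the change.
    """
    report = {}
    current_db = digests(db_path)
    bad = [a for a in current_db if current_db[a] != db_digests.get(a)]
    if bad:
        report["__database__"] = bad
    with open(db_path) as f:
        baseline = json.load(f)
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        actual = digests(path)
        mismatched = [a for a in expected if actual[a] != expected[a]]
        if mismatched:
            report[path] = mismatched
    return report


def demo():
    """Constructed scenario: baseline two files, backdoor one, then simulate
    an attacker who can only patch the MD5 entry in the database.
    Returns (binary_path, clean_report, tampered_report, md5_spoofed_report)."""
    tmp = tempfile.mkdtemp()
    binary = os.path.join(tmp, "tripwire")      # hypothetical paths
    config = os.path.join(tmp, "tw.config")
    db = os.path.join(tmp, "tw.db")
    with open(binary, "wb") as f:
        f.write(b"ELF pretend binary v1\n")
    with open(config, "wb") as f:
        f.write(b"/usr/bin R\n")
    db_digests = build_baseline([binary, config], db)   # kept "off-line"
    clean = verify(db, db_digests)

    with open(binary, "wb") as f:                       # the backdoor
        f.write(b"ELF pretend binary v1 + backdoor\n")
    tampered = verify(db, db_digests)

    # MD5-only spoof: rewrite just the md5 entry to match the backdoored file.
    with open(db) as f:
        baseline = json.load(f)
    baseline[binary]["md5"] = digests(binary)["md5"]
    with open(db, "w") as f:
        json.dump(baseline, f, sort_keys=True)
    spoofed = verify(db, db_digests)

    shutil.rmtree(tmp)
    return binary, clean, tampered, spoofed


if __name__ == "__main__":
    _, clean, tampered, spoofed = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
    print("md5 spoof:", spoofed)
```

In the spoofed run two things are reported: the binary still mismatches on sha1, sha256, blake2b and crc32, and the database file itself no longer matches its off-line digests, which is the point about having to spoof the hashes of the database as well as of the monitored files.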


More information about the freebsd-security mailing list