possible compromise or just misreading logs

jan.muenther at nruns.com
Mon Dec 8 04:37:24 PST 2003


Hello,

> > No production environment should be without Tripwire (1.3 is my
> > favorite version).  With the right wrapper script
> > <http://www.roble.com/docs/twcheck> and off-line backups it's
> > impossible to compromise a system without being detected.
> 
> Unless there's another step you're not mentioning (eg, rebooting to an
> OS installed on a physically write-protected device, or remounting your
> drive on another machine with a trusted OS) "impossible" is probably too
> strong a term here.

Too strong? It's simply incorrect. It is very well possible to compromise a
box and backdoor it without even touching the file system. To use an example
from the Win32 world, a lot of the recent worms entirely lived in memory,
and as for backdoors/rootkits, think of the now famous suckit...

Apart from that, there are even tools (LKM based) which spoof MD5 checksums. 
Moral of the story: Don't ever assume you're invincible due to some product
or piece of software you run. 

Of course it makes sense to check the integrity of the system, but it's just
one layer of security. And also, Tripwire's not the only product out there,
you may want to look at AIDE for an open source alternative. Tripwire sort
of made me shake my head anyway, since their $$$ client/server suite
transfers data from the client to the server in plain text... which is,
erm, not exactly state of the art for a security product in 2003. 

> There's an implicit trust in using a system to integrity-check itself.

Indeed. 


Cheers, Jan