possible compromise or just misreading logs
Steve Francis
steve at expertcity.com
Mon Dec 8 09:26:07 PST 2003
jan.muenther at nruns.com wrote:
>>> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
>>
>> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
>> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
>> spoof them for, at a minimum, the tripwire binary and its database
>> file(s).
>
And just adding my voice to the "tripwire is good to run, but not a
panacea" argument - if a machine gets a KLM loaded in a compromise,
there is no way tripwire can be assured it is verifying the binary it
asks the kernel for information about. Nothing to stop the compromised
kernel returning the original binary for all requests, except for those
needed to do Evil. If you get a root compromise so that a KLM can be
loaded, all bets are off. Short of that, I think tripwire makes it very
very hard to change files on a system w/o being detected. As long as
that is all the faith you put in tripwire, and use to verify just that
purpose and no more, it's great, and it (or something like it, like AIDE)
is essential.
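To illustrate the multi-checksum argument made in the quoted reply and the trust boundary Steve describes, here is an added example (not part of the original thread, and not tripwire or AIDE code): a minimal baseline-and-compare integrity checker that records several independent digests plus size and mode for every file under a directory, then reports additions, removals and changes. The directory layout and file contents in `demo()` are constructed for the example. Like tripwire, it reads files through the kernel's ordinary file interface, so it detects any on-disk change but cannot, by itself, detect a kernel that lies about what is on disk.

```python
import hashlib
import json
import os
import tempfile
import zlib
from pathlib import Path

# Several unrelated digests: a tool that forges one of them still has to
# forge all the others for the same file (the point made in the quoted reply).
DIGESTS = ("md5", "sha1", "sha256")


def fingerprint(path):
    """Return independent checksums plus size and mode for one file."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    st = os.stat(path)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    out["size"] = st.st_size
    out["mode"] = st.st_mode
    return out


def build_baseline(root):
    """Fingerprint every regular file below root, keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Report files added, removed, or changed relative to the baseline.

    A file is 'changed' if any recorded attribute differs; the list names
    which attributes disagree, so a forged single digest would still show
    up as a mismatch on the remaining ones.
    """
    report = {"added": [], "removed": [], "changed": {}}
    for name in current:
        if name not in baseline:
            report["added"].append(name)
    for name, old in baseline.items():
        if name not in current:
            report["removed"].append(name)
            continue
        new = current[name]
        diffs = [key for key in old if old[key] != new.get(key)]
        if diffs:
            report["changed"][name] = diffs
    return report


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original")      # constructed content
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0\n")
        baseline = build_baseline(root)

        # Simulated tampering: same-length replacement (size unchanged),
        # one file removed, one file added.
        (root / "bin" / "ls").write_bytes(b"trojaned")
        (root / "etc" / "passwd").unlink()
        (root / "bin" / "rogue").write_bytes(b"new")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline database and the checker itself must live somewhere the monitored host cannot silently rewrite (read-only media, a separate host), and a check that matters should run from a trusted boot rather than under the kernel being audited, which is exactly the limitation the post describes.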