From owner-freebsd-security Sat Dec 12 13:20:22 1998
Message-ID: <19981212163532.A26497@weathership.homeport.org>
Date: Sat, 12 Dec 1998 16:35:32 -0500
From: Adam Shostack
To: Roger Marquis, security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
References: <199812120549.VAA18425@hub.freebsd.org>

On Fri, Dec 11, 1998 at 10:46:51PM -0800, Roger Marquis wrote:
| James Wyatt wrote:
| > This is a *great* idea! I had set the BIOS to boot w/o floppy and written
| > the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB
| Except when the floppy has bad sectors, and a large percent of floppies
| do, and sends the drive into an I/O loop that can't be fixed w/o a
| reboot.

It seems to me that that's a bug that ought to be fixed, that a bad
floppy can require a reboot.

| > how do you protect tripwire from modification?
|
| We keep the entire tripwire directory encrypted when not in use.

Encryption is not authentication. I'd urge that you look to an
authentication algorithm, such as md5-hmac or pgp signing.

I personally keep the tw databases on floppy; it's cheaper than
cd-rom, and I've yet to be bitten by a needed reboot.
(Floppies are cheaper because they're reusable; burn a CD, make some
changes, burn a new cd.)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume
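
The "encryption is not authentication" point from the message above, as an added example that is not code from the thread or from Tripwire: a record encrypted without a MAC can be altered and still decrypts cleanly, while an HMAC over the ciphertext rejects the change. The XOR keystream cipher is a toy stand-in for a stream cipher, the record layout, keys and function names are constructed, and HMAC-SHA-256 is used here in place of the md5-hmac named in the message.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (same operation both ways)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def tag(mac_key: bytes, data: bytes) -> bytes:
    """Authentication tag over the stored bytes."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def verify(mac_key: bytes, data: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(tag(mac_key, data), expected)

def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change known plaintext bytes without the key: XOR (old ^ new) into the ciphertext."""
    end = offset + len(old)
    patched = bytes(c ^ a ^ b for c, a, b in zip(ciphertext[offset:end], old, new))
    return ciphertext[:offset] + patched + ciphertext[end:]

# Constructed sample: one line of a hypothetical integrity database.
RECORD = b"/bin/login 0755 root d41d8cd98f00b204e9800998ecf8427e\n"
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-mac-key"  # kept separate from the encryption key

def demo():
    stored = xor_crypt(ENC_KEY, RECORD)
    stored_tag = tag(MAC_KEY, stored)      # tag is kept with the read-only copy
    altered = tamper(stored, RECORD.index(b"0755"), b"0755", b"4755")
    decrypted = xor_crypt(ENC_KEY, altered)  # decryption raises no error
    return decrypted, verify(MAC_KEY, stored, stored_tag), verify(MAC_KEY, altered, stored_tag)

if __name__ == "__main__":
    plaintext, original_ok, altered_ok = demo()
    print(plaintext, original_ok, altered_ok)
```

Decryption alone gives no signal that the mode field changed; only the tag check distinguishes the two copies.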