Date: Wed, 19 Jun 2002 01:27:51 +0200
From: Maxlor <mail@maxlor.com>
To: freebsd-security@freebsd.org
Subject: preventing tampering with tripwire
Message-ID: <27700541.1024450071@[10.0.0.16]>

After being rooted recently (no idea how it happened - I was following the SAs and whatnot... and yes, I already formatted and reinstalled), I decided to install tripwire, so I would be alerted to something like that sooner.

The thing installed fine and is running ok, there's just this one thing that's puzzling me: How do I prevent an intruder that somehow gains root on my machine from simply replacing the tripwire binary with one that always gives me an "everything ok" report?

I've been considering putting the binary on a floppy or CD, but then an intruder could simply unmount the disk and place the replacement binaries in the mountpoint dir.

I'm currently running tripwire as a nightly cronjob, and I'd rather not resort to mounting a disk, running tripwire from it manually, then unmounting it. You know, my laziness and the effort needed to do this would lead to me eventually no longer doing it...

So, how did you solve this problem?

Greetings
Maxlor