From owner-freebsd-security Tue Jun 18 16:28:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from maxlor.mine.nu (c-213-160-32-54.customer.ggaweb.ch [213.160.32.54]) by hub.freebsd.org (Postfix) with SMTP id F13C437B408 for ; Tue, 18 Jun 2002 16:28:01 -0700 (PDT)
Received: (qmail 65528 invoked by uid 92); 18 Jun 2002 23:27:54 -0000
Received: from merlin.intranet (HELO ?10.0.0.16?) (10.0.0.16) by midgard.intranet with SMTP; 18 Jun 2002 23:27:54 -0000
Date: Wed, 19 Jun 2002 01:27:51 +0200
From: Maxlor
To: freebsd-security@freebsd.org
Subject: preventing tampering with tripwire
Message-ID: <27700541.1024450071@[10.0.0.16]>
X-Mailer: Mulberry/2.2.1 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

After being rooted recently (no idea how it happened - I was following the SAs and whatnot... and yes, I already formatted and reinstalled), I decided to install tripwire, so I would be alerted to something like that sooner.

The thing installed fine and is running ok, there's just this one thing that's puzzling me: How do I prevent an intruder that somehow gains root on my machine from simply replacing the tripwire binary with one that always gives me an "everything ok" report?

I've been considering putting the binary on a floppy or CD, but then an intruder could simply unmount the disk and place the replacement binaries in the mountpoint dir.

I'm currently running tripwire as a nightly cronjob, and I'd rather not resort to mounting a disk, running tripwire from it manually, then unmounting it. You know, my laziness and the effort needed to do this would lead to me eventually no longer doing it...

So, how did you solve this problem?

Greetings
Maxlor
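The following is an added example, not code from the thread or from the tripwire project. It shows one way to build the "binary on read-only media" idea from the post into the nightly cron job so that the two tampering cases raised above (the binary being swapped, and files being planted in an unmounted mount-point directory) cause the job to refuse to run and report, rather than silently producing a clean result. The mount point `/mnt/tripwire`, the binary path under it, the `TRIPWIRE_WRAPPER_RUN` environment variable and the all-zero hash are assumptions and placeholders; the real hash of the known-good binary would be recorded somewhere the host cannot alter.

```shell
#!/bin/sh
# Added example (not from the original post): a cron wrapper that only runs
# tripwire if it comes from media that is actually mounted and whose binary
# matches a hash recorded off-host. Paths and the hash are placeholders.

TRUSTED_MOUNT="/mnt/tripwire"          # assumed mount point of the CD/floppy
TRUSTED_BIN="$TRUSTED_MOUNT/tripwire"  # assumed location of the binary on it
# Placeholder: replace with the SHA-256 of the known-good binary, kept off-host.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file with whichever tool the host provides
# (sha256sum on GNU userlands, sha256 -q on FreeBSD). Fails if neither exists
# or the file cannot be read.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        return 1
    fi
}

# Return 0 if DIR is itself a mount point, i.e. a filesystem is mounted there
# rather than files sitting in the empty directory under the mount point.
# Compares the "mounted on" column df reports for DIR and for its parent;
# they differ exactly when DIR is where a filesystem is mounted.
is_mountpoint() {
    dir=$1
    mnt_dir=$(df -P "$dir" 2>/dev/null | awk 'NR==2 {print $NF}')
    mnt_parent=$(df -P "$dir/.." 2>/dev/null | awk 'NR==2 {print $NF}')
    [ -n "$mnt_dir" ] && [ "$mnt_dir" != "$mnt_parent" ]
}

# Return 0 if FILE's SHA-256 equals EXPECTED, 1 otherwise (also on read error).
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# Gate the nightly check. Returns 2 if the media is not mounted, 3 if the
# binary does not match the recorded hash; otherwise runs the binary with
# whatever arguments cron passes (tripwire's own flags are up to the caller).
run_trusted_tripwire() {
    if ! is_mountpoint "$TRUSTED_MOUNT"; then
        echo "refusing to run: $TRUSTED_MOUNT is not a mounted filesystem" >&2
        return 2
    fi
    if ! verify_sha256 "$TRUSTED_BIN" "$EXPECTED_SHA256"; then
        echo "refusing to run: $TRUSTED_BIN does not match the recorded hash" >&2
        return 3
    fi
    "$TRUSTED_BIN" "$@"
}

# Cron entry (assumed): TRIPWIRE_WRAPPER_RUN=1 /path/to/wrapper.sh <tripwire args>
if [ "${TRIPWIRE_WRAPPER_RUN:-0}" = "1" ]; then
    run_trusted_tripwire "$@"
fi
```

Because the wrapper and the cron entry live on the same disk as everything else, an intruder with root can edit them too; what this buys is that the comparison hash and the nightly report are things you check from elsewhere, so a missing or altered report is itself the alarm. The stronger version of the same idea is to mount the media read-only (or use hardware-write-protected media), run the check from another host over the network, and keep the tripwire database there as well.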