Date: Tue, 18 Jun 2002 23:40:20 +0000
From: Baldur Gislason <baldur@foo.is>
To: Maxlor <mail@maxlor.com>
Cc: freebsd-security@freebsd.org
Subject: Re: preventing tampering with tripwire
Message-ID: <20020618234139.D1F422744@tesla.foo.is>
In-Reply-To: <27700541.1024450071@[10.0.0.16]>
References: <27700541.1024450071@[10.0.0.16]>
Use kern.securelevel 1 or higher and man chflags, set the tripwire binary schg so it cannot be tampered with. Of course there's no such thing as absolute security, but this moves you just a step closer. Unless the intruder performs a reboot and makes his changes before the kernel securelevel is raised on boot.

Baldur

On Tuesday 18 June 2002 23:27, you wrote:
> After being rooted recently (no idea how it happened - I was following the
> SAs and whatnot... and yes, I already formatted and reinstalled), I decided
> to install tripwire, so I would be alerted to something like that sooner.
>
> The thing installed fine and is running ok, there's just this one thing
> that's puzzling me:
>
> How do I prevent an intruder that somehow gains root on my machine from
> simply replacing the tripwire binary with one that always gives me an
> "everything ok" report?
>
> I've been considering putting the binary on a floppy or CD, but then an
> intruder could simply unmount the disk and place the replacement binaries
> in the mountpoint dir.
>
> I'm currently running tripwire as a nightly cronjob, and I'd rather not
> resort to mounting a disk, running tripwire from it manually, then
> unmounting it. You know, my laziness and the effort needed to do this would
> lead to me eventually no longer doing it...
>
> So, how did you solve this problem?
>
> Greetings
> Maxlor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
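The advice above (schg plus kern.securelevel >= 1) as a worked example. This is an added script, not something posted in the thread; the tripwire paths and the rc.conf edits are assumptions for illustration. The protection_status function encodes the reason both halves are needed: schg alone is not enough at securelevel 0, because root can clear it, and the user-level uchg flag is no protection at any securelevel. The real chflags/sysctl calls only run as root on a FreeBSD host, so the check logic itself can be exercised anywhere.

```sh
#!/bin/sh
# Added example (not from the list thread): make the tripwire binary and
# database immutable, raise the securelevel, and check that both hold.
# Paths below are assumed install locations, not anything the thread states.

TRIPWIRE_BIN=/usr/local/sbin/tripwire   # assumed
TRIPWIRE_DB=/var/db/tripwire            # assumed

# protection_status FLAGS LEVEL
#   FLAGS: the flags field as printed by `ls -lo` ("-", "schg", "schg,uarch", ...)
#   LEVEL: value of sysctl kern.securelevel
# A file is only safe from a root intruder who has not rebooted when the
# *system* immutable flag (schg) is set AND kern.securelevel >= 1.  At
# securelevel 0 root can `chflags noschg` it; the user flag uchg can be
# cleared by root at any securelevel and so counts for nothing here.
protection_status() {
    flags=$1
    level=$2
    case ",$flags," in
        *,schg,*) immutable=1 ;;
        *)        immutable=0 ;;
    esac
    if [ "$immutable" -eq 1 ] && [ "$level" -ge 1 ]; then
        echo "protected"
    elif [ "$immutable" -eq 1 ]; then
        echo "schg set but securelevel $level: root can clear the flag"
    else
        echo "not immutable"
    fi
}

# The operational part: only meaningful (and only available) on FreeBSD as root.
if [ "$(uname -s)" = "FreeBSD" ] && [ "$(id -u)" -eq 0 ]; then
    # Binary and database both get schg: an intruder who can rewrite the
    # database gets the same "everything ok" report as one who swaps the binary.
    chflags schg "$TRIPWIRE_BIN"
    chflags -R schg "$TRIPWIRE_DB"

    # Raise the securelevel now, and make rc raise it again on every boot.
    sysctl kern.securelevel=1
    grep -q '^kern_securelevel_enable=' /etc/rc.conf || {
        printf 'kern_securelevel_enable="YES"\nkern_securelevel="1"\n' >> /etc/rc.conf
    }

    # Verify: `ls -lo` prints the flags as the fifth field.
    flags=$(ls -lo "$TRIPWIRE_BIN" | awk '{print $5}')
    level=$(sysctl -n kern.securelevel)
    echo "$TRIPWIRE_BIN: $(protection_status "$flags" "$level")"
fi
```

Two consequences to plan for. Once the database is schg at securelevel 1, a legitimate `tripwire --update` after a patch needs the flag cleared, which means dropping to single-user mode (the securelevel cannot be lowered on a running system), so schedule updates around reboots. And, as the reply notes, the securelevel is raised by rc during boot: whatever an intruder can change that takes effect before that point, /etc/rc.conf included, is outside this protection unless it too carries schg.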
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020618234139.D1F422744>