From owner-freebsd-security Tue Jun 18 16:42: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from tesla.foo.is (tesla.reverse-bias.org [217.151.166.96]) by hub.freebsd.org (Postfix) with ESMTP id 84AFF37B408; Tue, 18 Jun 2002 16:41:46 -0700 (PDT)
Received: from there (eniac.foo.is [192.168.1.25]) by tesla.foo.is (Postfix) with SMTP id D1F422744; Tue, 18 Jun 2002 23:41:39 +0000 (GMT)
Content-Type: text/plain; charset="iso-8859-1"
From: Baldur Gislason
To: Maxlor
Cc: freebsd-security@freebsd.org
Subject: Re: preventing tampering with tripwire
Date: Tue, 18 Jun 2002 23:40:20 +0000
X-Mailer: KMail [version 1.3.2]
References: <27700541.1024450071@[10.0.0.16]>
In-Reply-To: <27700541.1024450071@[10.0.0.16]>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020618234139.D1F422744@tesla.foo.is>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Use kern.securelevel 1 or higher and man chflags; set the tripwire binary schg so it cannot be tampered with. Of course there's no such thing as absolute security, but this moves you just a step closer. Unless the intruder performs a reboot and makes his changes before the kernel securelevel is raised on boot.

Baldur

On Tuesday 18 June 2002 23:27, you wrote:
> After being rooted recently (no idea how it happened - I was following the
> SAs and whatnot... and yes, I already formatted and reinstalled), I decided
> to install tripwire, so I would be alerted to something like that sooner.
>
> The thing installed fine and is running ok, there's just this one thing
> that's puzzling me:
>
> How do I prevent an intruder that somehow gains root on my machine from
> simply replacing the tripwire binary with one that always gives me an
> "everything ok" report?
>
> I've been considering putting the binary on a floppy or CD, but then an
> intruder could simply unmount the disk and place the replacement binaries
> in the mountpoint dir.
>
> I'm currently running tripwire as a nightly cronjob, and I'd rather not
> resort to mounting a disk, running tripwire from it manually, then
> unmounting it. You know, my laziness and the effort needed to do this would
> lead to me eventually no longer doing it...
>
> So, how did you solve this problem?
>
> Greetings
> Maxlor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
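One way to verify the two conditions Baldur names on a running host, as an added example that is not part of the original thread: it reads the flags field of FreeBSD `ls -lo` output for the tripwire binary and the `kern.securelevel` value, and uses constructed sample lines so the logic also runs on a non-FreeBSD machine (the binary path `/usr/local/sbin/tripwire` is an assumption).

```sh
#!/bin/sh
# Added example, not from the thread: checks the schg flag on the tripwire
# binary and that kern.securelevel is 1 or higher.
# Constructed sample lines in FreeBSD `ls -lo` format (file flags are field 5).
SAMPLE_PROTECTED='-r-xr-xr-x  1 root  wheel  schg 1234567 Jun 18  2002 /usr/local/sbin/tripwire'
SAMPLE_UNPROTECTED='-r-xr-xr-x  1 root  wheel  - 1234567 Jun 18  2002 /usr/local/sbin/tripwire'

# 0 if the flags field of an `ls -lo` line contains schg (system immutable).
has_schg() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,schg,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the securelevel value stops root from clearing schg (level 1 or higher).
# Non-integers and the permanently insecure level -1 are rejected.
securelevel_locks_flags() {
    case "$1" in
        ''|*[!0-9-]*) return 1 ;;
    esac
    [ "$1" -ge 1 ]
}

# Prints a verdict and returns 0 only when both conditions hold. The reboot
# window Baldur mentions (changes made before securelevel is raised) is not
# closed by this check.
tripwire_binary_state() {
    line=$1; level=$2
    if ! has_schg "$line"; then
        echo "UNPROTECTED: no schg flag, root can replace the binary"
        return 1
    fi
    if ! securelevel_locks_flags "$level"; then
        echo "WEAK: schg is set but securelevel $level lets root clear it"
        return 1
    fi
    echo "PROTECTED: schg is set and securelevel $level locks it until reboot"
}

# Live audit on a FreeBSD host; elsewhere it evaluates the constructed samples.
audit() {
    bin=${1:-/usr/local/sbin/tripwire}
    if [ "$(uname -s)" = FreeBSD ] && [ -e "$bin" ]; then
        tripwire_binary_state "$(ls -lo "$bin")" "$(sysctl -n kern.securelevel)"
    else
        tripwire_binary_state "$SAMPLE_PROTECTED" 1
        tripwire_binary_state "$SAMPLE_UNPROTECTED" 1
    fi
}
```

Run `audit` from cron alongside the nightly tripwire job so a cleared flag or lowered securelevel shows up in the report rather than going unnoticed.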