From owner-freebsd-security  Tue Jun 18 16:50:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18])
	by hub.freebsd.org (Postfix) with ESMTP id EB49237B40B
	for <freebsd-security@FreeBSD.ORG>; Tue, 18 Jun 2002 16:50:04 -0700 (PDT)
Date: Tue, 18 Jun 2002 19:49:59 -0400
From: Klaus Steden <klaus@compt.com>
To: Maxlor <mail@maxlor.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
Message-ID: <20020618194958.K99167@cthulu.compt.com>
References: <27700541.1024450071@[10.0.0.16]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <27700541.1024450071@[10.0.0.16]>; from mail@maxlor.com on Wed, Jun 19, 2002 at 01:27:51AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Read-only media is a good thing, too.

It may be overkill (in the case of security, is there such a thing, though?),
but you could re-purpose an old disk drive, add security tools you want to it,
and jumper it read-only. That wouldn't necessarily prevent your database from
being compromised, but your tools would be intact.

With a read-only disk, I would ...

- install the security tools you want on it
- generate any baseline configuration data and signatures
- make the disk physically read-only
- run your nightly cron jobs, comparing your daily results against your
read-only baseline.

Of course, every time you upgrade something, you'll have to unjumper the disk,
update your signatures, and rejumper it, but that's not really such a big
deal when compared with what else you might have to do. :>

Keeping known good copies of essential programs (ls, find, dd, netstat, route,
ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too.

You could accomplish this with CDROMs if you don't want to use a disk drive,
but you lose the option of rewritability.

hope this helps,
Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message