Date: Tue, 18 Jun 2002 17:15:52 -0700 (PDT)
From: twig les <twigles@yahoo.com>
To: Klaus Steden <klaus@compt.com>, Maxlor <mail@maxlor.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
Message-ID: <20020619001552.79019.qmail@web10108.mail.yahoo.com>
In-Reply-To: <20020618194958.K99167@cthulu.compt.com>

You can also write a script to grab the signature of the tripwire binary itself from a remote server. A co-worker of mine is doing something like this right now and I'll ask him about it, but my gut says it'll be hush-hush secret.

Don't forget to direct syslog output to a line printer BTW. ;)

--- Klaus Steden <klaus@compt.com> wrote:
> Read-only media is a good thing, too.
>
> It may be overkill (in the case of security, is there such a thing, though?),
> but you could re-purpose an old disk drive, add security tools you want to it,
> and jumper it read-only. That wouldn't necessarily prevent your database from
> being compromised, but your tools would be intact.
>
> With a read-only disk, I would ...
>
> - install the security tools you want on it
> - generate any baseline configuration data and signatures
> - make the disk physically read-only
> - run your nightly cron jobs, comparing your daily results against your
>   read-only baseline.
>
> Of course, every time you upgrade something, you'll have to unjumper the disk,
> update your signatures, and rejumper it, but that's not really such a big
> deal when compared with what else you might have to do. :>
>
> Keeping known good copies of essential programs (ls, find, dd, netstat, route,
> ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too.
>
> You could accomplish this with CDROMs if you don't want to use a disk drive,
> but you lose the option of rewritability.
>
> hope this helps,
> Klaus
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------
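
The nightly comparison against a read-only baseline described in the quoted message, as an added example that is not part of the original thread. The function names, the manifest layout ("hash  path" per line), the /mnt/ro path and the choice of SHA-256 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare current file hashes against a baseline manifest
# kept on read-only media. All names and paths here are assumptions.

# Print the SHA-256 of a file with whichever tool is present
# (sha256 on FreeBSD, sha256sum elsewhere). Ideally the hashing tool
# itself is a known good copy run from the read-only media.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline FILE... : emit one "hash  path" line per file.
# Run this once, before the disk is made read-only.
make_baseline() {
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_baseline MANIFEST : report every listed file that is missing
# or whose hash differs; returns 0 only if all entries match.
verify_baseline() {
    bad=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED  $path"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Nightly cron usage (hypothetical path):
#   verify_baseline /mnt/ro/baseline.sha256 || echo "baseline check failed"
```

The same `verify_baseline` call works on a manifest fetched from a remote server, provided the fetch itself is done over a channel the monitored host cannot tamper with.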