From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 04:37:24 2003
Date: Mon, 8 Dec 2003 13:35:01 +0100
From: jan.muenther@nruns.com
To: Jan Grant
cc: freebsd-security@freebsd.org
cc: Roger Marquis
Subject: Re: possible compromise or just misreading logs
Message-ID: <20031208123501.GA87554@ergo.nruns.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031207204521.195E9DAC92@mx7.roble.com>
List-Id: Security issues [members-only posting]

Hello,

> > No production environment should be without Tripwire (1.3 is my
> > favorite version). With the right wrapper script and off-line backups it's
> > impossible to compromise a system without being detected.
>
> Unless there's another step you're not mentioning (eg, rebooting to an
> OS installed on a physically write-protected device, or remounting your
> drive on another machine with a trusted OS) "impossible" is probably too
> strong a term here.

Too strong? It's simply incorrect. It is very well possible to compromise a
box and backdoor it without even touching the file system. To use an example
from the Win32 world, a lot of the recent worms entirely lived in memory, and
as for backdoors/rootkits, think of the now famous suckit... Apart from that,
there are even tools (LKM based) which spoof MD5 checksums.

Moral of the story: Don't ever assume you're invincible due to some product
or piece of software you run. Of course it makes sense to check the integrity
of the system, but it's just one layer of security.

And also, Tripwire's not the only product out there, you may want to look at
AIDE for an open source alternative. Tripwire sort of made me shake my head
anyway, since their $$$ client/server suite transfers data from the client to
the server in plain text... which is, erm, not exactly state of the art for a
security product in 2003.

> There's an implicit trust in using a system to integrity-check itself.

Indeed.

Cheers, Jan
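The thread turns on two points: an integrity checker such as Tripwire or AIDE only sees the file system it is pointed at, and it inherits whatever trust the host it runs on deserves. The following is an added illustration of the mechanism being discussed, written for this page; it is not code from the thread, from Tripwire or from AIDE, and the function names (build_baseline, compare_baseline, demo) and the constructed sample tree are the editor's own. It records a SHA-256 digest, size and permission bits for every regular file under a root, stores that baseline in a separate location (standing in for the off-line copy the first poster mentions), and later reports files that were added, removed or changed. A kernel-level rootkit of the kind Jan describes can feed stale file contents to exactly this kind of tool, which is why the baseline comparison is best done from a trusted OS on another machine.

```python
"""Minimal file-integrity baseline and check, in the spirit of Tripwire/AIDE.

Added example for the thread above; not code from the thread, Tripwire or
AIDE. Function names and the sample tree in demo() are constructed here.
Running this on the host it checks inherits the host's trust: an LKM rootkit
that lies about file contents defeats it, as the thread points out.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for regular files under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare_baseline(root, baseline):
    """Return (added, removed, changed) relative paths versus a stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline)
                     if current[p] != baseline[p])
    return added, removed, changed


def save_baseline(baseline, path):
    """Persist the baseline; in practice this file lives on read-only or off-host media."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a tiny 'bin' tree, then tamper with it.

    ps is overwritten with content of the same size (a size-only check would
    miss it), sshd is added, netstat is removed. Returns (added, removed, changed).
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("netstat", b"netstat-v1")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)
        db = os.path.join(store, "baseline.json")  # "store" stands in for off-host storage
        save_baseline(build_baseline(root), db)

        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"ps-v2")  # same length as "ps-v1", different digest
        with open(os.path.join(bindir, "sshd"), "wb") as fh:
            fh.write(b"new")
        os.remove(os.path.join(bindir, "netstat"))

        return compare_baseline(root, load_baseline(db))


if __name__ == "__main__":
    print(demo())
```

The comparison keys on content digest rather than size or mtime because those are trivially preserved by an attacker who rewrites a binary; the thread's deeper caveat still stands, since the digests are only as honest as the kernel serving the file reads.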