From owner-freebsd-security Tue Jun 18 21:35:54 2002
From: "Eric F Crist" (ecrist@adtechintegrated.com)
To: "'Klaus Steden'", "'Maxlor'"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: preventing tampering with tripwire
Date: Tue, 18 Jun 2002 23:34:46 -0500
In-Reply-To: <20020618194958.K99167@cthulu.compt.com>

AFAIK, you could use a simple floppy disk, possibly a secondary one if you use the primary one (they're only like $20 US nowadays...). That makes the setting and un-setting of read-only fairly simple. I don't remember how big tripwire (the executable) and its config files are, or you *could* use a ZIP disk.

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Klaus Steden
Sent: Tuesday, June 18, 2002 6:50 PM
To: Maxlor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire

Read-only media is a good thing, too.
It may be overkill (in the case of security, is there such a thing, though?), but you could re-purpose an old disk drive, add the security tools you want to it, and jumper it read-only. That wouldn't necessarily prevent your database from being compromised, but your tools would be intact.

With a read-only disk, I would ...

- install the security tools you want on it
- generate any baseline configuration data and signatures
- make the disk physically read-only
- run your nightly cron jobs, comparing your daily results against your read-only baseline.

Of course, every time you upgrade something, you'll have to unjumper the disk, update your signatures, and rejumper it, but that's not really such a big deal when compared with what else you might have to do. :>

Keeping known good copies of essential programs (ls, find, dd, netstat, route, ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too. You could accomplish this with CDROMs if you don't want to use a disk drive, but you lose the option of rewritability.

hope this helps,
Klaus

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
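The baseline-and-compare routine Klaus outlines (record signatures of the tools once, keep that record on read-only media, then have a cron job compare the live files against it) can be shown in a few lines of POSIX shell. This is an added example for this archive, not code from the thread and not tripwire itself; the function names, the portable SHA-256 wrapper and the throwaway sample directory are all constructed for illustration, and the demo writes its baseline to a temporary location where the real setup would write it to the jumpered disk.

```shell
#!/bin/sh
# Added example, not from the thread and not part of tripwire: a minimal
# "baseline on read-only media, nightly compare from cron" integrity check.
# All names here (hash_file, make_baseline, check_baseline, demo) are assumed.

# Portable SHA-256 of one file: sha256sum (Linux), sha256 (FreeBSD), else shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# make_baseline <dir> <outfile>: record "<hash>  <path>" for every regular file
# under <dir>, sorted by line so that comm(1) can compare two listings directly.
make_baseline() {
    mb_dir=$1; mb_out=$2
    find "$mb_dir" -type f | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done | LC_ALL=C sort > "$mb_out"
}

# has_path <listfile> <path>: true if <path> appears (with any hash) in <listfile>.
# Relies on the exact "<hash>  <path>" layout written above (two spaces).
has_path() {
    awk -v p="$2" 'substr($0, length($1) + 3) == p { found = 1 } END { exit !found }' "$1"
}

# check_baseline <dir> <baseline>: rebuild the listing for <dir> and report each
# CHANGED, MISSING or ADDED file relative to <baseline>. Exit 0 only if identical.
check_baseline() {
    cb_dir=$1; cb_base=$2
    cb_cur=$(mktemp) || return 2
    make_baseline "$cb_dir" "$cb_cur"
    # Lines in the baseline with no identical line now: the file changed or is gone.
    LC_ALL=C comm -23 "$cb_base" "$cb_cur" | while read -r h f; do
        if has_path "$cb_cur" "$f"; then printf 'CHANGED %s\n' "$f"
        else printf 'MISSING %s\n' "$f"; fi
    done
    # Lines present now but absent from the baseline, excluding changed files: new files.
    LC_ALL=C comm -13 "$cb_base" "$cb_cur" | while read -r h f; do
        has_path "$cb_base" "$f" || printf 'ADDED   %s\n' "$f"
    done
    n=$(LC_ALL=C comm -3 "$cb_base" "$cb_cur" | wc -l | tr -d ' ')
    rm -f "$cb_cur"
    [ "$n" -eq 0 ]
}

# Demo on a constructed, throwaway "tool directory" (text files standing in for binaries).
demo() {
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/bin"
    printf 'stand-in for ls\n'      > "$sandbox/bin/ls"
    printf 'stand-in for netstat\n' > "$sandbox/bin/netstat"
    baseline="$sandbox/baseline"   # in real use: written once, then the media goes read-only
    make_baseline "$sandbox/bin" "$baseline"
    echo "== unmodified tree"
    check_baseline "$sandbox/bin" "$baseline" && echo "OK: matches baseline"
    printf 'something else\n' > "$sandbox/bin/ls"    # simulated modification
    rm "$sandbox/bin/netstat"                        # simulated removal
    printf 'unexpected\n' > "$sandbox/bin/extra"     # simulated addition
    echo "== modified tree"
    check_baseline "$sandbox/bin" "$baseline" || echo "ALERT: tree differs from baseline"
    rm -rf "$sandbox"
}
demo
```

In the nightly cron job the check would be invoked as `check_baseline /path/to/ro-media/bin /path/to/ro-media/baseline` and its non-zero exit used to raise an alert; because the listing is rebuilt with the hash tool from the same read-only media, the comparison does not depend on the writable system's copy of sha256 or find. Paths containing newlines are not handled, which is an accepted simplification for a directory of named tools.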