From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 08:04:29 2003
Date: Mon, 8 Dec 2003 08:04:28 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20031208123501.GA87554@ergo.nruns.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031208123501.GA87554@ergo.nruns.com>
Message-Id: <20031208160428.DDF8FDAE9A@mx7.roble.com>
Subject: Re: possible compromise or just misreading logs

> > > No production environment should be without Tripwire (1.3 is my
> > > favorite version). With the right wrapper script and off-line backups
> > > it's impossible to compromise a system without being detected.
> >
> > Unless there's another step you're not mentioning (eg, rebooting to an
> > OS installed on a physically write-protected device, or remounting your
> > drive on another machine with a trusted OS) "impossible" is probably too
> > strong a term here.
>
> Too strong? It's simply incorrect. It is very well possible to compromise a
> box and backdoor it without even touching the file system. To use an example
> from the Win32 world, a lot of the recent worms entirely lived in memory,
> and as of backdoors/rootkits, think of the now famous suckit...
Sure, unless you're running an Orange Book A-level system it's impossible to
secure anything. But that's a rhetorical argument. We're talking about
filesystems here.

> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Wouldn't affect tripwire. In addition to MD5 you'd need to spoof snefru,
crc32, crc16, md4, md2, sha, and haval, and you'd have to spoof them for, at
a minimum, the tripwire binary and its database file(s).

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
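As an added illustration (not code from this thread or from Tripwire), a small Python integrity checker in the spirit of the multi-digest database argued for above: it stores several digests per file and, on verification, treats partial agreement between them as an alarm in its own right. File paths and contents are constructed for the demo; hashlib supplies md5 and sha1 and zlib supplies crc32, a reduced stand-in for Tripwire's longer algorithm list.

```python
import hashlib
import zlib

# Digests compared per file. Assumed set for this example; Tripwire 1.3's
# fuller list (snefru, haval, md2, md4, crc16, ...) is not in hashlib.
ALGORITHMS = ("md5", "sha1", "crc32")


def digests(data):
    """Return {algorithm: hex digest} for one file's bytes."""
    out = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1")}
    out["crc32"] = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
    return out


def build_baseline(files):
    """files: {path: bytes}. Returns the integrity database {path: digests}."""
    return {path: digests(data) for path, data in files.items()}


def verify(baseline, current):
    """Compare the database with freshly computed digests {path: digests}.

    Status per path: 'ok' (all agree), 'changed' (all differ), 'missing', or
    'inconsistent' (some agree, some differ). Any edit to the content alters
    every digest, so a partial match cannot be a plain edit: it points at a
    forged result from one digest routine and is reported as an alarm.
    """
    report = {}
    for path, expected in baseline.items():
        now = current.get(path)
        if now is None:
            report[path] = "missing"
            continue
        hits = [now[a] == expected[a] for a in ALGORITHMS]
        if all(hits):
            report[path] = "ok"
        elif not any(hits):
            report[path] = "changed"
        else:
            report[path] = "inconsistent"
    return report


def demo():
    """Constructed scenario: untouched, edited, and edited-with-forged-MD5 files."""
    original = b"#!/bin/sh\necho original\n"
    baseline = build_baseline({"/bin/a": original, "/bin/b": original, "/bin/c": original})
    edited = original + b"echo added\n"
    current = {"/bin/a": digests(original), "/bin/b": digests(edited), "/bin/c": digests(edited)}
    # Model of a checker whose MD5 result alone has been forged back to the
    # baseline value (sha1 and crc32 stay honest); constructed for the demo.
    current["/bin/c"]["md5"] = baseline["/bin/c"]["md5"]
    return verify(baseline, current)


if __name__ == "__main__":
    for path, status in demo().items():
        print(path, status)
```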