Date:      Mon, 8 Dec 2003 08:04:28 -0800 (PST)
From:      Roger Marquis <marquis@roble.com>
To:        freebsd-security@freebsd.org
Subject:   Re: possible compromise or just misreading logs
Message-ID:  <20031208160428.DDF8FDAE9A@mx7.roble.com>
In-Reply-To: <20031208123501.GA87554@ergo.nruns.com>
References:  <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com>

> > > No production environment should be without Tripwire (1.3 is my
> > > favorite version).  With the right wrapper script
> > > <http://www.roble.com/docs/twcheck>; and off-line backups it's
> > > impossible to compromise a system without being detected.
> >
> > Unless there's another step you're not mentioning (eg, rebooting to an
> > OS installed on a physically write-protected device, or remounting your
> > drive on another machine with a trusted OS) "impossible" is probably too
> > strong a term here.
>
> Too strong? It's simply incorrect. It is very well possible to compromise a
> box and backdoor it without even touching the file system. To use an example
> from the Win32 world, a lot of the recent worms entirely lived in memory,
> and as of backdoors/rootkits, think of the now famous suckit...

Sure, unless you're running an Orange book A level system it's
impossible to secure anything.  But that's a rhetorical argument.
We're talking about filesystems here.

> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Wouldn't affect tripwire.  In addition to MD5 you'd need to spoof
snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
spoof them for, at a minimum, the tripwire binary and its database
file(s).

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
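The point above, that a hook which lies about one digest still leaves every other digest in the database disagreeing, is easy to see in code. The following is an added illustration, not Tripwire's code and not part of the original message: a minimal multi-digest baseline/check in Python. It assumes md5, sha1, sha256 (hashlib) and crc32 (zlib) as a stand-in for Tripwire's longer algorithm list, uses two constructed files in a temporary directory, and models the "LKM that spoofs MD5" as a per-file `spoof` mapping that substitutes the recorded MD5 for a tampered file while leaving the other algorithms honest.

```python
"""Multi-digest file integrity check in the spirit of Tripwire 1.x.

Added example, not Tripwire's own code. Assumptions: four digests stand
in for Tripwire's full set; the monitored files are constructed in a
temp directory; a kernel-level MD5 spoofer is modelled as a dict that
overrides the reported value for named algorithms only.
"""
import hashlib
import os
import shutil
import tempfile
import zlib

# Stand-in for Tripwire's snefru/crc32/crc16/md4/md2/sha/haval/md5 list.
DIGESTS = ("md5", "sha1", "sha256", "crc32")


def digest_file(path, spoof=None):
    """Return {algorithm: hexdigest} for every algorithm in DIGESTS.

    `spoof` (constructed for the demo) maps algorithm -> value that an
    attacker's hook substitutes; all other algorithms are computed honestly.
    """
    with open(path, "rb") as f:
        data = f.read()
    out = {}
    for name in DIGESTS:
        if name == "crc32":
            out[name] = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
        else:
            out[name] = hashlib.new(name, data).hexdigest()
    if spoof:
        out.update(spoof)  # the hook lies about these algorithms only
    return out


def build_baseline(paths):
    """Record every digest of every monitored file (the 'database')."""
    return {p: digest_file(p) for p in paths}


def check(baseline, spoof_for=None):
    """Recompute digests and return {path: [algorithms that disagree]}.

    `spoof_for` maps path -> spoof dict, simulating a per-file hook.
    """
    findings = {}
    for path, recorded in baseline.items():
        spoof = spoof_for.get(path) if spoof_for else None
        current = digest_file(path, spoof)
        bad = [alg for alg in DIGESTS if current[alg] != recorded[alg]]
        if bad:
            findings[path] = bad
    return findings


def demo():
    """Create two constructed files, backdoor one, check honestly and spoofed.

    Returns (findings_without_spoof, findings_with_md5_spoof).
    """
    d = tempfile.mkdtemp()
    try:
        ls = os.path.join(d, "ls")
        login = os.path.join(d, "login")
        with open(ls, "wb") as f:
            f.write(b"original ls binary\n")        # constructed content
        with open(login, "wb") as f:
            f.write(b"original login binary\n")     # constructed content
        baseline = build_baseline([ls, login])

        # Attacker trojans login after the baseline was taken.
        with open(login, "ab") as f:
            f.write(b"backdoor\n")

        honest = check(baseline)
        # Hook returns the *recorded* MD5 for the trojaned file only.
        spoof = {login: {"md5": baseline[login]["md5"]}}
        spoofed = check(baseline, spoof)
        return honest, spoofed
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    honest, spoofed = demo()
    print("no spoof :", honest)    # all four digests disagree for .../login
    print("md5 spoof:", spoofed)   # sha1, sha256, crc32 still disagree
```

Running it shows the trojaned `login` flagged on all four digests with no spoofing, and still flagged on sha1, sha256 and crc32 when only the MD5 is spoofed. Defeating the check means spoofing every algorithm, and, as the message says, doing so for the checker and its database as well; this example does not cover that second half.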
