From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 08:50:22 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D87EF16A4CE for ; Mon, 8 Dec 2003 08:50:22 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id D752743FCB for ; Mon, 8 Dec 2003 08:50:20 -0800 (PST) (envelope-from jan.muenther@nruns.com)
Received: from [212.227.126.179] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1ATOaS-0003IW-00; Mon, 08 Dec 2003 17:50:20 +0100
Received: from [212.202.65.240] (helo=ergo.nruns.com) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1ATOaS-0003TL-00; Mon, 08 Dec 2003 17:50:20 +0100
Received: by ergo.nruns.com (Postfix, from userid 1001) id DF8F2CF; Mon, 8 Dec 2003 17:48:05 +0100 (CET)
Date: Mon, 8 Dec 2003 17:48:04 +0100
From: jan.muenther@nruns.com
To: Roger Marquis
Message-ID: <20031208164804.GA92121@ergo.nruns.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com>
User-Agent: Mutt/1.4i
cc: freebsd-security@freebsd.org
Subject: Re: possible compromise or just misreading logs
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 08 Dec 2003 16:50:23 -0000

> Sure, unless you're running an Orange book A level system it's
> impossible to secure anything. But that's a rhetorical argument.

I guess you misunderstood me here. I wasn't arguing that any system can be broken into - true, but not the point here - but that it's possible to do it without getting noticed, even if you run Tripwire or a similar product.

> We're talking about filesystems here.

Well, okay - if we focus on that point alone, Tripwire surely does a good job. I was just opposing the apodictic statement that it's impossible to break into a system without Tripwire triggering an alert. I wasn't saying that it's superfluous to run, just that you shouldn't neglect all other possible and necessary security measures around it.

Again, don't get me wrong, I'm not one of the bigots who likes to slag off any security safeguard by saying it can be circumvented. All I was stating is that even when you have all that in place, you should still stick to best practices in every other regard.

> > Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Guess that depends on the Tripwire version, too... see
http://www.phrack.com/show.php?p=43&a=14

Cheers, J.
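The exchange above turns on two properties of a Tripwire-style checker: it records several digests per file, so faking only MD5 does not make a changed file match, and the checker's own database has to be protected or an intruder simply rewrites it to match the trojaned binaries. The following is an added example written for this archive page, not code from Tripwire or from either poster. It replaces the filesystem with a constructed in-memory dict of path to bytes, uses md5/sha1/sha256/crc32 rather than Tripwire's exact algorithm set, and seals the baseline with an HMAC whose key is assumed to live off the host (the `demo()` scenarios and the key string are constructed). It shows the digest comparison and database sealing only; a kernel-resident rootkit that lies to every userland read of a file, which is the poster's actual concern, defeats any user-space checker regardless of how many digests it records.

```python
"""Tripwire-style multi-digest integrity check with a sealed baseline (added example)."""
import hashlib
import hmac
import json
import zlib

# Digests recorded per file. Faking one of them (e.g. MD5) leaves the others mismatched.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Return every recorded digest of a file's contents, keyed by algorithm name."""
    out = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    out["crc32"] = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
    return out


def build_baseline(tree: dict) -> dict:
    """tree maps path -> file bytes (stands in for walking a real filesystem)."""
    return {path: digests(data) for path, data in sorted(tree.items())}


def seal(baseline: dict, key: bytes) -> dict:
    """Attach an HMAC so the baseline cannot be silently rewritten on the host."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def compare(baseline: dict, tree: dict) -> list:
    """Report added, missing and changed files; a change names every disagreeing digest."""
    findings = []
    for path, recorded in baseline.items():
        if path not in tree:
            findings.append(f"{path}: missing")
            continue
        current = digests(tree[path])
        bad = [alg for alg in recorded if recorded[alg] != current[alg]]
        if bad:
            findings.append(f"{path}: changed ({', '.join(bad)})")
    for path in tree:
        if path not in baseline:
            findings.append(f"{path}: added")
    return findings


def verify(sealed: dict, key: bytes, tree: dict) -> list:
    """Check the database MAC first, then the files. Empty list means clean."""
    payload = json.dumps(sealed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        return ["database: MAC mismatch (tampered or wrong key)"]
    return compare(sealed["baseline"], tree)


def demo() -> dict:
    """Constructed scenarios; returns the findings of each one."""
    key = b"offline-key-kept-on-read-only-media"  # assumption: not stored on the host
    clean = {  # constructed stand-in for the filesystem
        "/bin/ls": b"ELF\x02 clean ls image",
        "/sbin/init": b"ELF\x02 clean init image",
        "/usr/local/sbin/tripwire": b"ELF\x02 checker binary",
    }
    sealed = seal(build_baseline(clean), key)
    results = {"clean": verify(sealed, key, clean)}

    # 1. A trojaned ls: every digest differs, so the file is reported.
    trojaned = {**clean, "/bin/ls": b"ELF\x02 trojaned ls image"}
    results["trojaned"] = verify(sealed, key, trojaned)

    # 2. The intruder also rewrites the database to match the trojan but lacks the key:
    #    the MAC on the database fails before any file is compared.
    forged = dict(sealed, baseline=build_baseline(trojaned))
    results["forged_db"] = verify(forged, key, trojaned)

    # 3. Only the MD5 entry is faked (what an MD5-spoofing tool achieves) against an
    #    unsealed database: the remaining digests still disagree.
    unsealed = build_baseline(clean)
    unsealed["/bin/ls"]["md5"] = hashlib.md5(trojaned["/bin/ls"]).hexdigest()
    results["md5_only"] = compare(unsealed, trojaned)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'clean'}")
```

The order of checks in `verify()` is deliberate: if the database itself is not trusted, per-file results mean nothing, which is why the quoted reply lists "the tripwire binary and its database file(s)" as the minimum an intruder has to cover.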