From owner-freebsd-security Wed Jun 19 5:18:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 7152B37B40D for ; Wed, 19 Jun 2002 05:18:18 -0700 (PDT) Received: (qmail 22914 invoked by uid 1000); 19 Jun 2002 12:18:12 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Jun 2002 12:18:12 -0000 Date: Wed, 19 Jun 2002 05:18:11 -0700 (PDT) From: Jason Stone X-X-Sender: To: Maxlor Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: preventing tampering with tripwire In-Reply-To: <2799555.1024487443@[10.0.0.16]> Message-ID: <20020619050434.Q19920-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Why do I like this solution a lot? Even if my system was rooted, and > the attacker had enough skills to replace each binary with a > compromised version that would look the same to me, he couldn't do so > without dropping to single user mode. And since he'd have to have > physical access to the machine for that, I think I can say the machine > gained some reasonable security against rootkits overall. A couple of random thoughts: 1) All the 31337 rootkits use kld's and don't bother with trojans, and, as has already been pointed out on this list, /modules/* are _not_ set schg bu default. 2) FYI, at least two independent groups have implemented the equivalent of tripwire in the kernel - the kernel does something like read in the sha1 sums at boot time and then every time a binary is run, its sha1 is computed and, if it doesn't match the in-memory sha1 from boot time, the binary will not be run. http://www.trojanproof.org/ is one project and the other I don't remember, but a quick slashdot or google search would turn it up I'm sure. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9EHaEswXMWWtptckRAoD9AKDB3JZ5z7KcjXd3cfHuvdD0FUVTawCgnyeS p25Ezk9d56oHVCKrsGK2h5k= =3ABc -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message