From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 09:26:07 2003
Date: Mon, 08 Dec 2003 09:31:55 -0800
From: Steve Francis
To: jan.muenther@nruns.com
cc: freebsd-security@freebsd.org
cc: Roger Marquis
Subject: Re: possible compromise or just misreading logs
Message-ID: <3FD4B58B.9020308@expertcity.com>
In-Reply-To: <20031208164804.GA92121@ergo.nruns.com>

jan.muenther@nruns.com wrote:

>>> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
>>
>> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
>> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
>> spoof them for, at a minimum, the tripwire binary and its database
>> file(s).
>

And just adding my voice to the "tripwire is good to run, but not a panacea" argument: if a machine gets a KLM loaded in a compromise, there is no way tripwire can be assured it is verifying the binary it asks the kernel for information about. Nothing to stop the compromised kernel returning the original binary for all requests, except for those needed to do Evil.

If you get a root compromise so that a KLM can be loaded, all bets are off. Short of that, I think tripwire makes it very very hard to change files on a system w/o being detected. As long as that is all the faith you put in tripwire, and use it to verify just that purpose and no more, it's great, and it (or something like it, like AIDE) is essential.
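The two points made in this exchange, that a tripwire-style checker records several digests per file (plus the database itself) and that it still depends on the kernel returning honest file contents, can be shown with a small checker. The following is an added example, not code from the thread, from tripwire or from AIDE; it uses a constructed scenario in a temporary directory, the digest set `md5/sha1/sha256` (not tripwire's actual list), and a `read_fn` hook that stands in for the kernel read path so the "lying kernel" case can be simulated in userland.

```python
"""Minimal tripwire-style integrity checker: build a baseline, then verify.

Added example. The read_fn hook is a stand-in for the kernel's read path so
the thread's caveat (a compromised kernel returning original bytes to the
checker) can be demonstrated without a kernel module.
"""
import hashlib
import json
import os
import tempfile

# Several digests per file, as the thread notes: forging one is not enough.
ALGORITHMS = ("md5", "sha1", "sha256")


def _read_file(path):
    """Honest read path: whatever the kernel hands back for this file."""
    with open(path, "rb") as fh:
        return fh.read()


def digest_file(path, read_fn=None):
    """Return {algorithm: hexdigest} for the contents that read_fn reports."""
    data = (read_fn or _read_file)(path)
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def build_baseline(paths, read_fn=None):
    """Record size, mode and digests for each path."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"size": st.st_size, "mode": st.st_mode,
                          "digests": digest_file(path, read_fn)}
    return baseline


def save_baseline(baseline, db_path):
    """Write the database and return its digests; a real deployment keeps
    those (and the checker binary's digests) somewhere the host cannot alter."""
    with open(db_path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)
    return digest_file(db_path)


def load_baseline(db_path, expected_db_digests):
    """Refuse to trust a database whose own digests no longer match."""
    if digest_file(db_path) != expected_db_digests:
        raise RuntimeError("baseline database was modified")
    with open(db_path) as fh:
        return json.load(fh)


def verify(baseline, read_fn=None):
    """Return a list of (path, reason) findings; empty means clean."""
    findings = []
    for path, entry in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        if st.st_size != entry["size"]:
            findings.append((path, "size changed"))
        if st.st_mode != entry["mode"]:
            findings.append((path, "mode changed"))
        current = digest_file(path, read_fn)
        changed = [a for a in ALGORITHMS if current[a] != entry["digests"][a]]
        if changed:
            findings.append((path, "digest mismatch: " + ",".join(changed)))
    return findings


def demo():
    """Constructed scenario: baseline two files, replace one with a same-size
    trojan, then verify once with honest reads and once through a read path
    that returns the original bytes (the compromised-kernel case)."""
    tmp = tempfile.mkdtemp()
    ls_path = os.path.join(tmp, "ls")
    ps_path = os.path.join(tmp, "ps")
    originals = {ls_path: b"original ls contents", ps_path: b"original ps contents"}
    for path, data in originals.items():
        with open(path, "wb") as fh:
            fh.write(data)
    db_path = os.path.join(tmp, "tw.db")
    db_digests = save_baseline(build_baseline([ls_path, ps_path]), db_path)

    clean = verify(load_baseline(db_path, db_digests))
    with open(ps_path, "wb") as fh:          # same length, different bytes
        fh.write(b"trojaned ps contents")
    honest = verify(load_baseline(db_path, db_digests))
    # Simulated lying kernel: hand the checker the original bytes for every
    # baselined file; anything else (e.g. the database) is read normally.
    lying_read = lambda p: originals.get(p, _read_file(p))
    fooled = verify(load_baseline(db_path, db_digests), read_fn=lying_read)
    return clean, honest, fooled


if __name__ == "__main__":
    for label, result in zip(("clean", "honest", "fooled"), demo()):
        print(label, result)
```

The honest pass reports the trojaned file on all three digests even though its size is unchanged, while the pass through the lying read path reports nothing at all, which is exactly the limit the thread describes: a userland checker can only be as honest as the kernel it asks.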