Date: Thu, 20 Jun 2002 01:17:04 -0400
From: Klaus Steden
To: Maxlor
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: preventing tampering with tripwire
Message-ID: <20020620011704.G589@cthulu.compt.com>
References: <27700541.1024450071@[10.0.0.16]> <2799555.1024487443@[10.0.0.16]>
In-Reply-To: <2799555.1024487443@[10.0.0.16]>; from mail@maxlor.com on Wed, Jun 19, 2002 at 11:50:43AM +0200

> Putting the tripwire binary on an external, read only drive doesn't help.
> As I mentioned, an attacker who gained root could simply unmount the disk
> and place a tampered copy into the mountpoint dir. I would only notice this
> if I happened to have a closer look at df *and* the attacker was nice
> enough not to modify df too.

True, but that doesn't make it useless - nor was it suggested as a whole
solution - only part of a number of steps. It does offer you a set of tools
that are guaranteed reliable, though, which is a godsend at times like that.

Klaus