From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 08:46:40 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 880DE16A4CE for ; Mon, 8 Dec 2003 08:46:40 -0800 (PST)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC42143FEC for ; Mon, 8 Dec 2003 08:46:27 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost.nic.fr [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id hB8GkQDa035170 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK CN=khavrinen.lcs.mit.edu issuer=SSL+20Client+20CA); Mon, 8 Dec 2003 11:46:26 -0500 (EST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id hB8GkQIX035167; Mon, 8 Dec 2003 11:46:26 -0500 (EST) (envelope-from wollman)
Date: Mon, 8 Dec 2003 11:46:26 -0500 (EST)
From: Garrett Wollman
Message-Id: <200312081646.hB8GkQIX035167@khavrinen.lcs.mit.edu>
To: Roger Marquis
In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com>
X-Spam-Score: -19.8 () IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES
X-Scanned-By: MIMEDefang 2.37
X-Mailman-Approved-At: Tue, 09 Dec 2003 07:43:38 -0800
cc: freebsd-security@freebsd.org
Subject: Re: possible compromise or just misreading logs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 08 Dec 2003 16:46:40 -0000

< said:
> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Trivial -- all you have to do is keep backup copies of all the files
replaced, and have the kernel redirect tripwire's access to the
originals.

-GAWollman
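The exchange above turns on what a file-integrity check like tripwire can and cannot tell you: stacking more hash algorithms does not help if the kernel doing the reads is itself compromised, because every algorithm is fed the same substituted bytes. The added example below (not part of the thread, and not tripwire's own code) is a minimal tripwire-style checker in Python: it records several digests per file and protects the database with an HMAC under a key that is assumed to be kept offline. It detects an ordinary on-disk replacement and a tampered database, but, as Wollman's reply points out, a verdict from it is only meaningful when the check runs on a trusted kernel, e.g. after booting from read-only media and mounting the suspect filesystem. The sample files, key and paths are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Several algorithms, as in the quoted message; the point of the thread is that
# this multiplicity buys nothing against a kernel that redirects the reads.
ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_database(paths, key):
    """Hash every path and seal the result with an HMAC under an offline key."""
    entries = {p: file_digests(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_database(db, key):
    """True if the database body matches its HMAC (i.e. was not edited)."""
    body = json.dumps(db["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, db["hmac"])


def check_files(db, key):
    """Return the list of paths whose current digests differ from the database.

    Assumption: this runs on a trusted kernel. On a compromised host the
    open()/read() calls can be answered with the attacker's backup copies,
    and every algorithm below will then agree that nothing changed.
    """
    if not verify_database(db, key):
        raise ValueError("integrity database tampered with, or wrong key")
    changed = []
    for path, stored in db["entries"].items():
        if not os.path.exists(path) or file_digests(path) != stored:
            changed.append(path)
    return changed


def demo():
    """Constructed scenario: baseline a file, replace it, re-check."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "bin_ls")  # constructed stand-in for /bin/ls
    with open(target, "wb") as fh:
        fh.write(b"original binary contents\n")
    key = b"constructed-offline-hmac-key"   # in practice kept off the host

    db = build_database([target], key)
    before = check_files(db, key)           # expect [] : nothing changed yet

    with open(target, "wb") as fh:          # plain on-disk replacement
        fh.write(b"replaced binary contents\n")
    after = check_files(db, key)            # expect [target]

    # An attacker editing the database to match is caught by the HMAC.
    forged = {"entries": {target: file_digests(target)}, "hmac": db["hmac"]}
    forged_ok = verify_database(forged, key)  # expect False
    return before, after, forged_ok


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the three results. The HMAC stops an attacker who can only write to disk from regenerating the database, but it does nothing against the scenario in the reply, where the kernel hands the checker the original bytes; that is why integrity databases and the verifier are meant to live on, and run from, media the running system cannot influence.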