From owner-freebsd-security Thu Jun 20 16:17:11 2002
Message-ID: <3D126270.5050604@earthlink.net>
Date: Thu, 20 Jun 2002 16:17:04 -0700
From: Lawrence Sica
To: Klaus Steden
Cc: Maxlor, "freebsd-security@FreeBSD.ORG"
Subject: Re: preventing tampering with tripwire
References: <27700541.1024450071@[10.0.0.16]> <2799555.1024487443@[10.0.0.16]> <20020620011704.G589@cthulu.compt.com>

Klaus Steden wrote:

>> Putting the tripwire binary on an external, read only drive doesn't help.
>> As I mentioned, an attacker who gained root could simply unmount the disk
>> and place a tampered copy into the mountpoint dir. I would only notice this
>> if I happened to have a closer look at df *and* the attacker was nice
>> enough not to modify df too.

http://www.phrack.org/show.php?p=51&a=9

The above URL is a decent article about ways to bypass systems. Sure it's from 1997, but it still has good insights and information.

--Larry
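A defender-side check for the scenario quoted above, added here as an example and not code from the thread: instead of eyeballing df, compare the device number of the mount point with that of its parent directory, since a directory only becomes a mount point when a filesystem is mounted over it. The paths and the `demo()` temp directory are constructed placeholders; the check relies on the kernel's stat(2)/statvfs(2), which a root-level attacker can also subvert, so it is most trustworthy when run from separately booted, known-good media.

```python
import os
import tempfile
from pathlib import Path


def is_mountpoint(path):
    """True only if `path` is the root of a mounted filesystem.

    If the read-only drive was unmounted and a tampered binary dropped into
    the bare directory, the directory and its parent share one st_dev and
    this returns False.
    """
    p = Path(path).resolve()
    if p.parent == p:  # the filesystem root is always a mount point
        return True
    return os.stat(p).st_dev != os.stat(p.parent).st_dev


def is_readonly_mount(path):
    """True if the filesystem holding `path` is mounted read-only."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def check_tripwire_mount(binary, expected_mount):
    """Return a list of findings; an empty list means the binary sits on a
    read-only mount at the expected location."""
    findings = []
    if not is_mountpoint(expected_mount):
        findings.append(f"{expected_mount} is not a mount point: the media may have been unmounted")
    elif not is_readonly_mount(expected_mount):
        findings.append(f"{expected_mount} is mounted but writable")
    real_bin = os.path.realpath(binary)
    real_mount = os.path.realpath(expected_mount)
    if not real_bin.startswith(real_mount.rstrip(os.sep) + os.sep):
        findings.append(f"{binary} does not resolve to a path under {expected_mount}")
    return findings


def demo():
    """Constructed scenario: a plain directory standing in for an unmounted
    mount point, with a 'tripwire' file dropped into it."""
    d = tempfile.mkdtemp(prefix="tw-mount-")
    fake = os.path.join(d, "tripwire")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\n")  # stand-in for a tampered binary
    return check_tripwire_mount(fake, d)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```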