From: James Wyatt
To: Charles Reese
cc: freebsd-security@FreeBSD.ORG
Date: Thu, 10 Dec 1998 21:42:25 -0600 (CST)
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

James Wyatt rambled again:
> reboot? If I wanted to erase my tracks (and thought you might not know I
> was there or wanted to hide how long I'd been there), I could tamper with
> scripts to kill logs next bringup. Tripwire(tm) is nearly perfect
> for watching rc.* changes and such. Many of us just take the
> machine down, go '-s', blindly run our single-user-mode-admin-scripts,
> and go multiuser.

On Thu, 10 Dec 1998, Charles Reese wrote:
> Can tripwire be modified to compare two databases rather than one database
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.
This is a *great* idea! I had set the BIOS to boot w/o floppy and written the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB or 2.88MB, depending on how much you spend for a floppy drive. I guess a zip disk would work too, but I was given a parallel zip which seems to be unsupported on FreeBSD. 8{(

btw: You might implement this with something that, when called by the right host, performed a tripwire scan and dumped it back to the calling host. The calling host need not *receive* connects, just return the data. Of course, a cracker might just replace the program with one that returned the 'right' result, rather than perform the scan... I guess you could also replace the tripwire executables, but how do you protect tripwire from modification?

I kinda miss the drives on my old Tandy 6000 that I could write-protect by hand!

- Jy@
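The database-to-database comparison Charles asks about, as an added example that is not part of the original thread and not Tripwire's own code: a small tripwire-style database builder plus a comparison of two stored databases (the baseline kept on read-only media against the copy fetched from the remote host), with no reference to the live filesystem at comparison time. The TAB-separated database format, the function names and the sample entries are assumptions made for illustration.

```python
import hashlib
import os
import stat

def build_db(root):
    """Record (sha256, mode, size) per regular file, as 'tripwire -initialize' would on the remote host."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            db[os.path.relpath(path, root)] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return db

def dump_db(db):
    """Serialise as one line per file: path TAB sha256 TAB mode(octal) TAB size (assumed format)."""
    return "".join(f"{p}\t{h}\t{m:o}\t{s}\n" for p, (h, m, s) in sorted(db.items()))

def load_db(text):
    """Parse the format written by dump_db; blank lines and '#' comments are ignored."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            p, h, m, s = line.split("\t")
            db[p] = (h, int(m, 8), int(s))
    return db

def compare_db(baseline, current):
    """Diff two databases rather than a database against the live filesystem: the baseline sits on
    read-only media, the current one came from the remote host and is only as good as the scanner there."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

# Constructed sample databases (placeholder hashes, not real digests):
# etc/rc.conf was modified, bin/ls is gone and usr/bin/foo is new.
BASELINE_TXT = ("etc/rc\t" + "a" * 64 + "\t644\t1200\n" + "etc/rc.conf\t" + "b" * 64 + "\t644\t300\n"
                + "bin/ls\t" + "c" * 64 + "\t555\t40000\n")
CURRENT_TXT = ("etc/rc\t" + "a" * 64 + "\t644\t1200\n" + "etc/rc.conf\t" + "d" * 64 + "\t644\t310\n"
               + "usr/bin/foo\t" + "e" * 64 + "\t755\t100\n")
```

In practice the remote side runs build_db and ships dump_db's output home, and the local side runs compare_db against the baseline it loaded from read-only media.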