Date:      Fri, 11 Dec 1998 09:27:03 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Charles Reese <reese@chem.duke.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: tripwire was Re: append-only devices for logging
Message-ID:  <Pine.BSF.3.96.981211091935.24203A-100000@fledge.watson.org>
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

My only concern about tripwire is that it may inspire too much confidence. 
You don't get the smart ones with tripwire, only the script kiddies.  And
any time someone releases a better script-kiddie-tool, you miss them also. 

The real solution is presumably a combination of securelevels and readonly
media for your binaries, not to mention bug-free OS software, etc.  That
and physical access to the machine to replace the read-only media when you
perform upgrades :).  The next closest thing is using a serial console and
access to the kernel to mediate return to a non-securelevel to allow
modification of key system binaries and config files without the
intervention of schg; unless you protect against use of the debugger, root
can always hijack your applications if you have some process-invoked
mechanism for getting to single user mode otherwise.  Of course, all that
(the exploit) is real hard to program the first time--but once it's been
done once or twice, someone is going to release the code to automate it
:). 

A smart hacker doesn't trojan login or inetd in a noticeable way; there are
plenty of ways to modify it without md5 checksums catching you, or to
get at the data other ways. 

Don't let this stop you from using tripwire; just be aware that tripwire
isn't the last word in intrusion detection :).

On Thu, 10 Dec 1998, Charles Reese wrote:

> At 01:12 PM 12/10/98 -0600, you wrote:
> >> Jim Yuill wrote:
> >> I've been looking for an append-only device for logging, which a remote
> >> hacker (with root access) can not erase or alter.  Other than a
> >> line-printer, are there any such devices that actually work with Unix?  
> >
> >On Thu, 10 Dec 1998, Mark Newton wrote:
> >> Files fit the bill on FreeBSD.  Set your securelevel to 2 and
> >> apply the "sappnd" flag (using chflags) to any files you wish
> >> to set as "append-only".  Not even root can remove the append-only
> >> flag unless first bringing the system to a lower security level,
> >> which requires physical access to the console for single user mode
> >> operation.
> >
> >For the truly paranoid: How many of you audit your system scripts on
> >reboot? If I wanted to erase my tracks (and thought you might not know I
> >was there or wanted to hide how long I'd been there), I could tamper with
> >scripts to kill logs next bringup. <PLUG>Tripwire(tm) is nearly perfect
> >for watching rc.* changes and such.</PLUG> Many of us just take the 
> >machine down, go '-s', blindly run our single-user-mode-admin-scripts, 
> >and go multiuser.
> >
> >This does have better logging bandwidth than serial/parallel port 
> >logging, though. (^_^) Jy@
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
> >
> >
> Can tripwire be modified to compare two databases rather than one database
> and the current files?  I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media.  It is not
> possible for me to use read-only media on the remote machine.
> 
> Cheers
> Charlie Reese
> One Unix to Rule them all, One Resolver to Find them,
> One IP to Name them all, In the Zone that Binds them.
> 
> 
> 


  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/




