From: Thomas Valentino Crimi <tcrimi+@andrew.cmu.edu>
To: security@FreeBSD.ORG
Date: Sat, 12 Dec 1998 02:34:16 -0500 (EST)
Subject: Re: tripwire was Re: append-only devices for logging
Message-ID: <8qQVls_00YUq0lKqg0@andrew.cmu.edu>

Excerpts from FreeBSD-Security: 11-Dec-98 Re: tripwire was Re: append.. by Roger Marquis@roble.com

>> how do you protect tripwire from modification?
>
> We keep the entire tripwire directory encrypted when not in use.

This latest discussion has had me toying with the idea of an NFS R/O mount for tripwire use; it has the obvious advantage of complete protection for tripwire and its datafiles. The main points of weakness that need to be addressed are:

  - You need to trust your mount_nfs command, as well as the kernel.
  - Making sure the remote connection isn't tampered with.

You can load mount_nfs off a floppy, and, in general, I think that having to trust the kernel is a necessity. Where I begin to doubt is what to do for the network connection. I'm uncertain how feasible an attack on the network is, but UDP mode seems especially vulnerable to a hacked machine injecting data; I'm not sure how NFS would react to this at all. It would appear to be a good medium security measure; a network attack seems infeasible, or at least easily detectable were it to exist. Forwarding TCP NFS over ssh is tempting, but then you have to trust ssh (etc).

Any comments on this?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
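An added example, not part of this post or of any FreeBSD or tripwire code: a small Python audit of fstab-style entries that flags the weaknesses the post raises for an NFS-mounted tripwire tree (a writable export, a transport that is not explicitly TCP, set-uid honoured on the export, and a soft mount that can silently truncate a check). The host name, paths and sample lines are constructed for illustration; the option spellings (`ro`, `rw`, `tcp`, `udp`, `nosuid`, `soft`, `hard`) follow FreeBSD's mount_nfs(8) and are an assumption about the platform the audit runs on.

```python
"""Audit fstab-style NFS entries for a read-only tripwire export.

Constructed example, not code from the FreeBSD-Security thread: the host,
paths and sample lines are made up. Option names follow FreeBSD's
mount_nfs(8) (ro, rw, tcp, udp, nosuid, soft, hard), an assumption about
the platform this is run on.
"""

# Constructed fstab: a local root, one weak NFS entry (writable, UDP, soft)
# and one hardened NFS entry (read-only, TCP, nosuid, hard).
FSTAB_SAMPLE = """\
# Device                              Mountpoint      FStype  Options              Dump Pass
/dev/ad0s1a                           /               ufs     rw                   1    1
twhost.example.net:/export/tw-weak    /mnt/tw-weak    nfs     rw,udp,soft          0    0
twhost.example.net:/export/tripwire   /mnt/tripwire   nfs     ro,tcp,nosuid,hard   0    0
"""


def parse_fstab(text):
    """Return (device, mountpoint, fstype, options-set) for each entry line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; fstab needs at least four fields
        device, mountpoint, fstype = fields[:3]
        options = set(fields[3].split(","))
        entries.append((device, mountpoint, fstype, options))
    return entries


def audit_nfs_entry(options):
    """Return a list of findings for one NFS option set (empty means OK)."""
    findings = []
    if "ro" not in options or "rw" in options:
        findings.append("writable mount: a compromised client could alter "
                        "tripwire or its database")
    if "udp" in options or "tcp" not in options:
        findings.append("transport not pinned to tcp: falls back to the platform "
                        "default, which may be UDP and is easier to inject into")
    if "nosuid" not in options:
        findings.append("missing nosuid: set-uid binaries on the export would be honoured")
    if "soft" in options:
        findings.append("soft mount: I/O errors during a check can yield a partial run")
    return findings


def audit_fstab(text):
    """Map each NFS mountpoint in the fstab text to its findings."""
    report = {}
    for _device, mountpoint, fstype, options in parse_fstab(text):
        if fstype == "nfs":
            report[mountpoint] = audit_nfs_entry(options)
    return report


if __name__ == "__main__":
    for mountpoint, findings in audit_fstab(FSTAB_SAMPLE).items():
        print(f"{mountpoint}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real /etc/fstab by passing the file contents to audit_fstab(); the point of the check is that the mount protects tripwire only while the export stays read-only on the server side and the client cannot be talked into remounting it, which is exactly the mount_nfs and kernel trust the post describes.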