Message-ID: <19981212144557.O5444@follo.net>
Date: Sat, 12 Dec 1998 14:45:57 +0100
From: Eivind Eklund
To: Charles Reese, freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
References: <1.5.4.32.19981211125822.006d10e8@chem.duke.edu>
In-Reply-To: <1.5.4.32.19981211125822.006d10e8@chem.duke.edu>; from Charles Reese on Fri, Dec 11, 1998 at 07:58:22AM -0500

On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
> let me know when I've been compromised. As the tripwire approach (MD5 etc.)
> seems to be pretty solid it seems to boil down to how do you prevent
> tampering with it and at the same time keep the machine maintainable without
> having to go to single user mode?

Answer: You put it in the kernel (including code to transfer it to
another machine, with some algorithm to make the transfer
non-modifiable - e.g., shared secret and hash), make _only_ the kernel
immutable using the schg flag, and go to single user mode when you
need to upgrade the kernel.

Eivind.
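The "shared secret and hash" transfer suggested in the reply above, sketched as an added example that is not part of the original message or of any FreeBSD code. It runs in user space rather than in the kernel, uses HMAC-SHA256 as the keyed hash and SHA-256 in place of MD5, and adds a sequence number to reject replayed reports; those choices, all function and class names, and the sample data are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

def file_digests(files):
    """Tripwire-style snapshot: map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}

def seal_report(secret, seq, digests):
    """Sender side: serialize the report and append an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "digests": digests}, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag

class Collector:
    """Receiver side: verify the tag, reject replays, diff against the baseline."""
    def __init__(self, secret, baseline):
        self.secret, self.baseline, self.last_seq = secret, baseline, -1

    def accept(self, message):
        body, sep, tag = message.rpartition(b"\n")
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()
        if not sep or not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")
        report = json.loads(body)
        if report["seq"] <= self.last_seq:
            return ("rejected", "stale sequence number")
        self.last_seq = report["seq"]
        paths = set(self.baseline) | set(report["digests"])
        changed = sorted(p for p in paths if self.baseline.get(p) != report["digests"].get(p))
        return ("ok", changed)

# Constructed sample data: byte strings stand in for file contents read from disk.
SECRET = b"constructed-demo-secret"
CLEAN = {"/kernel": b"kernel image v1", "/bin/login": b"login v1"}
TROJANED = {"/kernel": b"kernel image v1", "/bin/login": b"login v1, modified"}

def demo():
    collector = Collector(SECRET, file_digests(CLEAN))
    first = seal_report(SECRET, 1, file_digests(CLEAN))
    second = seal_report(SECRET, 2, file_digests(TROJANED))
    forged = seal_report(b"wrong-secret", 3, file_digests(CLEAN))
    return [collector.accept(first), collector.accept(second),
            collector.accept(first), collector.accept(forged)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```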