From owner-freebsd-security Sat Dec 12 06:23:16 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id GAA28668
    for freebsd-security-outgoing; Sat, 12 Dec 1998 06:23:16 -0800 (PST)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from heinlein.acpub.duke.edu (heinlein.acpub.duke.edu [152.3.233.9])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA28663
    for ; Sat, 12 Dec 1998 06:23:14 -0800 (PST)
    (envelope-from reese@chem.duke.edu)
Received: from louis.ourway.org (async249-65.async.duke.edu [152.3.249.65])
    by heinlein.acpub.duke.edu (8.8.5/Duke-4.6.0) with SMTP id JAA20886;
    Sat, 12 Dec 1998 09:18:51 -0500 (EST)
Message-Id: <1.5.4.32.19981212141849.00754fb8@chem.duke.edu>
X-Sender: reese@chem.duke.edu
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 12 Dec 1998 09:18:49 -0500
To: freebsd-security@FreeBSD.ORG
From: Charles Reese
Subject: Re: tripwire was Re: append-only devices for logging
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:45 PM 12/12/98 +0100, you wrote:
>On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
>> let me know when I've been compromised. As the tripwire approach (MD5 etc.)
>> seems to be pretty solid it seems to boil down to how do you prevent
>> tampering with it and at the same time keep the machine maintainable without
>> having to go to single user mode?
>
>Answer: You put it in the kernel (including code to transfer it to
>another machine, with some algorithm to make the transfer
>non-modifiable - e.g, shared secret and hash), make _only_ the kernel
>immutable using the schg flag, and go to single user mode when you
>need to upgrade the kernel.
>
>Eivind.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
>

Sounds like a great idea to me, the programming is over my head though. Do we have a volunteer? :-)

Cheers

Charlie Reese

One Unix to Rule them all, One Resolver to Find them,
One IP to Name them all, In the Zone that Binds them.
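
The "shared secret and hash" transfer described in the quoted message can be sketched in user space as an HMAC over a manifest of file digests. This is an added example, not code from the thread; it uses SHA-256 instead of the MD5 mentioned above, and the paths, file contents, secret and the sequence-number replay check are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: paths, contents and secret are illustrative only.
SECRET = b"constructed-shared-secret"
SAMPLE_FILES = {"/bin/login": b"login-binary-v1",
                "/etc/passwd": b"root:*:0:0::/root:/bin/sh\n"}

def digest_manifest(files):
    """Map each path to the SHA-256 digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def build_report(files, secret, seq):
    """Monitored host: serialize the manifest and MAC it with the shared secret."""
    body = json.dumps({"seq": seq, "manifest": digest_manifest(files)},
                      sort_keys=True).encode()
    return body, hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_report(body, tag, secret, baseline, last_seq):
    """Collector: check the MAC first, then freshness, then compare to the baseline."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad-mac", []          # modified in transit or wrong key
    report = json.loads(body)
    if report["seq"] <= last_seq:
        return "replayed", []         # an old, valid report sent again
    manifest = report["manifest"]
    changed = sorted(p for p in set(baseline) | set(manifest)
                     if baseline.get(p) != manifest.get(p))
    return ("changed" if changed else "ok"), changed

if __name__ == "__main__":
    baseline = digest_manifest(SAMPLE_FILES)
    body, tag = build_report(SAMPLE_FILES, SECRET, seq=1)
    print(verify_report(body, tag, SECRET, baseline, last_seq=0))
```

The collector's verdict is only trustworthy while the secret and the reporting code stay out of an intruder's reach, which is what keeping them in an schg-protected kernel is meant to provide in the quoted design.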