Date: Mon, 8 Dec 2003 13:35:01 +0100
From: jan.muenther@nruns.com
To: Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: Roger Marquis <marquis@roble.com>
Subject: Re: possible compromise or just misreading logs
Message-ID: <20031208123501.GA87554@ergo.nruns.com>
In-Reply-To: <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <20031207204521.195E9DAC92@mx7.roble.com> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk>
Hello,

> > No production environment should be without Tripwire (1.3 is my
> > favorite version). With the right wrapper script
> > <http://www.roble.com/docs/twcheck> and off-line backups it's
> > impossible to compromise a system without being detected.
>
> Unless there's another step you're not mentioning (eg, rebooting to an
> OS installed on a physically write-protected device, or remounting your
> drive on another machine with a trusted OS) "impossible" is probably too
> strong a term here.

Too strong? It's simply incorrect. It is very well possible to compromise a box and backdoor it without even touching the file system. To use an example from the Win32 world, a lot of the recent worms entirely lived in memory, and as for backdoors/rootkits, think of the now famous suckit... Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Moral of the story: Don't ever assume you're invincible due to some product or piece of software you run. Of course it makes sense to check the integrity of the system, but it's just one layer of security.

And also, Tripwire's not the only product out there; you may want to look at AIDE for an open source alternative. Tripwire sort of made me shake my head anyway, since their $$$ client/server suite transfers data from the client to the server in plain text... which is, erm, not exactly state of the art for a security product in 2003.

> There's an implicit trust in using a system to integrity-check itself.

Indeed.

Cheers,
Jan
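The thread is about what a Tripwire/AIDE-style integrity check does and does not buy you. As an added illustration (not code from the list or from either tool), here is the core of such a check: a baseline of content hashes plus the metadata these tools record, stored off-box, and a comparison run later. The directory and file contents are constructed for the demo; note that the checker reads files through the same kernel it is auditing, which is exactly the "implicit trust" the message points out.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Record what a baseline entry needs: content hash, size, permission bits, mtime."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Fingerprint every regular file below root (symlinks skipped); keys are relative paths."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline, current):
    """Diff two baselines: files added, removed, or whose content/metadata changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a tree, alter one file, add one, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        sbin = Path(d, "sbin")
        sbin.mkdir()
        (sbin / "login").write_bytes(b"constructed original binary\n")
        (sbin / "ls").write_bytes(b"constructed unchanged binary\n")
        # The baseline would live on read-only/off-line media; JSON stands in for that here.
        stored = json.dumps(build_baseline(d))
        (sbin / "login").write_bytes(b"constructed MODIFIED binary\n")
        (sbin / "extra").write_bytes(b"constructed new file\n")
        return compare(json.loads(stored), build_baseline(d))
```

A kernel-level hook that lies about file contents defeats this entirely, which is why the baseline belongs off-line and the check is best run from a trusted boot.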