Re: 90% of Linux Systems Have Never Been Infected ...

From: Royce Williams <royce@alaska.net>
Date: Wed Jul 28 2004 - 14:41:31 AKDT

On 7/28/2004 2:11 PM, Matthew Schumacher wrote:

> While I agree with this, there is a way that you can be pretty darn sure
> you have not been compromised. If you install tripwire, learn to use it
> correctly, then meticulously audit every change on the system you can
> say with reasonable certainty that the system has not had any
> unauthorized changes. It's a huge pain, but it does work.

Unfortunately, there are techniques to modify kernels to get in the
middle of the system calls that ask for filesystem data, and pass
arbitrary answers back to those calls. This can neatly circumvent
most of Tripwire, since Tripwire relies on the operating system to
stat the file. Even the multiple checksums that Tripwire uses
can be planned for, if the file being replaced can be predicted and
has known checksums (in theory). I'm sorta talking through my hat
here, as I've never seen any of this in practice, but that's how it's
been explained to me.

I'm a big fan of Tripwire, but I have to agree with you when you say
"reasonable certainty" -- for sufficiently small values of "certainty".
:) I use Tripwire more to tell which *authorized* changes have taken
place on the box -- patches, etc. -- than to be assured that
(no Tripwire changes) == (no changes).

-royce

-- 
------------------------------------------------------------------------
Royce D. Williams                                  - IP Engineering, ACS
personal: [first]@alaska.net                    - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net           - http://www.tycho.org/royce/
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Jul 28 14:41:12 2004

This archive was generated by hypermail 2.1.8 : Wed Jul 28 2004 - 14:41:12 AKDT
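The point Royce makes above (a hook sitting between the integrity checker and the filesystem can hand back whatever answers it likes, so the checker's own checksums never come into play) is easy to show in user space. The example below is added here and is not part of Royce's message or the AKLUG thread. It builds a small Tripwire-style baseline (several digests plus the stat size per file), trojans a file, and runs the check twice: once honestly, and once under a hook. Python monkeypatching of the built-in open() and os.stat() stands in for a kernel syscall hook; the file name, its contents and the "trojan" bytes are all constructed for the demonstration.

```python
"""Added example: a Tripwire-style file check fooled by an interposed hook.

The hook here patches Python's open()/os.stat(); a kernel rootkit does the
same thing one layer down, to the stat/read syscalls the real Tripwire uses.
"""
import builtins
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")   # Tripwire likewise records several digests


def file_digests(path):
    """Read the file through the OS and record digests plus the stat size.
    (Real Tripwire also records mtime, inode, mode, ...; a hook can lie about
    those in exactly the same way, so they are omitted here for brevity.)"""
    with open(path, "rb") as f:
        data = f.read()
    rec = {a: hashlib.new(a, data).hexdigest() for a in ALGOS}
    rec["size"] = os.stat(path).st_size
    return rec


def build_baseline(paths):
    return {p: file_digests(p) for p in paths}


def check(baseline):
    """Return the paths whose current digests differ from the baseline."""
    return [p for p, rec in baseline.items() if file_digests(p) != rec]


class SyscallHook:
    """Stand-in for a kernel hook on the file-access syscalls.

    While active, open(path, 'rb') and os.stat(path) for the one hooked path
    return the *original* bytes and size instead of what is on disk. Every
    other path and every other open mode pass straight through.
    """

    def __init__(self, path, original):
        self.path = os.path.abspath(path)
        self.original = original
        self._open, self._stat = builtins.open, os.stat

    def _is_target(self, p):
        return (isinstance(p, (str, bytes, os.PathLike))
                and os.path.abspath(os.fsdecode(p)) == self.path)

    def _fake_open(self, file, mode="r", *args, **kwargs):
        if self._is_target(file) and "r" in mode and "b" in mode:
            return io.BytesIO(self.original)        # serve the old content
        return self._open(file, mode, *args, **kwargs)

    def _fake_stat(self, path, *args, **kwargs):
        st = self._stat(path, *args, **kwargs)
        if self._is_target(path):
            fields = list(st)                       # 10 sequence fields
            fields[6] = len(self.original)          # st_size: lie about size
            return os.stat_result(tuple(fields))
        return st

    def __enter__(self):
        builtins.open, os.stat = self._fake_open, self._fake_stat
        return self

    def __exit__(self, *exc):
        builtins.open, os.stat = self._open, self._stat


def demo():
    """Baseline a file, trojan it, then check with and without the hook.
    Returns (detected_without_hook, detected_with_hook)."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "ls")                # constructed "binary"
    original = b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n"   # constructed
    trojan = original + b"# (backdoor would go here)\n"   # constructed
    with open(target, "wb") as f:
        f.write(original)
    baseline = build_baseline([target])

    with open(target, "wb") as f:                   # the "rootkit" replaces it
        f.write(trojan)
    honest = check(baseline)                        # sees the real file
    with SyscallHook(target, original):
        lying = check(baseline)                     # sees what the hook says
    return bool(honest), bool(lying)


if __name__ == "__main__":
    print(demo())   # (True, False): caught honestly, missed under the hook
```

Two things worth noticing. The hook never needs a checksum collision: it simply serves the pre-replacement bytes, so adding more or stronger digests to the checker changes nothing. And the defence follows from the same observation: the comparison has to be made from a kernel the attacker does not control, for example by booting known-good media, mounting the disk read-only and running the check (with a baseline kept off the box) from there.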