[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hi -tripwire

On Sat, Sep 30, 2000 at 10:05:56PM +0500, Bob Bernstein wrote:

> The commercial version of Tripwire that supplanted the 'academic'
> version has made all of this much easier, in that Tripwire now encrypts
> all of its data files. There isn't a need to keep them off the machine
> they're protecting.

Encrypting the checksum database does not solve the problem at all.
If an attacker rooted the machine, he can change it in a way that is
not detectable from withing that system. Have you ever heard about
"stealth virii"? An attacker can patch the system at different levels
to make file contents appear different from what they really are, while
the malicious code is active.

The only reliable way to verify the system is from the outside,
mounting the partitions from a clean system, carefully avoiding running
any executables from the compromised partitions. That's the reason why
virus scanning is done from a clean boot disk, for instance.

Encryption is merely security by obscurity in this case. How is the
database encrypted? If you run tripwire from within the compromised
system, the de-/encryption key is compromised as well, since it's
readable to root from memory.

This is not as far-fetched as it might seem, it has happened before.
If you suspect a machine to be compromised, you may not trust ANY
information that you get from within that system.