[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hi -tripwire

On Sat, Sep 30, 2000 at 04:06:17PM -0400, Bob Bernstein wrote:
> On Sat, Sep 30, 2000 at 08:49:50PM +0200, Daniel Hartmeier wrote:
> > Encrypting the checksum database does not solve the problem at all.
> > If an attacker rooted the machine, he can change it in a way that is
> > not detectable from withing that system. Have you ever heard about
> > "stealth virii"? 
> Take it up with Tripwire. Here's what they say, direct quotes from their
> literature:
> "File Integrity Verification - Four message digest algorithms available to
> determine if files have been modified. One or more algorithms can be used to
> provide complete assurance of the integrity of the monitored files."


> Ok, "complete assurance" is a tad stronger than "effectively eliminate."
> Chalk that one up to the marketing weasels. But I would like to see any
> reports you have of this version of Tripwire being hacked in the wild. That
> you can give a theoretically plausible scenario doesn't make that scenario
> feasible in reality. I understand the theoretical plausibility. I doubt very
> much the feasibility.


There are kernel modules that exist for Linux and Solaris, used by various
3733t h4x0r dudes, that will cause tripwire to report incorrect findings.
This stuff exists and is not a theoretical problem.

If your system has been compromised, you just can't trust anything it does.
This is why you have to run the report offline.  You've got to mount the
filesystems somewhere else, or boot with a CD or floppy and run the report.