Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snooper watchers

From: rackow () mcs anl gov (Gene Rackow)
Date: Sat, 25 Feb 1995 07:16:05 -0600

If I turn the paranoid mode up a notch or two here..
What is to stop someone from mounting another filesystem over the top of
your tripwire database and crontab entries.  Replace the mount and df
commands to not show the new mount point.  Now you continue to believe
that you are a happy camper, all safe and secure.

You really need to do a seperation of the checkee from the checkor.
If someone has root access on the machine, the could basicly do anything that
is needed to cover their tracks.

Eiji Hirai writes:

At Feb 24, 11:33am, Ben Taylor <bent () snm com> tapped on the keyboard:
: > Are you going to write a program that checks to see if root's cronjob has
: > been modified? Probably not, and if someone has access to /dev/nit, they'
 re
: > going to have access to root's cronjob as well.
: 
: I suppose if you really wanted to make sure that crontab entries couldn't
: be changed is to put them on a write protected floppy, mounted at boot.

The best thing to do is to run tripwire from a read-only device (like a
floppy) from which you can check the integrity of any number of files,
like crontab.

     ftp://coast.cs.purdue.edu/pub/COAST/Tripwire

-- 
Eiji Hirai
The NetMarket Company
eiji () netmarket com
Previous By Date Next
Previous By Thread Next

Current thread: