Firewall Wizards mailing list archives
Re: File Integrity Check
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 14 Aug 1999 12:14:30 +1000 (EST)
In some email I received from Russell Enderby, sie wrote:
> In pursuit of determining critical system files for modifications I was thinking the checksum prog 'sum' would be sufficient. Understanding that time, date, and file size can be modified under the ext2fs/ufs directory table. Is it possible to also make the 'sum' checksum appear to be correct?
Yes. See below.
> I was under the impression tripwire uses its own special checksum prog to verify files, although would 'sum' be sufficient as well? If not, does anyone know of a better, more thorough checksum app?
sum(1) is insufficient. There's a program around that will `fix' a binary with the wrong output of sum(1).

Tripwire uses a combination of md4/md5 and others - `cryptographic checksums' which are much much harder to defeat, especially if you use a combination of different algorithms (which tripwire can do).

What'd be even more amusing is if someone took one of those kernel hacks posted to bugtraq some time ago for FreeBSD (which intercepted open(2) and friends) and was able to feed back different information to tripwire than was normally given when the program was run.

Darren
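An added example, not part of the original post or of Tripwire: a minimal baseline-and-verify check that hashes each file with two cryptographic algorithms, shown next to the 16-bit System V `sum -s` checksum, which cannot see a two-byte swap. The algorithm choice (SHA-256 and BLAKE2b as modern stand-ins for md4/md5), the function names and the sample file contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: modern stand-ins for the md4/md5 combination named in the post.
ALGORITHMS = ("sha256", "blake2b")

def sysv_sum(data: bytes) -> int:
    """16-bit System V checksum (the `sum -s` algorithm): folded byte total."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)

def digests(path: str) -> dict:
    """Hash one file with every algorithm in ALGORITHMS in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def make_baseline(paths) -> dict:
    return {p: digests(p) for p in paths}

def changed_files(baseline: dict) -> list:
    """Paths that are missing or differ from the baseline in any algorithm."""
    return sorted(p for p, want in baseline.items()
                  if not os.path.isfile(p) or digests(p) != want)

def demo() -> dict:
    # Constructed sample content; the "tampered" copy only swaps two bytes,
    # so length and byte total (all that sysv_sum sees) stay the same.
    original = b"#!/bin/sh\nexec /bin/true\n"
    tampered = original[1:2] + original[0:1] + original[2:]
    with tempfile.TemporaryDirectory() as d:
        target, other = os.path.join(d, "target"), os.path.join(d, "other")
        for path in (target, other):
            with open(path, "wb") as fh:
                fh.write(original)
        baseline = make_baseline([target, other])
        with open(target, "wb") as fh:
            fh.write(tampered)
        changed = [os.path.basename(p) for p in changed_files(baseline)]
    return {"sum_unchanged": sysv_sum(original) == sysv_sum(tampered),
            "changed": changed}

if __name__ == "__main__":
    print(demo())
```

The check trusts whatever the operating system returns from reads of the file, so it does not address the intercepted-open(2) scenario raised at the end of the message.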