
Re: checking system integrity



>>>>> "Chad" == Chad C Walstrom <chewie@wookimus.net> writes:

    Chad> On Fri, Feb 09, 2001 at 01:36:12PM +1100, Sam Johnston wrote:
    >> sounds like tripwire which is now apparently available under the GPL:

    Chad> What about AIDE?

Correct me if I am wrong, but it sounds to me like it doesn't
have anything to protect the database from being tampered with
(otherwise it probably would be in non-US, not main).

Then again, looking at tripwire, I can't see what protects the
tripwire executable from being tampered with either. I don't think it
is possible unless you can mount it from some media that is guaranteed
to be read-only (e.g. a write-protected floppy disk or a read-only exported
NFS share).

For example, what is to stop me, as the attacker, from replacing the
tripwire binary, so that it appears to do all the checks OK, but fails
to report any differences?

As another example, what is to stop me from reinitialising the entire
database, with my newly created public key (which replaces the
"correct" public key), based on the files I "updated"?

Currently I am compiling tripwire, so I may find answers to some of
the above when I get it going.
-- 
Brian May <bam@debian.org>
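The second scenario in the message above (the database reinitialised with a key of the attacker's choosing), as an added illustration that is not part of the original thread and not tripwire's or AIDE's own code: a toy integrity database whose hash table is authenticated with a keyed MAC, where the key `TRUSTED_KEY` is a hypothetical value assumed to live on read-only media beside the verifier. A database rebuilt under any other key fails the check, which is only meaningful if the key and the checker itself cannot be rewritten from the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical trusted key: in practice it would be kept on write-protected
# media with the verifier, never on the monitored host's writable disk.
TRUSTED_KEY = b"example-key-kept-on-read-only-media"

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_database(paths, key):
    """Baseline: per-file hashes plus a keyed MAC over the whole table."""
    entries = {p: hash_file(p) for p in sorted(paths)}
    blob = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, blob, "sha256").hexdigest()}

def database_is_authentic(db, key):
    """True only if the table was MACed with the key the verifier trusts."""
    blob = json.dumps(db["entries"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, blob, "sha256").hexdigest(), db["mac"])

def check(db, key):
    """Return changed paths, or None if the database itself cannot be trusted."""
    if not database_is_authentic(db, key):
        return None
    return [p for p, h in db["entries"].items() if hash_file(p) != h]

def demo():
    """Constructed scenario: one monitored file changes, then the database is rebuilt under a different key."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "sshd")]
    for p in paths:
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p))
    db = build_database(paths, TRUSTED_KEY)
    with open(paths[1], "a") as f:       # modify one monitored file
        f.write("\nmodified")
    changed = check(db, TRUSTED_KEY)     # the modified file is reported
    # Database re-initialised over the modified files with a different key:
    # the verifier holding the trusted key rejects it instead of reporting "clean".
    rebuilt = build_database(paths, b"some-other-key")
    rebuilt_result = check(rebuilt, TRUSTED_KEY)   # None: MAC mismatch
    return changed, rebuilt_result

if __name__ == "__main__":
    print(demo())
```

Note that this addresses only the database; the first scenario (a replaced checker binary) is not caught by anything the checker computes about itself, which is why the message's read-only-media point applies to the verifier as well.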