
Re: checking system integrity

>>>>> "Brian" == Brian May <bam@debian.org> writes:

>>>>> "Chad" == Chad C Walstrom <chewie@wookimus.net> writes:
 Chad> On Fri, Feb 09, 2001 at 01:36:12PM +1100, Sam Johnston wrote:
 >>> sounds like tripwire which is now apparently available under the GPL:

 Chad> What about AIDE?

 Brian> Correct me if I am wrong, but it sounds like to me that it doesn't
 Brian> have anything to protect the database from being tampered with
 Brian> (otherwise it probably would be in non-US not main).

 Brian> Then again, looking at tripwire, I can't see what protects the
 Brian> tripwire executable from being tampered with either. I don't think it
 Brian> is possible unless you can mount it from some media that is guaranteed
 Brian> to be read-only (eg write protected floppy disk or read-only exported
 Brian> NFS).

 Brian> For example, what is to stop me, as the attacker, from replacing the
 Brian> tripwire binary, so that it appears to do all the checks OK, but fails
 Brian> to report any differences?

	My solution to this eternal who shall watch the watcher
 problem is to md5sum the database and the binary, and detach-sign
 that file.  I verify the database and binary at random times
 (basically, whenever I think about it).

The generation of random numbers is too important to be left to
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
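
Added example, not part of the original message: one way to script the procedure described above (hash the checker's database and binary, detach-sign the hash list, verify both later). The function names and the HASH_TOOL variable are hypothetical, the file paths are whatever the caller passes in, and a GnuPG signing key is assumed to exist already.

```shell
#!/bin/sh
# Added example: signed baseline for an integrity checker's own files.
# HASH_TOOL defaults to md5sum, as in the message; sha256sum reads and
# writes the same manifest format and resists collisions that MD5 does not.
HASH_TOOL="${HASH_TOOL:-md5sum}"

# write_manifest MANIFEST FILE...
# Writes one "digest  path" line per file. Pass absolute paths so the
# manifest can be checked from any working directory.
write_manifest() {
    manifest=$1; shift
    "$HASH_TOOL" "$@" > "$manifest"
}

# sign_manifest MANIFEST
# Writes a detached signature to MANIFEST.sig with the default secret key.
sign_manifest() {
    gpg --batch --yes --output "$1.sig" --detach-sign "$1"
}

# check_manifest MANIFEST
# Returns 0 only if every file listed in the manifest still matches.
check_manifest() {
    "$HASH_TOOL" -c "$1" >/dev/null 2>&1
}

# verify_baseline MANIFEST
# Checks the signature first: a manifest that fails here may have been
# regenerated by whoever changed the files, so its digests prove nothing.
# gpg accepts any key in the keyring, so the keyring used for this step
# should hold only the key that is allowed to sign baselines.
verify_baseline() {
    gpg --batch --verify "$1.sig" "$1" 2>/dev/null || {
        echo "signature check FAILED for $1" >&2
        return 2
    }
    check_manifest "$1" || {
        echo "digest mismatch against $1" >&2
        return 1
    }
    echo "OK: $1"
}
```

The result is only as trustworthy as the md5sum and gpg binaries that produce it, which is the same objection raised earlier in the thread about the tripwire binary, so run them from read-only media and keep the signing key off the monitored host.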
