Re: checking system integrity



>>>>> "Matt" == Matt Zimmerman <mdz@debian.org> writes:
    Matt> It would be a trivial rootkit addition (if it doesn't exist
    Matt> already) to cause exec()s of binaries named "tripwire" to
    Matt> run a modified version which reads the same config file,
    Matt> does all the same calculations, but prints out a successful
    Matt> result regardless of the status of the file.

Then the intruder must redirect *all* exec calls as there is *no*
requirement that I invoke tripwire as tripwire.  I could call it
"Matt" if I wanted to. :)

-- 
Stephen

"Farcical aquatic ceremonies are no basis for a system of government!"


