Re: checking system integrity
>>>>> "Matt" == Matt Zimmerman <mdz@debian.org> writes:
Matt> It would be a trivial rootkit addition (if it doesn't exist
Matt> already) to cause exec()s of binaries named "tripwire" to
Matt> run a modified version which reads the same config file,
Matt> does all the same calculations, but prints out a successful
Matt> result regardless of the status of the file.
Then the intruder must redirect *all* exec calls as there is *no*
requirement that I invoke tripwire as tripwire. I could call it
"Matt" if I wanted to. :)
--
Stephen
"Farcical aquatic ceremonies are no basis for a system of government!"