Re: checking system integrity
On Wed, Feb 14, 2001 at 12:11:47PM -0800, Stephen Zander wrote:
> >>>>> "Matt" == Matt Zimmerman <email@example.com> writes:
> Matt> It would be a trivial rootkit addition (if it doesn't exist
> Matt> already) to cause exec()s of binaries named "tripwire" to
> Matt> run a modified version which reads the same config file,
> Matt> does all the same calculations, but prints out a successful
> Matt> result regardless of the status of the file.
> Then the intruder must redirect *all* exec calls as there is *no* requirement
> that I invoke tripwire as tripwire. I could call it "Matt" if I wanted to.
The check could also trigger on an open() of a tripwire config file (or
something that looks like one). This kind of cat and mouse game could go on
forever. When you don't know what kind of attacker you could be dealing with,
the only solution is to avoid the problem completely.
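The point made above is that an integrity checker running on the suspect host can be lied to by a rootkit that hooks exec() or open(), so the usual way to "avoid the problem completely" is to verify from an environment the attacker does not control: boot trusted media, mount the suspect filesystem read-only, and compare it against a baseline stored off that host. The following Python is an added illustration of that offline baseline-and-verify workflow; it is not part of this thread and is not Tripwire's own code or file format. All file contents in `demo()` are constructed samples, and the function and parameter names are this example's own.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk_size=65536):
    """Return the hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk `root` and record the digest of every regular file, keyed by relative path.

    Paths are normalised to forward slashes so a baseline written on one
    platform can be compared on another.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed in this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline


def verify_baseline(root, baseline, algo="sha256"):
    """Compare the current tree under `root` with a previously stored baseline.

    Returns a dict with three sorted lists: 'modified', 'missing' and 'added'.
    The verdict is only as good as the environment it runs in: this code, the
    Python interpreter and the baseline must come from media the suspect host
    cannot alter, and `root` should be a read-only mount of the suspect
    filesystem inspected from a clean boot. Run on the suspect host itself,
    a hooked open() can feed this function the original bytes of a replaced
    binary and every check will pass.
    """
    current = build_baseline(root, algo)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-verify.

    Returns (clean_result, tampered_result) so the outcome can be inspected.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary (constructed sample)\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh (constructed sample)\n")

        # Baseline taken while the tree is known-good; in practice it is stored off-host.
        baseline = build_baseline(root)
        clean = verify_baseline(root, baseline)

        # Simulate what a checker should catch: a replaced binary and an unexpected new file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"replaced ls binary (constructed sample)\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected file (constructed sample)\n")

        tampered = verify_baseline(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("after tampering:", tampered)
```

The design choice worth noting is that nothing in `verify_baseline` can defend itself against a compromised kernel or libc underneath it; the function is deliberately simple because the trust has to come from where it is run, not from how clever the comparison is.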