On Aug 9, 2004, at 4:21 PM, Tinus Nijmeijers wrote:
> Can I assume that no one here uses a file-integrity checker?

Saying that "no one here" uses tools like that is probably a bit reactionary, but I'd say most people here do know that such tools have a very limited application... to tell you it's time to blow away and rebuild the box once anyone you don't trust has had root-level access to it.

Unless you have physical access to the machine to copy off Tripwire's database to a secured location, and time to take that database back to the machine regularly, Tripwire is supremely easy to trick. (Hint: a malicious person could simply touch every file on the filesystem on their way out the door... as one super-simple example. And if Tripwire's database is stored locally, it's vulnerable to being messed with.)

Tripwire bills itself as a defensive tool, but if Tripwire alerts are going off, it's FAR too late. Better to keep untrusted people out in the first place. Most people spend the majority of their security efforts on that first.

Nate Duehr
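
An added example, not part of the original post and not Tripwire's code: a minimal integrity check illustrating the two concerns raised above, a baseline database kept on the monitored host and timestamp changes across every file. The function names, the sample files and the HMAC key (standing in for a secret held off the host) are assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map relative path -> content digest and mtime for each file under root."""
    db = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(p, root)] = {"sha256": digest, "mtime": os.stat(p).st_mtime_ns}
    return db

def seal(db, key):
    """HMAC over the canonical baseline; key is assumed to be held off the host."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(root, db, tag, key):
    """Return (baseline_trusted, content_changed, mtime_only_changed)."""
    trusted = hmac.compare_digest(seal(db, key), tag)
    now = snapshot(root)
    content = sorted(p for p in db.keys() | now.keys()
                     if db.get(p, {}).get("sha256") != now.get(p, {}).get("sha256"))
    mtime_only = sorted(p for p in db.keys() & now.keys()
                        if p not in content and db[p]["mtime"] != now[p]["mtime"])
    return trusted, content, mtime_only

def demo():
    key = b"constructed-demo-key"  # constructed; stands in for an off-host secret
    with tempfile.TemporaryDirectory() as root:
        for name in ("login", "ls", "sshd"):  # constructed sample files
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"v1")
        db = snapshot(root)
        tag = seal(db, key)  # recorded off-host at baseline time
        with open(os.path.join(root, "sshd"), "wb") as f:
            f.write(b"v2")  # one file's content changes
        for name in os.listdir(root):
            os.utime(os.path.join(root, name), ns=(1, 1))  # every mtime changes
        first = check(root, db, tag, key)
        # The local baseline is regenerated after the change; the tag is not.
        second = check(root, snapshot(root), tag, key)
    return first, second

if __name__ == "__main__":
    print(demo())
```

In the second check the regenerated baseline matches the files exactly, so the only signal left is the failed tag comparison, which depends on the key and tag never having been stored on the monitored machine.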

