Re: IDS

On Aug 9, 2004, at 4:21 PM, Tinus Nijmeijers wrote:
> can I assume that no-one here uses a file-integrity checker?

Saying that "no one here" uses tools like that is probably a bit
reactionary, but I'd say most people here do know that such tools have
a very limited application... to tell you it's time to blow away and
rebuild the box once anyone you don't trust has had root level access
to it.

Unless you have physical access to the machine to copy off tripwire's
database to a secured location, and time to take that database back to
the machine regularly, tripwire is supremely easy to trick. (hint: A
malicious person could simply touch every file on the filesystem on
their way out the door... as one super-simple example. And if
tripwire's database is stored locally, it's vulnerable to being messed
with.)

Tripwire bills itself as a defensive tool, but if tripwire alerts are
going off, it's FAR too late. Better to keep untrusted people out in
the first place. Most people spend the majority of their security
efforts on that first.
--
Nate Duehr, nate@natetech.com
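
The two concerns raised in the message above (timestamps changed across the filesystem, and a baseline database stored on the monitored host) can be handled as in the following added example, which is not part of the original message and is not Tripwire's code. The function names and the demo key are hypothetical; the HMAC key is assumed to be kept off the monitored host.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map relative path -> content hash and mtime for each file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = {
                "sha256": digest, "mtime": os.stat(path).st_mtime_ns}
    return snap

def seal(snap, key):
    """Serialize the baseline and tag it with a key kept off the host."""
    body = json.dumps(snap, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def check(root, body, tag, key):
    """Refuse an altered baseline, then split real edits from mtime noise."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"baseline": "TAMPERED"}
    old, new = json.loads(body), snapshot(root)
    report = {"baseline": "ok", "content_changed": [], "mtime_only": [],
              "added": [], "removed": []}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report["removed"].append(path)
        elif path not in old:
            report["added"].append(path)
        elif old[path]["sha256"] != new[path]["sha256"]:
            report["content_changed"].append(path)
        elif old[path]["mtime"] != new[path]["mtime"]:
            report["mtime_only"].append(path)
    return report

def demo():
    key = b"constructed-demo-key"  # assumption: stored off the monitored host
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.conf", b"port=22\n"), ("b.bin", b"\x00\x01")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        body, tag = seal(snapshot(root), key)
        os.utime(os.path.join(root, "a.conf"), ns=(10**18, 10**18))  # touched
        with open(os.path.join(root, "b.bin"), "wb") as fh:
            fh.write(b"\x00\x02")  # actually modified
        forged = body.replace(b"b.bin", b"c.bin")  # baseline edited on the host
        return check(root, body, tag, key), check(root, forged, tag, key)
```

The check only holds if the verifier and the key run somewhere root on the monitored box cannot reach; a checker executed on a compromised host can itself be replaced.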