Re: IDS

To: debian-isp@lists.debian.org
Subject: Re: IDS
From: Nate Duehr <nate@natetech.com>
Date: Mon, 9 Aug 2004 18:55:57 -0600
Message-id: <[🔎] 09E5F1CE-EA68-11D8-8548-003065AF7D80@natetech.com>
In-reply-to: <[🔎] 1092090119.1889.35.camel@edd>
References: <[🔎] 1091794359.3652.123.camel@edd> <[🔎] Pine.LNX.4.58.0408061357140.29684@brave.cs.uml.edu> <[🔎] 1092090119.1889.35.camel@edd>


On Aug 9, 2004, at 4:21 PM, Tinus Nijmeijers wrote:

can I assume that no-one here uses a file-integrity checker?

Saying that "no one here" uses tools like that is probably a bitreactionary, but I'd say most people here do know that such tools havea very limited application... to tell you it's time to blow away andrebuild the box once anyone you don't trust has had root level accessto it.

Unless you have physical access to the machine to copy off tripwire'sdatabase to a secured location, and time to take that database back tothe machine regularly, tripwire is supremely easy to trick. (hint: Amalicious person could simply touch every file on the filesystem ontheir way out the door... as one super-simple example. And iftripwire's database is stored locally, it's vulnerable to being messedwith.)

Tripwire bills itself as a defensive tool, but if tripwire alerts aregoing off, it's FAR too late. Better to keep untrusted people out inthe first place. Most people spend the majority of their securityefforts on that first.


--
Nate Duehr, nate@natetech.com

Reply to:

References:
- IDS
  - From: Tinus Nijmeijers <mlists@deephosting.com>
- Re: IDS
  - From: Dan MacNeil <omacneil@brave.cs.uml.edu>
- Re: IDS
  - From: Tinus Nijmeijers <mlists@deephosting.com>

Prev by Date: Re: IDS
Next by Date: Re: IDS
Previous by thread: Re: IDS
Next by thread: Re: IDS
Index(es):
- Date
- Thread