Re: Tripwire in bin-directory?
Um, you don't need a kernel patch for that. Just the immutable bit and the
`lcap' program/package to make that immutable bit permanent. (Of course
you will need to set immutability on inittab and anything called from
there, so that it can't be changed during boot, allowing the script kiddie
to drop a shell script into init's boot scripts...)
Ah, the wonders of the capability bounding set. ;)
EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9
On Wed, 24 May 2000 firstname.lastname@example.org wrote:
> Hi !
> > > is a shellscript in bin that executes /usr/lib/tripwire.
> > > If someone breaks into my system, he/she could
> > > change the file in bin to something that always
> > > reports that nothing was changed!
> > If someone breaks into your system, he/she could change /usr/lib/tripwire
> > itself... isn't this just as much of a problem, except in the unlikely
> > event that /usr/lib is hardware write-protected while /bin is not.
> Use LIDS. It's not a magic-weapon but a very good patch to the kernel
> itself. Read the article on securityfocus and the LIDS docs. With this
> patch it's possible that even root couldn't overwrite files in selected
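An added example, not part of the original message: a small audit of the two conditions the reply depends on, namely that the protected files carry the immutable attribute and that CAP_LINUX_IMMUTABLE has been removed from the capability bounding set. It assumes a kernel that reports the bounding set as `CapBnd` in `/proc/<pid>/status` and the `lsattr` output format from e2fsprogs; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits the two conditions the post relies on.
CAP_LINUX_IMMUTABLE=9   # bit number of this capability in <linux/capability.h>

# Constructed sample data (not taken from a real host).
SAMPLE_LSATTR='----i---------e------- /etc/inittab
--------------e------- /usr/lib/tripwire'
FULL_CAPBND=000001ffffffffff      # nothing dropped from the bounding set
DROPPED_CAPBND=000001fffffffdff   # same mask with bit 9 cleared

# cap_in_bounding_set HEXMASK BIT: 0 = present, 1 = dropped, 2 = unparsable
cap_in_bounding_set() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_immutable: reads `lsattr` output on stdin, prints paths lacking 'i'
missing_immutable() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        case $flags in
            *i*) ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# audit HEXMASK: lsattr output on stdin; returns 0 only if every file is
# immutable AND the capability needed to clear the bit has been dropped.
audit() {
    rc=0
    unprotected=$(missing_immutable)
    if [ -n "$unprotected" ]; then
        printf '%s\n' "$unprotected" | sed 's/^/not immutable: /'
        rc=1
    fi
    cap_in_bounding_set "$1" "$CAP_LINUX_IMMUTABLE" && st=0 || st=$?
    case $st in
        0) echo 'CAP_LINUX_IMMUTABLE in bounding set: root can still chattr -i'; rc=1 ;;
        1) ;;
        *) echo "cannot parse CapBnd value: $1"; rc=1 ;;   # fail closed
    esac
    return $rc
}

# Demo on the constructed sample. Live use would be something like:
#   lsattr /etc/inittab /usr/lib/tripwire |
#       audit "$(awk '/^CapBnd:/ {print $2}' /proc/1/status)"
printf '%s\n' "$SAMPLE_LSATTR" | audit "$FULL_CAPBND" || echo 'audit: FAILED'
```

The immutable flag on its own only passes half of this check: while the capability remains in the bounding set, a root process can clear the flag again.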