Re: security idea - bootable CD to check your system
Jim Popovitch <yahoo@jimpop.com> writes:
> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
>> The difference is that:
>> a) These all run on the live system they are trying to protect,
> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort.... which is in
> Tripwire's best practices.
That doesn't necessarily help. It makes the attacker's task much more
difficult, but it's still possible to binary-patch a running kernel in
various ways to hide files from everything on the system, including
tripwire.
You have to boot into a known-clean kernel in order to get a fully
trustable integrity check.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
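The thread's point is that an integrity check is only as trustworthy as the kernel it runs under, so the baseline has to be built and compared from a boot environment you already trust. The script below is an added example, not code from this thread or from Tripwire: it builds a SHA-256 manifest of a filesystem and later re-checks it. It assumes GNU coreutils (`sha256sum`, `find`, `awk`), that the checked filesystem is mounted read-only under the path given as `ROOT` after booting known-clean media, and that the baseline manifest is kept off the checked system (the `/media/usb/...` path in the comments is a placeholder).

```shell
#!/bin/sh
# Added example: offline file-integrity check from a known-clean boot.
# Workflow (placeholder paths):
#   1. boot rescue media, then:  mount -o ro /dev/sdXn /mnt
#   2. first time:   ./integrity.sh build  /mnt > /media/usb/baseline.sha256
#   3. later boots:  ./integrity.sh verify /mnt   /media/usb/baseline.sha256
# The baseline never lives on the filesystem it describes, and neither the
# hashing nor the comparison runs under the kernel that is being checked.

# build_manifest ROOT
# Prints one "<sha256>  <path>" line per regular file under ROOT. Paths are
# relative to ROOT so the manifest does not depend on where it was mounted.
build_manifest() {
    root="$1"
    (
        cd "$root" || exit 1
        # LC_ALL=C gives a byte-order sort, so two runs over the same tree
        # produce byte-identical manifests.
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum -- "$f"
        done
    )
}

# verify_manifest ROOT BASELINE
# Rehashes ROOT and reports every file that is ADDED, MISSING or MODIFIED
# relative to BASELINE. Returns 0 when the tree matches, 1 on any difference.
verify_manifest() {
    root="$1"
    baseline="$2"
    current=$(mktemp) || return 2
    build_manifest "$root" > "$current"

    # Join baseline and current manifests on the path column (sha256sum
    # separates hash and path with two spaces). Anything left in the
    # baseline table after the pass over the current manifest has vanished.
    report=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            delete base[$2]
        }
        END { for (p in base) print "MISSING " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Small command-line front end; does nothing when sourced without arguments.
case "${1:-}" in
    build)  build_manifest "$2" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

The comparison is deliberately a plain hash join rather than a Tripwire-style database: the thing that makes it trustworthy is not the format but that both `build_manifest` and `verify_manifest` run from the rescue environment, where a patched kernel on the checked disk is never executed and so cannot hide files from `find` or feed `sha256sum` altered contents.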