On Fri, May 09, 2008 at 05:54:40AM -0700, phobot wrote: > On May 7, 1:10 pm, martin f krafft <madd...@debian.org> wrote: > > > use integrit/aide/tripwire > > > > only useful with read-only media > > OK, I don't get it if the media is read-only none can alter it so you > don't really need tripwire. > But if the media is writable so changes can be made you need to run > tripwire to check your files. > Where am I wrong? What madduck is saying is that tools like tripwire are only useful if you store their databases on read-only media. Otherwise the same attacker who compromised your system could modify the database to cover their tracks. At least tripwire has the ability to encrypt its database, which helps to mitigate this problem. The claim that tripwire is only useful with read-only media is too strong; it can be quite useful without it. noah
Attachment:
signature.asc
Description: Digital signature