Re: snooper watchers
Timothy Newsham (newsham aloha.net)
Sat, 25 Feb 1995 11:41:44 -1000 (HST)
- Next message: Stephen D. Williams: "Re: another Web bitchout"
- Previous message: *Hobbit*: "the qf file"
- In reply to: Gene Rackow: "Re: snooper watchers"
- Next in thread: Darren Reed: "Re: snooper watchers"
> If I turn the paranoid mode up a notch or two here..
> What is to stop someone from mounting another filesystem over the top of
> your tripwire database and crontab entries? Replace the mount and df
> commands to not show the new mount point. Now you continue to believe
> that you are a happy camper, all safe and secure.

It's OK to be paranoid. This is a valid concern. Automated checking
still has its merits. Manual checking is very tedious. If it's tedious,
most people won't do it regularly. Automatic checking is not failsafe.
By mixing automated and manual checking you can have a little convenience
as well as security. A sophisticated attack may not be noticed immediately
but eventually will be. A less sophisticated attack will be noticed almost
immediately.

Btw, an easier attack is to just modify the script that regularly runs
tripwire, usually run from cron.

> You really need to do a separation of the checkee from the checkor.
> If someone has root access on the machine, they could basically do anything that
> is needed to cover their tracks.

This is why manual checks should still be done, but this is not why
automatic checking should be given up.

Tim N.
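
Added example, not part of the original post or of Tripwire: a small checker for the checker's own files (the cron wrapper script and the database), covering both the modified-script case and the mount-over case without consulting `mount` or `df`. The function names and the baseline layout are assumptions, and the baseline is assumed to be recorded at a trusted time and kept off the host.

```python
import hashlib
import os


def sha256_file(path):
    """Hash a file in chunks so large databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _dir_identity(path):
    """(device, inode) of the directory holding path, taken from stat(2)."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return st.st_dev, st.st_ino


def snapshot(paths):
    """Baseline: content hash plus the identity of each file's directory."""
    return {p: {"sha256": sha256_file(p), "dir": _dir_identity(p)} for p in paths}


def verify(baseline):
    """Return (path, problem) pairs for everything that differs from baseline."""
    findings = []
    for path, want in baseline.items():
        try:
            got_dir, got_hash = _dir_identity(path), sha256_file(path)
        except OSError:
            findings.append((path, "missing or unreadable"))
            continue
        # A filesystem mounted over the directory changes its device/inode,
        # whatever a replaced mount or df binary chooses to print.
        if tuple(got_dir) != tuple(want["dir"]):
            findings.append((path, "directory identity changed"))
        if got_hash != want["sha256"]:
            findings.append((path, "content changed"))
    return findings
```

Run from the same host, this still depends on an honest kernel, so it narrows the gap between automated and manual checks rather than replacing the manual ones.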