Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: snooper watchersTimothy Newsham (newshamaloha.net)
Sat, 25 Feb 1995 11:41:44 -1000 (HST)
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Stephen D. Williams: "Re: another Web bitchout"
- Previous message: *Hobbit*: "the qf file"
- In reply to: Gene Rackow: "Re: snooper watchers"
- Next in thread: Darren Reed: "Re: snooper watchers"
> If I turn the paranoid mode up a notch or two here.. > What is to stop someone from mounting another filesystem over the top of > your tripwire database and crontab entries. Replace the mount and df > commands to not show the new mount point. Now you continue to believe > that you are a happy camper, all safe and secure. Its ok to be paranoid. This is a valid concern. Automated checking still has its merits. Manual checking is very tedious. If its tedious it most people wont do it regularly. Automatic checking is not failsafe. By mixing automated and manual checking you can have a little convenience as well as security. A sophisticated attack may not be noticed immediately but eventually will be. A less sophisticated attack will be noticed almost immediately. Btw an easier attack is to just modify the script that regularly runs tripwire, usually run from cron. > You really need to do a seperation of the checkee from the checkor. > If someone has root access on the machine, the could basicly do anything that > is needed to cover their tracks. This is why manual checks should still be done, but this is not why automatic checking should be given up. Tim N.