Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: snooper watchers

Re: snooper watchers

Timothy Jones (timcs.columbia.edu)
Mon, 27 Feb 1995 01:14:25 +0100 (MET)

Has anyone built a system sharing a dual-ported disk between the server
(checkee) and another machine that runs something like tripwire (checker)?
Obviously, the checker shouldn't be attached to the 'net...

Tim

Gene Rackow writes:
> If I turn the paranoid mode up a notch or two here..
> What is to stop someone from mounting another filesystem over the top of
> your tripwire database and crontab entries?  Replace the mount and df
> commands to not show the new mount point.  Now you continue to believe
> that you are a happy camper, all safe and secure.
> 
> You really need to do a separation of the checkee from the checker.
> If someone has root access on the machine, they could basically do anything that
> is needed to cover their tracks.
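
The overmount described in the quoted message can be looked for without trusting the `mount` or `df` binaries by reading the kernel's mount table directly. This is an added example, not part of the original posts; it assumes the Linux `/proc/self/mountinfo` format, and the paths, device numbers and sample table are constructed. It still runs on kernel-supplied data, so it complements rather than replaces separating the checker from the checkee.

```python
# Added example: paths, device numbers and mount table below are constructed.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 21 8:17 / /var/lib/tripwire ro,relatime - ext4 /dev/sdb1 ro
41 30 0:45 / /var/lib/tripwire rw,relatime - tmpfs tmpfs rw
42 21 0:46 / /var/spool/cron rw,relatime - tmpfs tmpfs rw
"""

# Hypothetical baseline kept off the checked host: path -> expected major:minor.
EXPECTED = {"/var/lib/tripwire": "8:17", "/var/spool/cron": "8:1", "/etc": "8:1"}

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts (fields before ' - ' are positional)."""
    mounts = []
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")
        f = left.split()
        fstype, source = right.split()[:2]
        mounts.append({"id": int(f[0]), "parent": int(f[1]), "dev": f[2],
                       "point": f[4], "fstype": fstype, "source": source})
    return mounts

def mount_stack(mounts, path):
    """Return every mount sitting on the deepest mount point that covers path."""
    def covers(point):
        return point == "/" or path == point or path.startswith(point + "/")
    hits = [m for m in mounts if covers(m["point"])]
    deepest = max(len(m["point"]) for m in hits)
    return [m for m in hits if len(m["point"]) == deepest]

def check(mounts, expected):
    """Map each suspicious path to its reasons: 'stacked' and/or 'device'."""
    findings = {}
    for path, dev in expected.items():
        stack = mount_stack(mounts, path)
        parents = {m["parent"] for m in stack}
        top = [m for m in stack if m["id"] not in parents][-1]  # visible mount
        reasons = []
        if len(stack) > 1:
            reasons.append("stacked")      # something mounted over the top
        if top["dev"] != dev:
            reasons.append("device")       # files now come from another device
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in check(parse_mountinfo(SAMPLE_MOUNTINFO), EXPECTED).items():
        print(path, reasons)
```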