> If it can be set, it can be unset. On a CDROM it's on a read only
> filesystem.
Keep in mind, though, that some vulnerabilities only allow things like overwriting a file that is root-writable, or appending to a file -- not all vulns allow code execution directly. chattr would have helped in this case.

Also, if they can turn off chattr +i, what's to stop them from doing something like mounting a loopback device that looks like a CD-ROM? Also, you need to keep your entire tripwire binaries on that CD-ROM, so that they cannot be trojaned to look at a different database. Also, you need to keep your entire OS on a CD-ROM so that it cannot be trojaned to run a different binary.

This is all about mitigating risks... you're not going to eliminate them. The chattr thing can help in some circumstances, so it's not entirely useless. But, yeah, it's probably a good idea to keep the database on CD-ROM.

--brian
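As an added illustration of the two checks the thread argues over (is the database on a genuinely read-only, non-loopback mount, and does the file carry the immutable attribute), here is a small POSIX sh example written for this page, not code from the thread or from tripwire. It parses a constructed /proc/mounts sample and an lsattr-style output line; the paths and devices in the sample are made up.

```shell
#!/bin/sh
# Constructed /proc/mounts sample (not captured from a real host):
# a real CD-ROM, a loopback-backed ISO pretending to be one, and a rw root.
SAMPLE_MOUNTS='/dev/sr0 /mnt/cdrom iso9660 ro,relatime 0 0
/dev/loop0 /mnt/fakecd iso9660 ro,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# mount_entry_for PATH MOUNTS_TEXT
# Prints the /proc/mounts line whose mountpoint is the longest prefix of PATH.
mount_entry_for() {
  printf '%s\n' "$2" | awk -v p="$1" '
    {
      mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best) { best = length(mp); line = $0 }
      }
    }
    END { print line }'
}

# db_mount_verdict PATH MOUNTS_TEXT
# Prints "ok" only when PATH sits on a read-only mount that is not a
# loop device; otherwise "loop-device", "writable" or "unknown".
db_mount_verdict() {
  entry=$(mount_entry_for "$1" "$2")
  [ -n "$entry" ] || { echo unknown; return 1; }
  dev=$(printf '%s\n' "$entry" | awk '{ print $1 }')
  opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
  case "$dev" in /dev/loop*) echo loop-device; return 1 ;; esac
  case ",$opts," in *,ro,*) echo ok; return 0 ;; esac
  echo writable; return 1
}

# immutable_in_lsattr LSATTR_LINE
# lsattr prints the flag field first (e.g. "----i---------e-------"); the
# lowercase "i" is chattr +i, so succeed only when it is present.
immutable_in_lsattr() {
  case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo over the constructed sample.
for f in /mnt/cdrom/tw.db /mnt/fakecd/tw.db /var/lib/tripwire/tw.db; do
  printf '%-28s %s\n' "$f" "$(db_mount_verdict "$f" "$SAMPLE_MOUNTS")"
done
```

On a live host, replace the sample with `cat /proc/mounts` and feed `lsattr /path/to/tw.db` to `immutable_in_lsattr`; remember that a loop mount passing as "ro" is exactly the case the verdict flags separately.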