Alberto Begliomini <[EMAIL PROTECTED]> wrote:
> the attacker can always run Tripwire with a different configuration file,
> or fake the output,
[ snip ]
> Said that, I normally email the first Tripwire database, when I build
> a system, to a server where I keep and eventually archive all the
> Tripwire databases and I leave a copy of the database, on the system
> where Tripwire is running, in a directory readable only by root. Each
> time a change is made on the system, a new copy of the database is
> emailed to the archive server.
What stops the intruder from disabling tripwire and replacing it with
some kind of system to just keep mailing the last good copy of the
database? This would be the equivalent of putting the picture of the
inside of the empty safe in front of the security camera while you
ransack it. :-)
b.