> What stops the intruder from disabling tripwire and replacing it with
> some kind of system to just keep mailing the last good copy of the
> database? This would be the equivalent of putting the picture of the
> inside of the empty safe in front of the security camera while you
> ransack it. :-)
My point exactly (see my previous email). Tripwire is pretty much worthless
after the very first time it runs when you build a system. That copy of the
tripwire db is very valuable and should be kept in a safe place. You can
still run tripwire and it is useful, as I said, to catch the script kiddies
if you are lucky. It is still very useful if you are broken into to compare
the very first snapshot with the current one.
--
Alberto U. Begliomini Email: [EMAIL PROTECTED]
Coldstone Consulting, LLC Phone: 650-400-3990
Internet Technologies, Security, Systems Management Fax: 650-654-5938