At 09:25 18.10.2002, Thomas Ribbrock said:
--------------------[snip]--------------------
>On Thu, Oct 17, 2002 at 01:29:53PM -0700, Todd A. Jacobs wrote:
>[...]
>>     - Install portsentry.
>>     - Configure tripwire and READ the reports.
>>     - Install logsentry and READ the reports.
>[...]
>
>The one thing I don't understand here is: How can these tools help against a
>dedicated cracker who will simply manipulate these tools once he has root
>access to the machine?? As far as I can see, *anything* that's *on* the
>machine itself is fair game once you have root access, is it not?
--------------------[snip]-------------------- 

Root access is only half the way. Tripwire uses PGP security to generate a
hash on all monitored items, and keeps these hashes in its own database,
secured with PGP sign and encryption. You need at least the right PGP key
to unlock the database.

However, if you have this _and_ are root _and_ have gained shell access you
_can_ update the tripwire database after making your changes. The only
thing a good sysop will notice, however, is the last modification time of
the tripwire database, and that possibly some items it had in alert state
are missing. I always change some file in /root _after_ tripwire -u to have
this "marker" in the notification list.


   >O     Ernest E. Vogelsinger
   (\)    ICQ#   13394035
    ^     
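The mechanism discussed above, as an added illustration that is not part of the original thread or of tripwire itself: a toy integrity database sealed with a key the intruder is assumed not to hold (an HMAC stands in for tripwire's PGP signing), showing what a check reports when a monitored file changes, when someone with root but without the key patches the database, and when the database is legitimately re-sealed with the key. File names and contents are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key; the point of the scheme is that it is NOT kept on the host.
KEY = b"example-signing-key"

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def seal(entries, key):
    # Keyed MAC over the canonical database body stands in for PGP signing.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_db(paths, key):
    entries = {p: hash_file(p) for p in paths}
    return {"entries": entries, "mac": seal(entries, key)}

def check(db, key, paths):
    # A database whose seal does not verify is itself the alert.
    if not hmac.compare_digest(db["mac"], seal(db["entries"], key)):
        return {"db_tampered": True, "changed": []}
    changed = [p for p in paths if hash_file(p) != db["entries"].get(p)]
    return {"db_tampered": False, "changed": changed}

def demo():
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "inetd.conf")]
    for p in paths:
        with open(p, "w") as f:
            f.write("baseline contents\n")
    db = build_db(paths, KEY)
    results = {"clean": check(db, KEY, paths)}
    # A monitored file changes: reported on the next check.
    with open(paths[1], "a") as f:
        f.write("modified line\n")
    results["modified"] = check(db, KEY, paths)
    # Root access without the key: patching the stored hash breaks the seal.
    forged = {"entries": {**db["entries"], paths[1]: hash_file(paths[1])}, "mac": db["mac"]}
    results["forged_without_key"] = check(forged, KEY, paths)
    # Root access plus the key: a re-sealed database verifies cleanly, so the
    # only remaining trace is the database's own mtime and the vanished alert.
    results["resealed_with_key"] = check(build_db(paths, KEY), KEY, paths)
    return results
```

This is why the database's modification time, and alerts that silently disappear between reports, are worth watching even when every seal verifies.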



-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
