Quoting Bill Broadley ([EMAIL PROTECTED]):

> Assuming you took reasonable precautions, maintained physical security
> and had zero or just ssh port open you should be fine.

I'll bet buggy Web apps are common vectors. ;->

[kernel-based rootkit implementations prevail]

> So local tripwire, local package database, or even a remote
> network mount is basically useless.

Doing any IDS check from known-good boot media is obviously far better (where one can afford the downtime), and the only way any integrity check of the boot chain can possibly hope to be reliable.

> Booting known good media is much better, although even then it's
> pretty trivial to subvert.

Oh, do tell.

> Of course it's relatively trivial to hack a machine, not change a single
> binary, and open up a back door.

I assume you mean that _if_ you have cracked a machine, it's easy to avoid changing the binaries, and yet open a back door. However, you must make a critical change to system configuration to make that persist, which change then is part of the forensic trail.

> One nice thing about CDR is that it auto updates, every patch happens
> securely, much better than running tripwire locally where step #3 for
> hacking a system is to find tripwire and include your backdoors when
> it's run so that the next time the admin runs a patch and approves 500
> file update that the backdoor will be included.

That would be a rather careless sysadmin who doesn't detect the fact that the TW policy file has been altered. All of the thing's files, you may recall, are crypto-signed, right down to the reports -- and that would be pretty pointless if you didn't always (at minimum) use its siggen utility from read-only media to check them. Even at that, it's theoretically possible that a subverted runtime system (not rebooted to known-good media) could jigger the siggen checks to make it lie and report the expected hash values, but I'll believe that when I see it.

(FWIW, I don't like Tripwire: Too slow, far too much hassle to admin, too crufty; but I'm glad to give credit for what they did thoughtfully.)

_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
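The exchange above turns on two points: a back door that leaves binaries alone still has to change configuration, which an integrity database will catch; and the database itself must be signed and verified with a key the host never sees, otherwise an intruder simply re-baselines over their changes. The script below is an added illustration of both points, written for this archive page; it is not Tripwire's code nor anything from the original thread. It builds a signed baseline of a directory tree, reports changed/added/missing files, and refuses a baseline whose signature no longer matches. The directory layout, file contents, and the signing key are constructed for the demonstration; a real deployment keeps the key on offline or read-only media.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key for the demonstration. In practice this lives on offline or
# read-only media so that a compromised host cannot re-sign a doctored database.
SIGNING_KEY = b"example-offline-signing-key"


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(entries, key):
    # Canonical JSON so the signature does not depend on dict ordering.
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Hash every regular file under root and sign the resulting table."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[str(p.relative_to(root))] = hash_file(p)
    return {"entries": entries, "sig": _sign(entries, key)}


def verify_baseline_signature(baseline, key):
    """True only if the entries table still carries a valid HMAC under key."""
    return hmac.compare_digest(_sign(baseline["entries"], key), baseline["sig"])


def check(root, baseline, key):
    """Compare the tree under root against a baseline; reject unsigned/edited baselines."""
    if not verify_baseline_signature(baseline, key):
        raise ValueError("baseline database signature invalid: do not trust it")
    root = Path(root)
    current = {
        str(p.relative_to(root)): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }
    old = baseline["entries"]
    return {
        "changed": sorted(f for f in old if f in current and current[f] != old[f]),
        "missing": sorted(f for f in old if f not in current),
        "added": sorted(f for f in current if f not in old),
    }


def demo():
    """Constructed scenario: baseline a tree, persist a back door via config, edit the database."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "inittab").write_bytes(b"id:3:initdefault:\n")

        baseline = build_baseline(root, SIGNING_KEY)
        clean = check(root, baseline, SIGNING_KEY)

        # Binaries untouched, but persistence requires a config change plus a new file:
        # exactly the forensic trail the reply describes.
        (root / "etc" / "inittab").write_bytes(b"id:3:initdefault:\nbd:3:respawn:/tmp/.x\n")
        (root / "etc" / "ld.so.preload").write_bytes(b"/tmp/.x.so\n")
        dirty = check(root, baseline, SIGNING_KEY)

        # Covering tracks by editing the database fails without the offline key.
        tampered = json.loads(json.dumps(baseline))
        tampered["entries"]["etc/inittab"] = hash_file(root / "etc" / "inittab")
        try:
            check(root, tampered, SIGNING_KEY)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return clean, dirty, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The caveat from the thread still applies: this checker reads files through the running kernel, so on a host with a kernel-level rootkit the hashes it sees can be whatever the rootkit chooses to show. Running it from known-good boot media against the mounted disk is what makes the comparison meaningful.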
