| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Absender Paul de Vrieze: |
| 5 |
> |
| 6 |
> On Sunday 04 April 2004 18:11, Tobias Weisserth wrote: |
| 7 |
> > That's why I wrote a *good* Tripwire setup :-) |
| 8 |
> > |
| 9 |
> > How should a root kit fool my Tripwire setup if the necessary binaries |
| 10 |
> > and the database are on a mounted CD? :-) This is *extremely* unlikely |
| 11 |
> > and probably demands a *very* difficult attack approach. |
| 12 |
> > |
| 13 |
> > I'm doing the same with chkrootkit. Write protected media can't be |
| 14 |
> > fooled :-) |
| 15 |
> |
| 16 |
> Given that you actually boot from that write protected medium, and that |
| 17 |
> you can trust your bios. |
| 18 |
|
| 19 |
He just meant tripwire-binaries and its database, I guess. Putting that on |
| 20 |
ro-media, is a common way to go without saying. But a LKM-Rootkit does not |
| 21 |
even need to compromise tripwire-bins nor its db. |
| 22 |
|
| 23 |
It's something, you can't prevent with tripwire only, and requires |
| 24 |
additional care. |
| 25 |
|
| 26 |
Apart from that the discussion starts about "getting hacked". You might |
| 27 |
notice that in your daily-emailed tripwire-report only, if the attacker |
| 28 |
is fair enough to not umount your cdroms or just stop cron ;) scnr |
| 29 |
|
| 30 |
- -> http://www.google.com |
| 31 |
|
| 32 |
- -- |
| 33 |
0x87D205F6 hkp://pgp.mit.edu #198379 http://counter.li.org |
| 34 |
You can't prove it won't happen... |
| 35 |
-----BEGIN PGP SIGNATURE----- |
| 36 |
Version: GnuPG v1.2.3 (GNU/Linux) |
| 37 |
|
| 38 |
iD8DBQFAcFCCDNpc/4fSBfYRAiPlAKCY4IEo077ciTWhU+C4D3BEcyubCACgpMBx |
| 39 |
cgJJEhvInAEiHU0DEF/oDTQ= |
| 40 |
=hVk3 |
| 41 |
-----END PGP SIGNATURE----- |
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-security@g.o mailing list |
Archives