-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sender Paul de Vrieze:
>
> On Sunday 04 April 2004 18:11, Tobias Weisserth wrote:
> > That's why I wrote a *good* Tripwire setup :-)
> >
> > How should a root kit fool my Tripwire setup if the necessary binaries
> > and the database are on a mounted CD? :-) This is *extremely* unlikely
> > and probably demands a *very* difficult attack approach.
> >
> > I'm doing the same with chkrootkit. Write protected media can't be
> > fooled :-)
>
> Given that you actually boot from that write protected medium, and that
> you can trust your bios.

He just meant tripwire-binaries and its database, I guess. Putting that on
ro-media is a common way to go without saying. But an LKM-Rootkit does not
even need to compromise tripwire-bins or its db.

It's something you can't prevent with tripwire only, and it requires
additional care.

Apart from that, the discussion starts about "getting hacked". You might
notice that in your daily-emailed tripwire-report only if the attacker
is fair enough to not umount your cdroms or just stop cron ;) scnr

- -> http://www.google.com

- --
0x87D205F6 hkp://pgp.mit.edu #198379 http://counter.li.org
You can't prove it won't happen...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAcFCCDNpc/4fSBfYRAiPlAKCY4IEo077ciTWhU+C4D3BEcyubCACgpMBx
cgJJEhvInAEiHU0DEF/oDTQ=
=hVk3
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
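
The reply's last point, that the daily report only helps while cron still runs and the CD is still mounted, is usually covered by a dead-man's switch on a separate host that treats a missing report as an alarm. The following is an added example, not code from the thread or from Tripwire; the 26-hour window, the `/mnt/cdrom` mount point, the host names and the `media_ok` flag are assumptions.

```python
from datetime import datetime, timedelta

MAX_AGE = timedelta(hours=26)  # daily report plus slack (assumed policy)
MEDIA_MOUNT = "/mnt/cdrom"     # assumed mount point of the read-only media


def media_is_readonly(proc_mounts, mount_point=MEDIA_MOUNT):
    """True only if mount_point appears in /proc/mounts-style text with option 'ro'."""
    readonly = False
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            readonly = "ro" in fields[3].split(",")  # last entry is the visible mount
    return readonly


def check_hosts(expected, last_report, now):
    """Return {host: reason} for each expected host that needs attention.

    last_report maps host -> (time of newest report, media_ok flag sent with it).
    Silence counts as an alarm: a missing or stale report is flagged.
    """
    findings = {}
    for host in expected:
        entry = last_report.get(host)
        if entry is None:
            findings[host] = "no report ever received"
            continue
        seen, media_ok = entry
        if now - seen > MAX_AGE:
            findings[host] = f"report overdue by {now - seen - MAX_AGE}"
        elif not media_ok:
            findings[host] = "read-only media not mounted as expected"
    return findings


# Constructed sample data, not taken from the thread.
SAMPLE_MOUNTS = "/dev/hda3 / ext3 rw,noatime 0 0\n/dev/cdrom /mnt/cdrom iso9660 ro 0 0\n"
NOW = datetime(2004, 4, 5, 9, 0)
REPORTS = {
    "web1": (datetime(2004, 4, 5, 4, 0), True),
    "db1": (datetime(2004, 4, 3, 4, 0), True),     # cron stopped: last report is two days old
    "mail1": (datetime(2004, 4, 5, 4, 0), False),  # CD no longer mounted read-only
}

if __name__ == "__main__":
    print("media ok:", media_is_readonly(SAMPLE_MOUNTS))
    for host, reason in check_hosts(["web1", "db1", "mail1", "ns1"], REPORTS, NOW).items():
        print(host, "->", reason)
```

Both the report and the mount flag originate on the monitored host, so a kernel-level rootkit can still falsify them; the monitor only removes the case where reports silently stop.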