| 1 |
Andrea Barisani wrote: |
| 2 |
> On Thu, Mar 25, 2004 at 09:16:05PM +0100, Michel Wilson wrote: |
| 3 |
> |
| 4 |
>>On Thu, Mar 25, 2004 at 02:03:45PM -0600, Andrew Gaffney wrote: |
| 5 |
>> |
| 6 |
>>>Tom Hosiawa wrote: |
| 7 |
>>> |
| 8 |
>>>>What about qpkq being compromised itself. As I understand it, in |
| 9 |
>>>>tripwire, cryptographic keys are used for the policy file. |
| 10 |
>>>> |
| 11 |
>>>>Couldn't an attacker mess around with which files qpkq scans? |
| 12 |
>>> |
| 13 |
>>>That's another good reason for a customer portage-integrated solution. |
| 14 |
>>> |
| 15 |
>> |
| 16 |
>>Oh yeah, that's a little 'detail' I forgot, yes :P |
| 17 |
>>The integrity scanner itself can indeed be compromised. There isn't much |
| 18 |
>>we can do about this, it's a chicken-and-egg problem. One solution would |
| 19 |
>>be a read-only medium to store the scanner on, or a copy of gpg + the |
| 20 |
>>signature of the scanner. But that is kind of problematic. And what |
| 21 |
>>about an attacker that installs a rootkit so that the scanned files |
| 22 |
>>appear to be intact when opened by the scanner, but not when opened by |
| 23 |
>>the kernel? |
| 24 |
>>To make a long story short, one can never be sure. My opinion is that |
| 25 |
>>something along the lines of Tripwire is secure enough in most cases. |
| 26 |
>>Tripwire can also be fooled by replacing the binary itself. If the |
| 27 |
>>attacker does it right, no-one will notice. I.e. same file size, only skip |
| 28 |
>>scanning files that are compromised so that there will still be false |
| 29 |
>>alerts upon upgrades, etc. |
| 30 |
>> |
| 31 |
>>Michel Wilson. |
| 32 |
> |
| 33 |
> |
| 34 |
> I suggest that you look at samhain: |
| 35 |
> |
| 36 |
> http://la-samhna.de/samhain |
| 37 |
> |
| 38 |
> It's an excellent file integrity and host-based intrusion detection system |
| 39 |
> with advanced features that solves the "chicken-and-egg" problem along with |
| 40 |
> other cool gizmos :). |
| 41 |
|
| 42 |
From the site: |
| 43 |
|
| 44 |
Support for a stealth mode of operation |
| 45 |
|
| 46 |
Is there a way to make a process not show up in 'ps' output? |
| 47 |
|
| 48 |
-- |
| 49 |
Andrew Gaffney |
| 50 |
Network Administrator |
| 51 |
Skyline Aeronautics, LLC. |
| 52 |
636-357-1548 |
| 53 |
|
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-security@g.o mailing list |
Archives