Andrea Barisani wrote:
> On Thu, Mar 25, 2004 at 09:16:05PM +0100, Michel Wilson wrote:
>
>>On Thu, Mar 25, 2004 at 02:03:45PM -0600, Andrew Gaffney wrote:
>>
>>>Tom Hosiawa wrote:
>>>
>>>>What about qpkq being compromised itself. As I understand it, in
>>>>tripwire, cryptographic keys are used for the policy file.
>>>>
>>>>Couldn't an attacker mess around with which files qpkq scans?
>>>
>>>That's another good reason for a custom portage-integrated solution.
>>>
>>
>>Oh yeah, that's a little 'detail' I forgot, yes :P
>>The integrity scanner itself can indeed be compromised. There isn't much
>>we can do about this, it's a chicken-and-egg problem. One solution would
>>be a read-only medium to store the scanner on, or a copy of gpg + the
>>signature of the scanner. But that is kind of problematic. And what
>>about an attacker that installs a rootkit so that the scanned files
>>appear to be intact when opened by the scanner, but not when opened by
>>the kernel?
>>To make a long story short, one can never be sure. My opinion is that
>>something along the lines of Tripwire is secure enough in most cases.
>>Tripwire can also be fooled by replacing the binary itself. If the
>>attacker does it right, no-one will notice. I.e. same file size, only skip
>>scanning files that are compromised so that there will still be false
>>alerts upon upgrades, etc.
>>
>>Michel Wilson.
>
>
> I suggest that you look at samhain:
>
> http://la-samhna.de/samhain
>
> It's an excellent file integrity and host-based intrusion detection system
> with advanced features that solve the "chicken-and-egg" problem along with
> other cool gizmos :).

From the site:

Support for a stealth mode of operation

Is there a way to make a process not show up in 'ps' output?

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548
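Tom's concern about an attacker editing which files the scanner looks at, and the mention that Tripwire keys its policy file, can be illustrated with a small Tripwire-style checker. This is an added example, not code from this thread, from Tripwire or from samhain: the policy and the hash baseline are stored as one HMAC-authenticated document, so a policy edit made without the key is rejected instead of silently narrowing the scan. The key value, file names and contents are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(policy, key):
    """Policy (which files to scan) plus their hashes, serialised
    deterministically and authenticated with an HMAC under `key`."""
    db = {"policy": sorted(policy), "hashes": {p: hash_file(p) for p in policy}}
    body = json.dumps(db, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()

def verify(body, tag, key):
    """True only if the baseline (including its policy) is unmodified."""
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)

def check(body, tag, key):
    """Refuse a tampered baseline, else return changed or missing paths."""
    if not verify(body, tag, key):
        raise ValueError("baseline or policy tampered: HMAC mismatch")
    db = json.loads(body)
    return [p for p in db["policy"]
            if not os.path.exists(p) or hash_file(p) != db["hashes"][p]]

def demo():
    """Constructed scenario: two fake binaries, one later replaced, and an
    attempt to edit the policy so the replaced file is no longer scanned."""
    d = tempfile.mkdtemp()
    paths = []
    for name, content in (("ls", b"original ls"), ("ps", b"original ps")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    key = b"constructed-demo-key"  # real use: key on read-only/offline media
    body, tag = build_baseline(paths, key)
    clean = check(body, tag, key)                 # [] : nothing changed yet
    with open(paths[1], "wb") as f:               # ps gets replaced
        f.write(b"replaced ps")
    changed = check(body, tag, key)               # [<tmpdir>/ps]
    db = json.loads(body)                         # policy edited without the key
    db["policy"].remove(paths[1])
    forged = json.dumps(db, sort_keys=True).encode()
    return clean == [], changed == [paths[1]], not verify(forged, tag, key)
```

As Michel's message points out, this does nothing if the checker itself is replaced; the key, and ideally the checker, belong on a medium the attacker cannot write.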


--
gentoo-security@g.o mailing list