[2191] in linux-security and linux-alert archive
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
daemon@ATHENA.MIT.EDU (macker)
Sat Jul 31 04:45:22 1999
Date: Sat, 31 Jul 1999 00:59:43 -0700 (PDT)
From: macker <macker@netmagic.net>
To: Crispin Cowan <crispin@cse.ogi.edu>
cc: linux-security@redhat.com
In-Reply-To: <37A2513D.87A23258@cse.ogi.edu>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Sat, 31 Jul 1999, Crispin Cowan wrote:
> John Summerfield wrote:
>
> > Without an audit trail, how would you know?
> >
> > Some versions of BIND had a bug allowed hackers root access. Other than
> > BIND mysteriously crashing, you'd never know it happened. Someone could
> > have made of with a copy of some sensitive information without you every
> > knowing it had been accessed: with an audit trail, you might at least
> > discover it had been read by someone who shouldn't.
>
> While it is true that you need *some* kind of host-based intrusion detection to
> know that your host has been secure, it is not true that you need Orange Book
> Auditing[tm] to do intrusion detection. Counter-example: if you used Tripwire
> to periodically check the integrity of your host, then you could detect
> intrusions without Orange Book style auditing.
>
> Caveat: I mean use Tripwire *properly*. Don't bother whining about the myriad
> ways it can be used improperly, that's not the point :-)
>
> Crispin
[snip]
Tripwire, while very useful, can detect a *changed* filed that's being
monitored, how would it detect a passive intrusion? Most buffer
overflows, the bind remote exploit being no exception, simply spawn a
setuid root shell. This is one that's running, not one in /tmp or
otherwise. In fact, no files would be created or modified (that i'm aware
of).
Now, if someone tried to backdoor the system, then tripwire (as well as a
check using find for setuid bins) would be quite effective...
Judging by the "new mail" indicator, I think John is about to say
something to the effect of what i'm sending now...
*clink clink*
-macker
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
