[1092] in bugtraq
Re: snooper watchers
daemon@ATHENA.MIT.EDU (Gene Rackow)
Sat Feb 25 09:29:12 1995
To: Eiji Hirai <eiji@netmarket.com>
Cc: bugtraq@fc.net, rackow@antares.mcs.anl.gov
In-Reply-To: Your message of "Fri, 24 Feb 1995 18:53:20 EST." <199502242353.SAA02138@tannis.netmarket.com>
Date: Sat, 25 Feb 1995 07:16:05 -0600
From: Gene Rackow <rackow@mcs.anl.gov>
If I turn the paranoid mode up a notch or two here...
What is to stop someone from mounting another filesystem over the top of
your tripwire database and crontab entries? Replace the mount and df
commands to not show the new mount point. Now you continue to believe
that you are a happy camper, all safe and secure.
You really need to do a separation of the checkee from the checker.
If someone has root access on the machine, they could basically do anything that
is needed to cover their tracks.
Eiji Hirai writes:
>At Feb 24, 11:33am, Ben Taylor <bent@snm.com> tapped on the keyboard:
>: > Are you going to write a program that checks to see if root's cronjob has
>: > been modified? Probably not, and if someone has access to /dev/nit, they're
>: > going to have access to root's cronjob as well.
>:
>: I suppose if you really wanted to make sure that crontab entries couldn't
>: be changed is to put them on a write protected floppy, mounted at boot.
>
>The best thing to do is to run tripwire from a read-only device (like a
>floppy) from which you can check the integrity of any number of files,
>like crontab.
>
> ftp://coast.cs.purdue.edu/pub/COAST/Tripwire
>
>--
>Eiji Hirai
>The NetMarket Company
>eiji@netmarket.com
>
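Gene's two points above, that the checker has to be kept apart from the host it checks and that mount(8) and df(1) output is worthless once root is lost, worked through as an added example. This is not code from the bugtraq thread or from Tripwire; it is a small POSIX sh checker that records a hash baseline of a directory tree, reports CHANGED / MISSING / NEW files against it, and decides whether something is mounted over a directory by asking the kernel (st_dev of the directory versus its parent, and /proc/self/mountinfo) rather than the mount and df binaries. It assumes Linux with GNU or busybox coreutils (sha256sum, stat -c, comm, find); the /etc-like tree in its demo is constructed scratch data, not a real host. Function names (build_baseline, integrity_report, verify_baseline, mounted_over, demo) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tripwire.
# Assumes Linux with GNU or busybox coreutils (sha256sum, stat -c, comm, find).
# Meant to be kept, together with the baseline it produces, on a read-only
# medium or a separate trusted host: the checked machine must not be able to
# write either one.
export LC_ALL=C   # sort and comm must agree on collation

# build_baseline DIR OUT: record the sha256 of every regular file under DIR
# as "hash  ./relative/path", one per line, sorted by path.
build_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# integrity_report DIR BASELINE: print one line per deviation from BASELINE:
#   CHANGED path   content differs from the recorded hash
#   MISSING path   recorded file is gone
#   NEW path       file exists now but was never recorded (planted binary etc.)
# Prints nothing when the tree matches.
integrity_report() {
    dir=$1; base=$2
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"
        else
            have=$(sha256sum "$dir/$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "CHANGED $path"
        fi
    done < "$base"
    now=$(mktemp); rec=$(mktemp)
    ( cd "$dir" && find . -type f ) | sort > "$now"
    cut -d' ' -f3- "$base" | sort > "$rec"      # paths the baseline knows
    comm -13 "$rec" "$now" | sed 's/^/NEW /'    # present now, never recorded
    rm -f "$now" "$rec"
}

# verify_baseline DIR BASELINE: exit 0 only if integrity_report is empty.
verify_baseline() {
    [ -z "$(integrity_report "$1" "$2")" ]
}

# mounted_over DIR: exit 0 if some filesystem is mounted on DIR.
# Asks the kernel directly instead of running mount(8) or df(1), both of
# which the attacker in the thread has already replaced.
mounted_over() {
    dir=$(cd "$1" && pwd -P) || return 2
    # a mount of any other filesystem gives DIR a different st_dev than its parent
    if [ "$(stat -c %d "$dir")" != "$(stat -c %d "$dir/..")" ]; then
        return 0
    fi
    # a bind mount from the same filesystem keeps st_dev, but the kernel's own
    # mount table (field 5 is the mount point) still lists it
    [ -r /proc/self/mountinfo ] &&
        awk -v d="$dir" '$5 == d { found = 1 } END { exit !found }' /proc/self/mountinfo
}

# demo: a constructed scratch tree (not real host data) standing in for /etc,
# checked once clean and again after the cron job is edited, a file is planted
# and the database is removed.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc/cron.d"
    printf '0 2 * * * root /usr/local/bin/tripwire\n' > "$scratch/etc/cron.d/tripwire"
    printf 'stand-in for the tripwire database\n' > "$scratch/etc/tw.db"
    build_baseline "$scratch/etc" "$scratch/baseline"   # lives off-host in real use
    verify_baseline "$scratch/etc" "$scratch/baseline" && echo "clean tree: OK"
    printf '# harmless-looking edit\n' >> "$scratch/etc/cron.d/tripwire"
    printf '/lib/libhide.so\n' > "$scratch/etc/planted"
    rm "$scratch/etc/tw.db"
    integrity_report "$scratch/etc" "$scratch/baseline"
    mounted_over "$scratch/etc" && echo "something is mounted over $scratch/etc"
    rm -rf "$scratch"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh checker.sh demo`. The caveat Gene raises still applies in full: this script calls the host's find, sha256sum and stat, and it trusts the host's kernel for st_dev and /proc, so on a box where root is already gone those too must come from the read-only medium (statically linked) and the kernel has to be assumed honest. Real separation of checker from checkee means running the check from another machine against the exported or imaged disk, with the baseline stored where the checked host cannot write.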