[1100] in bugtraq
Re: snooper watchers
daemon@ATHENA.MIT.EDU (Darren Reed)
Sat Feb 25 21:17:51 1995
From: Darren Reed <avalon@coombs.anu.edu.au>
To: newsham@aloha.net (Timothy Newsham)
Date: Sun, 26 Feb 1995 12:27:30 +1100 (EDT)
Cc: rackow@mcs.anl.gov, eiji@netmarket.com, bugtraq@fc.net,
rackow@antares.mcs.anl.gov
In-Reply-To: <m0riUFF-000uJkC@hookomo> from "Timothy Newsham" at Feb 25, 95 11:41:44 am
[...]
> Btw an easier attack is to just modify the script that regularly runs
> tripwire, usually run from cron.
>
> > You really need to do a separation of the checkee from the checkor.
> > If someone has root access on the machine, they could basically do anything
> > that is needed to cover their tracks.
>
> This is why manual checks should still be done, but this is not why
> automatic checking should be given up.
>
> Tim N.

Something I was thinking of, what if you have two hosts, which don't
trust each other in any way, set them up to use a network filesystem
of sorts and run tripwire on the "other" host. So for host A, tripwire
would run on host B and for host B, tripwire would run on host A.

darren
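
The cross-host arrangement proposed in the message above, sketched as an added example that is not part of the original post and is not Tripwire's code: host B hashes host A's tree through a mount and keeps the baseline on its own disk, so a change to the cron script on A shows up as a changed file instead of silencing the check. The function names, the JSON baseline format and the sample paths are assumptions made for illustration.

```python
import hashlib, json, os, stat, tempfile

def snapshot(mount_root):
    """Map each regular file under mount_root to [mode, size, sha256]."""
    snap = {}
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, mount_root).replace(os.sep, "/")
            snap[rel] = [stat.S_IMODE(st.st_mode), st.st_size, digest.hexdigest()]
    return snap

def save_baseline(mount_root, baseline_path):
    """Record the known-good state; baseline_path must be on the checking host."""
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(mount_root), fh, sort_keys=True)

def compare(mount_root, baseline_path):
    """Return paths added, removed or changed since the baseline was taken."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = snapshot(mount_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed sample: temp dirs stand in for host A's export and host B's disk."""
    with tempfile.TemporaryDirectory() as host_a, tempfile.TemporaryDirectory() as host_b:
        os.makedirs(os.path.join(host_a, "etc"))
        cron_script = os.path.join(host_a, "etc", "run_check.sh")  # constructed path
        with open(cron_script, "w") as fh:
            fh.write("#!/bin/sh\n/usr/local/bin/check\n")
        baseline = os.path.join(host_b, "host_a.json")  # lives on B, not on A
        save_baseline(host_a, baseline)
        with open(cron_script, "w") as fh:  # the script modification from the quoted text
            fh.write("#!/bin/sh\nexit 0\n")
        return compare(host_a, baseline)

if __name__ == "__main__":
    print(demo())
```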