[1114] in bugtraq
Re: snooper watchers
daemon@ATHENA.MIT.EDU (Timothy Jones)
Mon Feb 27 00:24:55 1995
To: bugtraq@crimelab.com
In-Reply-To: Your message of "Sat, 25 Feb 1995 07:16:05 CST."
Date: Sun, 26 Feb 1995 23:33:44 -0500
From: Timothy Jones <tim@cs.columbia.edu>
Has anyone built a system sharing a dual-ported disk between the server
(checkee) and another machine that runs something like tripwire (checker)?
Obviously, the checker shouldn't be attached to the 'net...
Tim
Gene Rackow writes:
> If I turn the paranoid mode up a notch or two here..
> What is to stop someone from mounting another filesystem over the top of
> your tripwire database and crontab entries. Replace the mount and df
> commands to not show the new mount point. Now you continue to believe
> that you are a happy camper, all safe and secure.
>
> You really need to do a separation of the checkee from the checker.
> If someone has root access on the machine, they could basically do anything that
> is needed to cover their tracks.
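
The overmount scenario in the quoted message, as an added example that is not part of either poster's text: instead of trusting `mount` or `df` output, a checker on a present-day Linux host can parse the kernel mount table (`/proc/self/mountinfo` format) and compare what actually backs each protected path against a recorded baseline. The sample table, the protected paths and the baseline values are constructed assumptions; run on the checkee itself, the check remains exposed to the root-level tampering the thread describes.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from a real host):
# a tmpfs covers the Tripwire database and a bind mount covers the crontabs.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 0:20 / /proc rw,nosuid - proc proc rw
23 21 8:2 / /var rw,relatime - ext4 /dev/sda2 rw
40 23 0:45 / /var/lib/tripwire rw,relatime - tmpfs tmpfs rw
41 23 8:2 /tmp/x /var/spool/cron rw,relatime - ext4 /dev/sda2 rw
"""

# Assumed baseline: protected path -> (mount point, source, root within source).
BASELINE = ("/var", "/dev/sda2", "/")
EXPECTED = {p: BASELINE for p in ("/var/lib/tripwire", "/var/spool/cron", "/var/log")}

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    mounts = []
    for line in filter(str.strip, text.splitlines()):
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        f, r = left.split(), right.split()
        mp, root = _unescape(f[4]), _unescape(f[3])
        mounts.append({"id": f[0], "parent": f[1], "mountpoint": mp,
                       "backing": (mp, r[1], root)})
    return mounts

def _covers(mountpoint, path):
    return path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")

def backing_mount(mounts, path):
    """Descend the parent/child mount tree the way path lookup crosses mounts."""
    ids = {m["id"] for m in mounts}
    cur = next(m for m in mounts if m["mountpoint"] == "/" and m["parent"] not in ids)
    while True:
        kids = [m for m in mounts if m["parent"] == cur["id"] and _covers(m["mountpoint"], path)]
        if not kids:
            return cur
        cur = min(kids, key=lambda m: len(m["mountpoint"]))  # first mount crossed

def audit(mounts, expected):
    """Return (path, actual backing) for each protected path that moved."""
    found = ((p, backing_mount(mounts, p)["backing"]) for p in expected)
    return [(p, got) for p, got in found if got != expected[p]]

print(audit(parse_mountinfo(SAMPLE_MOUNTINFO), EXPECTED))
```

A bind mount from the same device is caught because the baseline records the root within the source, not only the device name.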