On Tue, Jun 30, 2009 at 10:08:25PM -0400, Tom Metro wrote:
> Dan Ritter wrote:
> > - make it easy to reset the baseline
> > - a single word alias is best
>
> What is the advantage of having that manual intervention? If you're
> busy, and don't get to manually reset the baseline before the next
> report, the deltas accumulate, and after a few days the reports become a
> useless muddled mess.
If you're in the habit of automatically updating your baseline, an
educated attacker can cover his tracks by doing it for you. I've read
(and agree with) advice from "experts" that it's a good idea to leave
some stuff modified out of the baseline. It's much harder for an
attacker to fool you by duplicating the state of the report before he
broke in if there's stuff there (and you know what it is), than if
it's empty.
> This results in changes made on day 2, 3, etc. being far less
> noticeable, which I consider to be a far more serious threat than the
> unlikely prospect that an attacker breaches your system and resets the
> baseline.
I think it greatly depends on the usage of the system, how you have
tripwire configured, and whether or not you're protecting anything
that's worth someone clueful targeting it. If you have a large number
of modifications on a daily basis, you may need to tune your config,
or if you can't reasonably reduce the noise, you may have to consider
that you need a different / another tool.
> Once you've eliminated the use of a complex passphrase that
> gets hand-typed, anyone who has gained root can circumvent the system.
> Even then, I tend to think that as long as your database is hosted on
> the system itself, the passphrase approach is more of an illusion.
Unless you write it to write-once media. This works best if you can
keep the noise down sufficiently to keep the differences manageable
over, say, a week's time. You just update the database weekly.
> you want real security, you need to bypass the target system's kernel
> and directly scan the drive using another host or a live CD.)
If you want real security, unplug your box, encase it in cement,
vacuum out the air, and drop it into the Mariana trench. One is only
slightly less practical than the other... ;-)
Tools like tripwire are great, but they are not a complete solution.
It's often not practical to monitor things like /tmp or user home
directories (though it might be in your particular environment), which
makes those excellent places for attackers to hide root kits and such.
The hope is that if an attacker installs a root kit, it actually does
something that you can detect another way... Tripwire is great for
monitoring system binaries, kernel modules, locally installed
programs, configuration files, and data that tends to be fairly static
(e.g. a lot of web content, etc.).
On the other hand, if all you're doing is reading mail from your (not
especially subversive) friends and family, and developing an IP
calculator app on your desktop, don't bother... it's not worth the
effort to set it up and maintain it. =8^)
--
Derek D. Martin
http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail due to spam prevention. Sorry for the inconvenience.
_______________________________________________
Discuss mailing list
Discuss@...
http://lists.blu.org/mailman/listinfo/discuss
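Added illustration of the baseline-management argument in the message above (the "leave some known noise in the baseline" idea and how an automatic re-baseline hides a change). This is example code written for this archive page, not part of the thread and not tripwire's own code: the directory tree, file names and the `hash_file`, `snapshot`, `diff`, `assess` and `demo` functions are all constructed here, and the scenario uses a temporary directory so it runs offline.

```python
"""Toy file-integrity check showing why a known-noisy baseline is a useful canary.

Constructed example, not tripwire code. A baseline is a map of relative path
-> SHA-256 digest. `expected_noise` is the set of paths we *know* drift every
day and deliberately never fold back into the baseline. If a report suddenly
shows none of that expected drift, the baseline itself has probably been
replaced underneath us (the "attacker resets it for you" case).
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(baseline: dict, current: dict) -> dict:
    """Classic integrity report: what appeared, vanished, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def assess(report: dict, expected_noise: set) -> dict:
    """Split the report into real findings and expected churn, and flag a too-clean report."""
    flagged = set(report["added"]) | set(report["removed"]) | set(report["changed"])
    unexpected = sorted(flagged - expected_noise)       # things nobody told us would change
    missing_noise = sorted(expected_noise - flagged)    # expected drift that is NOT showing up
    # Every known-noisy path suddenly matching the baseline is the signal that the
    # baseline was rebuilt from the current (possibly compromised) state.
    baseline_suspect = bool(expected_noise) and len(missing_noise) == len(expected_noise)
    return {
        "unexpected": unexpected,
        "missing_noise": missing_noise,
        "baseline_suspect": baseline_suspect,
    }


def demo() -> dict:
    """Constructed scenario: a known-drifting log, a replaced binary, then a silent re-baseline."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "var").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "var" / "app.log").write_bytes(b"log line 1\n")
        baseline = snapshot(root)
        noise = {"var/app.log"}  # we know this file grows daily; we never re-baseline it

        # Day 1: only the log grows. Report has noise, nothing unexpected.
        with (root / "var" / "app.log").open("ab") as f:
            f.write(b"log line 2\n")
        day1 = assess(diff(baseline, snapshot(root)), noise)

        # Day 2: the log keeps growing and bin/ls is replaced (simulated tampering).
        with (root / "var" / "app.log").open("ab") as f:
            f.write(b"log line 3\n")
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        day2 = assess(diff(baseline, snapshot(root)), noise)

        # Day 3: someone rebuilt the baseline from the current tree. The raw diff is
        # empty, which looks fine until you notice the expected noise is gone too.
        rebaselined = snapshot(root)
        day3 = assess(diff(rebaselined, snapshot(root)), noise)

    return {"day1": day1, "day2": day2, "day3": day3}


if __name__ == "__main__":
    for day, result in demo().items():
        print(day, result)
```

The useful property is in `assess`: a report that is merely empty is indistinguishable from a freshly reset baseline, but a report that is empty *and* lacks the drift you know must be there is an alert in its own right. In practice the "noise" set would be a handful of paths whose daily change you understand (a rotating log, a spool directory), exactly the "stuff there, and you know what it is" the message describes.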