[TAG] Fwd: Re: Tripwire
Barry O'Donovan
barry at ihl.ucd.ie
Wed Sep 8 14:21:22 MSD 2004
---------- Forwarded Message ----------
Subject: Re: Tripwire
Date: Tue 07 Sep 2004 21:26
From: Barry O'Donovan <barry at ihl.ucd.ie>
To: TAG <tag at lists.linuxgazette.net>
To: Greg Bell <gregbell at znet.com>
Hi Greg,
First of all, thanks for the feedback. It's always good to know someone
is reading the articles!
On Tue 07 Sep 2004 20:45, you wrote:
> Thanks for the article on tripwire in Linux Gazette. One thing that
> I've been suspicious of with tripwire is: if the hacker is "in",
> aren't there all sorts of things he can do to neuter tripwire?
To save an argument I could simply say yes... but I won't! First of
all, running tripwire (or another intrusion detection system (IDS)) is
immeasurably better than running no IDS at all.
> He
> can remove the cron/anacron job, and send you fake mail every day
> saying everything checked "OK".
That's a lot more difficult than it sounds. First of all, he'd need to
know what the usual "all is okay e-mail" looks like for YOUR system.
When you're running tripwire and checking the e-mails you'll get used
to seeing and recognising a lot of numbers such as the total objects
scanned, etc. If you're sending these daily e-mails to another server
then he won't have access to an existing report and he won't be able to
view the saved report files in /var/lib/tripwire without your
passphrase.
Secondly whether you're running tripwire on a server or a desktop
machine, you're liable to have to update at least one package at least
once a week. When you do this you'll expect a problem from tripwire and
if he's sending fake e-mails you'll start to question whether tripwire
is working or not.
> he can replace the tripwire binary
Tripwire checks itself too! The stats for the tripwire binary will
reside in the database which an intruder cannot change unless he has
your local passphrase. I suppose an intruder could replace the binary
with one that's programmed to not check itself but if you're really
this paranoid you can put the binary on a remote HTTP server and have
your cronjob download it with wget before checking.
Some servers will mount /usr as read-only to increase access speeds and
security. This would help out here too.
> itself. He can update the database (especially if it's on a CD-RW
> like you suggest).
Firstly, he can't. He'll have to have your local passphrase to do this.
Secondly - I never said leave the CD-RW in a CD-RW drive. I said "a
re-writable CD in a CD-ROM drive (read-only drive)." i.e. only place
the CD in the CD-RW drive when updating, then put it back in the CD-ROM
drive.
The bottom line is that tripwire will probably catch an intruder 99 out
of 100 times. If not more. You'll NEVER be 100% secure. That's just a
simple fact of life. But you can strive to be as secure as possible and
using tripwire will be a huge help here.
Would you have any objections if I forwarded your e-mail and my
response onto TAG (The Answer Gang)? Heather and the other editors use
material from TAG to put together the one-cent tips, mailbag, etc.
It's perfectly fine to say no.
Thanks again for the feedback,
Barry O'Donovan
--
Regards,
Barry O'Donovan
http://www.ihl.ucd.ie/
Information Hiding Laboratory,
Department of Computer Science,
University College Dublin,
Belfield, Dublin 4, Ireland
Registered Linux User: #189413
(GPG Key: http://www.ihl.ucd.ie/~barry/key/public_key.asc )
-------------------------------------------------------
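The point Barry makes about the database ("he can't, he'll have to have your local passphrase") is the core of why a host integrity checker survives an intruder who can already write to the filesystem. The following is an added example written for this archive page; it is not code from the thread, from Linux Gazette, or from Tripwire itself. It builds a small Tripwire-style database of file hashes, binds it to a key derived from a local passphrase, and shows three outcomes: a clean check, a trojaned binary being reported as modified, and a database edited by the intruder without the passphrase being rejected outright rather than accepted. Real Tripwire signs its database with site and local keys; the PBKDF2-derived HMAC here stands in for that scheme to illustrate the same property. The sample file tree, the passphrase, and the function names (scan_tree, sign_database, check, demo) are all constructed for this example. What the example does not cover is the other half of Barry's advice: if the intruder can replace the checking binary or its cron job, the database's integrity does not help, which is why he suggests fetching the binary from elsewhere and keeping the database on read-only media.

```python
"""Minimal Tripwire-style integrity database bound to a local passphrase.

Added example, not Tripwire's own code. The HMAC keyed from a
PBKDF2-derived key stands in for Tripwire's site/local key signatures.
"""
import hashlib
import hmac
import json
import os
import tempfile

KDF_ITERATIONS = 100_000
KDF_SALT = b"example-local-key-salt"  # constructed; a real tool stores a random salt with the key file


def derive_local_key(passphrase: str) -> bytes:
    """Turn the local passphrase into the key that authenticates the database."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), KDF_SALT, KDF_ITERATIONS)


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = file_digest(full)
    return records


def sign_database(records: dict, passphrase: str) -> dict:
    """Attach a MAC over the canonical JSON of the records; needs the passphrase."""
    payload = json.dumps(records, sort_keys=True).encode("utf-8")
    mac = hmac.new(derive_local_key(passphrase), payload, "sha256").hexdigest()
    return {"objects": records, "mac": mac}


class TamperedDatabase(Exception):
    """The database MAC does not verify: it was altered without the passphrase."""


def check(root: str, database: dict, passphrase: str) -> dict:
    """Verify the database MAC first, then diff the live tree against it."""
    payload = json.dumps(database["objects"], sort_keys=True).encode("utf-8")
    expected = hmac.new(derive_local_key(passphrase), payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, database["mac"]):
        raise TamperedDatabase("database MAC mismatch")
    baseline = database["objects"]
    current = scan_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: clean check, trojaned binary, forged database, admin re-sign."""
    passphrase = "correct horse battery staple"  # constructed
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        with open(os.path.join(root, "etc", "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")

        db = sign_database(scan_tree(root), passphrase)
        clean = check(root, db, passphrase)

        # Intruder replaces bin/ls with a trojaned copy: reported as modified.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\n# trojan\nexec /usr/bin/ls \"$@\"\n")
        after_trojan = check(root, db, passphrase)

        # Intruder edits the database to match the trojan but has no passphrase,
        # so the old MAC no longer covers the new contents and the check refuses it.
        forged = {"objects": dict(db["objects"]), "mac": db["mac"]}
        forged["objects"]["bin/ls"] = file_digest(os.path.join(root, "bin", "ls"))
        try:
            check(root, forged, passphrase)
            forged_accepted = True
        except TamperedDatabase:
            forged_accepted = False

        # The admin, who knows the passphrase, re-signs after a legitimate upgrade.
        resigned = sign_database(scan_tree(root), passphrase)
        after_resign = check(root, resigned, passphrase)

    return {
        "clean": clean,
        "after_trojan": after_trojan,
        "forged_accepted": forged_accepted,
        "after_resign": after_resign,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the four results. The design choice worth noting is the order inside check(): the MAC is verified before any file is compared, so a database that has been touched without the passphrase produces a hard failure instead of a quiet "all OK" report, which is exactly the fake-mail scenario Greg worried about.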