On Tue, Jun 30, 2009 at 10:08:25PM -0400, Tom Metro wrote:
> Dan Ritter wrote:
> > - make it easy to reset the baseline
> > - a single word alias is best
>
> What is the advantage of having that manual intervention? If you're
> busy, and don't get to manually reset the baseline before the next
> report, the deltas accumulate, and after a few days the reports become a
> useless muddled mess.

If you're in the habit of automatically updating your baseline, an
educated attacker can cover his tracks by doing it for you. I've read
(and agree with) advice from "experts" that it's a good idea to leave
some stuff modified out of the baseline. It's much harder for an
attacker to fool you by duplicating the state of the report before he
broke in if there's stuff there (and you know what it is), than if it's
empty.

> This results in changes made on day 2, 3, etc. being far less
> noticeable, which I consider to be a far more serious threat than the
> unlikely prospect that an attacker breaches your system and resets the
> baseline.

I think it greatly depends on the usage of the system, how you have
tripwire configured, and whether or not you're protecting anything
that's worth someone clueful targeting. If you have a large number of
modifications on a daily basis, you may need to tune your config, or if
you can't reasonably reduce the noise, you may have to consider that you
need a different / another tool.

> Once you've eliminated the use of a complex passphrase that
> gets hand-typed, anyone who has gained root can circumvent the system.
> Even then, I tend to think that as long as your database is hosted on
> the system itself, the passphrase approach is more of an illusion.

Unless you write it to write-once media. This works best if you can
keep the noise down sufficiently to keep the differences manageable
over, say, a week's time. You just update the database weekly.

> you want real security, you need to bypass the target system's kernel
> and directly scan the drive using another host or a live CD.)

If you want real security, unplug your box, encase it in cement, vacuum
out the air, and drop it into the Mariana Trench. One is only slightly
less practical than the other... ;-)

Tools like tripwire are great, but they are not a complete solution.
It's often not practical to monitor things like /tmp or user home
directories (though it might be in your particular environment), which
makes those excellent places for attackers to hide root kits and such.
The hope is that if an attacker installs a root kit, it actually does
something that you can detect another way...

Tripwire is great for monitoring system binaries, kernel modules,
locally installed programs, configuration files, and data that tends to
be fairly static (e.g. a lot of web content, etc.).

On the other hand, if all you're doing is reading mail from your (not
especially subversive) friends and family, and developing an ip
calculator app on your desktop, don't bother... it's not worth the
effort to set it up and maintain it. =8^)

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail due to spam prevention. Sorry for the
inconvenience.
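Two of the habits argued for above (leaving a known change out of the baseline so an empty report is itself suspicious, and keeping the integrity database from being quietly regenerated on the host) can be shown in a few dozen lines. The following is an added toy example, not tripwire's code and not anything Derek Martin posted: the directory tree, file contents and the "off-host" HMAC key are all constructed here, and the MAC stands in for whatever write-once media or hand-typed passphrase you actually use to protect the database.

```python
#!/usr/bin/env python3
"""Toy file-integrity checker illustrating the mailing-list discussion.

Added example; constructed data throughout. Not tripwire, not the poster's code.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 of contents for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(baseline, key):
    """Serialise the baseline and attach an HMAC.

    The key is assumed to live off the monitored host (or be typed in by hand),
    which is the only reason the MAC means anything once root is lost."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"body": body.decode(), "mac": hmac.new(key, body, "sha256").hexdigest()}


def open_sealed(sealed, key):
    """Verify the MAC before trusting the database; refuse a replaced/edited one."""
    body = sealed["body"].encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline MAC mismatch: database was replaced or edited")
    return json.loads(body)


def report(baseline, current, expected_changes):
    """Return (changed, added, removed, missing_canaries).

    expected_changes are files you know differ from the baseline and have
    deliberately not reset. If one of them stops showing up as changed, the
    baseline was regenerated (or the file restored) without your knowledge."""
    changed = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    missing = sorted(f for f in expected_changes if f not in changed)
    return changed, added, removed, missing


def demo():
    """Walk the thread's scenario on a constructed tree; returns results for checking."""
    key = b"off-host-passphrase-example"  # assumption: not stored on the box
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/ls": b"ELF...ls", "etc/passwd": b"root:x:0:0\n",
                          "etc/motd": b"welcome\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        sealed = seal(hash_tree(root), key)

        # Admin deliberately edits motd after baselining and leaves it that way:
        # a canary that must appear in every honest report.
        (root / "etc/motd").write_bytes(b"welcome, and mind the canary\n")
        canaries = ["etc/motd"]

        # Attacker trojans a system binary.
        (root / "bin/ls").write_bytes(b"ELF...ls+rootkit")
        changed, _, _, missing = report(open_sealed(sealed, key), hash_tree(root), canaries)

        # Attacker re-baselines to cover tracks. With an unprotected database the
        # report goes quiet, but the canary vanishes with it.
        reset_baseline = hash_tree(root)
        _, _, _, missing_after_reset = report(reset_baseline, hash_tree(root), canaries)

        # Attacker forges a sealed database with a guessed key: rejected.
        forged = seal(reset_baseline, b"guess")
        try:
            open_sealed(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True

    return {"changed": changed, "missing_canaries": missing,
            "missing_after_reset": missing_after_reset,
            "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the first report lists both bin/ls and etc/motd with no missing canaries; the attacker's regenerated baseline produces an empty change list, which is exactly the "too quiet" signal the canary exists to catch; and the forged database fails the MAC check. Real deployments get the same effect from tripwire's signed database kept on read-only or write-once media and a handful of files you consciously never re-baseline.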