On Fri, 19 Oct 2001, Ralf Hildebrandt wrote:

> Well, one has to walk over and put in the floppy with the DB, then check it.

Do you do this every day? Or do you wait for something in the logs to clue you in that something might be up?

Tripwire is really only useful (above standard log reviewing) if you keep the executables and the DB on removable (or read-only) media. Which includes its own operating system (you don't want a trojaned kernel, right?). And it would require a reboot for every check, since tripwire only checks the persistent state of the machine; you want to make sure there are no evil kernel modules loaded, either that you fail to check for, or that are obscuring tripwire data.

Perhaps I'm overstating my case... but my point is that rigorously using tripwire can be a royal pain in the ass. Using it in a non-rigorous fashion can leave some holes open (however unlikely). Reviewing reasonably secured logs along with daily (non-rigorous) tripwire checks increases the likelihood that an attacker will fail to hide his presence.

I'd rather have both as rigorous as possible without putting too much burden on the sysadmin; IMHO, doing tripwire "right" is too much trouble. I'd rather have the logging provide an additional, independent check from the tripwire check; if it relies on the tripwire check, then tripwire is a single point of failure.

-Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
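The tripwire-style check Jeff is describing, as an added example that is not part of the thread and not Tripwire's own code: a baseline of file hashes, modes and sizes is built, written to a stand-in "floppy" directory, and its digest is recorded separately (the digest stands in for the copy you keep off the host, on paper or read-only media). A later check reports added, removed and modified files, and a rewritten baseline database is refused because its digest no longer matches. The directory layout, file contents and "attacker" edits are constructed for the demo. The caveat from the post still applies: this runs on the host being checked, so a trojaned kernel or a hostile loaded module can lie to it about file contents, which is exactly why Jeff wants logs as an independent check.

```python
"""Minimal tripwire-style file integrity check (added example, not Tripwire's code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are paths relative to root.
    Mode and size are recorded too, so a permission change alone is flagged."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": st.st_mode,
                "size": st.st_size,
            }
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Compare the live tree against a trusted baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(current) & set(baseline) if current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, db_path: Path) -> str:
    """Write the DB and return its digest; the digest is what you keep off-host."""
    db_path.parent.mkdir(parents=True, exist_ok=True)
    data = json.dumps(baseline, sort_keys=True).encode()
    db_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(db_path: Path, expected_digest: str) -> dict:
    """Refuse a DB whose digest differs from the one recorded at save time."""
    data = db_path.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline database does not match recorded digest")
    return json.loads(data)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "host"                    # the machine being checked
        db = Path(d) / "floppy" / "tripwire.db"    # stands in for removable media
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/busybox ls \"$@\"\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_bytes(b"welcome\n")
        digest = save_baseline(build_baseline(root), db)

        # Constructed "attacker" activity: replace a binary, drop a file, add one.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# trojaned\nexec /bin/busybox ls \"$@\"\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "ld.so.preload").write_bytes(b"/lib/libevil.so\n")
        return check(root, load_baseline(db, digest))


def demo_tampered_db() -> bool:
    """True if rewriting the DB to bless a trojaned binary is detected."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "tripwire.db"
        digest = save_baseline({"bin/ls": {"sha256": "00", "mode": 0o100755, "size": 2}}, db)
        db.write_bytes(json.dumps({"bin/ls": {"sha256": "ff", "mode": 0o100755, "size": 2}}).encode())
        try:
            load_baseline(db, digest)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered DB detected:", demo_tampered_db())
```

Keeping the digest off the host is the part that is easy to skip and costly to skip: without it, an attacker who can rewrite the baseline can bless his own binaries, and the daily check reports a clean system.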
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 06:42:43 PDT