[...]
> Btw an easier attack is to just modify the script that regularly runs
> tripwire, usually run from cron.
>
> > You really need to do a separation of the checkee from the checkor.
> > If someone has root access on the machine, they could basically do anything
> > that is needed to cover their tracks.
>
> This is why manual checks should still be done, but this is not why
> automatic checking should be given up.
>
> Tim N.

Something I was thinking of, what if you have two hosts, which don't trust
each other in any way, set them up to use a network filesystem of sorts and
run tripwire on the "other" host. So for host A, tripwire would run on host B
and for host B, tripwire would run on host A.

darren
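
A sketch of the cross-host arrangement proposed above, added here as an example and not part of the original thread or of Tripwire: host B hashes host A's tree through a network mount and keeps both the baseline and the checker on B. The helper names and the temporary directory standing in for the mount are assumptions, and the file contents are constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (sha256 hex, permission bits)."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = (digest, stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Report paths added, removed or changed relative to the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def put(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed tree: a temp dir stands in for host A's export mounted on host B."""
    with tempfile.TemporaryDirectory() as mount:
        put(mount, "etc/cron.daily/integrity", b"#!/bin/sh\n# runs A's check of B\n")
        put(mount, "bin/login", b"login binary\n")
        put(mount, "etc/motd", b"welcome\n")
        baseline = snapshot(mount)  # stored on host B, out of host A's reach
        put(mount, "etc/cron.daily/integrity", b"#!/bin/sh\nexit 0\n")  # script altered
        os.chmod(os.path.join(mount, "bin/login"), 0o755)  # mode change only
        os.remove(os.path.join(mount, "etc/motd"))
        put(mount, "bin/extra", b"new file\n")
        return compare(baseline, snapshot(mount))

if __name__ == "__main__":
    print(demo())
```

Host A's cron script is just another monitored file from host B's side, so altering it shows up as a change instead of silencing the check. As the quoted reply notes, root on the checked host still controls what that host serves, so the manual checks remain necessary.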