>
> > If I turn the paranoid mode up a notch or two here..
> >
> > What is to stop someone from mounting another filesystem over the top of
> > your tripwire database and crontab entries. Replace the mount and df
> > commands to not show the new mount point. Now you continue to believe
> > that you are a happy camper, all safe and secure. ...
>
> Btw an easier attack is to just modify the script that regularly runs
> tripwire, usually run from cron. ...
>
> Tim N.
>

This whole set of issues has been researched in some depth and partially
solved - partially proven unsolvable. See "Defense in Depth Against
Computer Viruses" and "Program Evolution for Operating System Security" -
both in the IFIP-TC11 Journal Computers and Security - I won't bother to
tell you who the author was - FC