Re: snooper watchers

Timothy Jones (tim@cs.columbia.edu)
Sun, 26 Feb 1995 23:33:44 -0500

Has anyone built a system sharing a dual-ported disk between the server
(checkee) and another machine that runs something like tripwire (checker)?
Obviously, the checker shouldn't be attached to the 'net...

Tim

Gene Rackow writes:
> If I turn the paranoid mode up a notch or two here..
> What is to stop someone from mounting another filesystem over the top of
> your tripwire database and crontab entries?  Replace the mount and df
> commands to not show the new mount point.  Now you continue to believe
> that you are a happy camper, all safe and secure.
> 
> You really need to do a separation of the checkee from the checkor.
> If someone has root access on the machine, they could basically do anything that
> is needed to cover their tracks.