On Sat, 31 Jul 1999, Crispin Cowan wrote:
> John Summerfield wrote:
>
> > Without an audit trail, how would you know?
> >
> > Some versions of BIND had a bug allowed hackers root access. Other than
> > BIND mysteriously crashing, you'd never know it happened. Someone could
> > have made of with a copy of some sensitive information without you every
> > knowing it had been accessed: with an audit trail, you might at least
> > discover it had been read by someone who shouldn't.
>
> While it is true that you need *some* kind of host-based intrusion detection to
> know that your host has been secure, it is not true that you need Orange Book
> Auditing[tm] to do intrusion detection. Counter-example: if you used Tripwire
> to periodically check the integrity of your host, then you could detect
> intrusions without Orange Book style auditing.
>
> Caveat: I mean use Tripwire *properly*. Don't bother whining about the myriad
> ways it can be used improperly, that's not the point :-)
>
> Crispin
[snip]
Tripwire, while very useful, can detect a *changed* filed that's being monitored, how would it detect a passive intrusion? Most buffer overflows, the bind remote exploit being no exception, simply spawn a setuid root shell. This is one that's running, not one in /tmp or otherwise. In fact, no files would be created or modified (that i'm aware of).
Now, if someone tried to backdoor the system, then tripwire (as well as a check using find for setuid bins) would be quite effective...
Judging by the "new mail" indicator, I think John is about to say something to the effect of what i'm sending now...
*clink clink*
-macker
-- ---------------------------------------------------------------------- Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. ----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe linux-security-request redhat com < /dev/null