Pantek Library

Re: security idea - bootable CD to check your system

From: Russ Allbery <rra(at)debian.org>
Date: Mon Jun 25 2007 - 11:23:21 EDT


Jim Popovitch <yahoo@jimpop.com> writes:
> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:

>> The difference is that:

>> a) These all run on the live system they are trying to protect,

> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort.... which is in
> Tripwire's best practices.

That doesn't necessarily help. It makes the attacker's task much more difficult, but it's still possible to binary-patch a running kernel in various ways to hide files from everything on the system, including tripwire.

You have to boot into a known-clean kernel in order to get a fully trustable integrity check.

-- 
Russ Allbery (rra(at)debian.org)               <http://www.eyrie.org/~eagle/>


Received on Mon Jun 25 11:24:04 2007

This archive was generated by hypermail 2.1.8 : Mon Jun 25 2007 - 11:30:03 EDT
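
The check described in the message above, sketched as an added example (not part of the original post and not Tripwire's code): a script meant to run from known-clean boot media against the installed system's root filesystem. The mount point, the JSON manifest format and the function names are assumptions made for illustration.

```python
# Added example: offline integrity check, run from known-clean boot media.
# Assumed: suspect root is mounted read-only at argv[1]; argv[2] is a JSON dump
# of snapshot() taken on a trusted install and kept on read-only media.
import hashlib
import json
import os
import stat
import sys


def hash_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each relative path under root to [mode, uid, gid, content id]."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # never follow links out of the tree
            content = "-"  # directories, devices, FIFOs: metadata only
            if stat.S_ISREG(st.st_mode):
                content = hash_file(full)
            elif stat.S_ISLNK(st.st_mode):
                content = "link:" + os.readlink(full)
            entries[os.path.relpath(full, root)] = [
                st.st_mode, st.st_uid, st.st_gid, content]
    return entries


def compare(baseline, current):
    """Return sorted (added, removed, changed) path lists."""
    # "added" includes files that a patched running kernel would have hidden
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


if __name__ == "__main__":
    root, manifest = sys.argv[1:3]
    with open(manifest) as fh:
        result = compare(json.load(fh), snapshot(root))
    for label, paths in zip(("ADDED", "REMOVED", "CHANGED"), result):
        print(label, *paths, sep="\n  ")
    sys.exit(1 if any(result) else 0)
```

Because the directory walk and the reads go through the boot media's kernel rather than the installed one, a hidden file shows up as ADDED and a replaced binary as CHANGED.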

