Jim Popovitch <[EMAIL PROTECTED]> writes:

> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
>> The difference is that:
>> a) These all run on the live system they are trying to protect,

> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort.... which is in
> Tripwire's best practices.

That doesn't necessarily help. It makes the attacker's task much more
difficult, but it's still possible to binary-patch a running kernel in
various ways to hide files from everything on the system, including
tripwire. You have to boot into a known-clean kernel in order to get a
fully trustable integrity check.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
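The check Russ describes, run from outside the system under examination, can be reduced to hashing a mounted (not running) root filesystem and diffing the result against a baseline manifest kept on read-only media. The following is an added example written for this thread, not Tripwire's code or anything from the list; the manifest format (JSON of relative path to SHA-256), the file layout and the tampering it simulates are all constructed for illustration. It records symlinks by their target rather than following them, so a redirected link shows up as a modification.

```python
"""Offline file-integrity check: hash a filesystem tree that was mounted from
a known-clean kernel (e.g. a live CD) and compare it with a baseline manifest
kept on read-only media.  Added example for this thread, not Tripwire's own
code; paths and the manifest format are assumptions."""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative path: sha256 hex digest} for every regular file under
    root.  Symlinks are recorded as 'link:<target>' instead of being followed,
    so a link that now points somewhere else is reported as modified."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order (os.walk is top-down)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
                continue
            if not os.path.isfile(full):
                continue  # devices, sockets, fifos are out of scope here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small tree, then change it the way a
    live-system checker could be blinded to, and verify from 'outside'.
    Returns the diff so the result can be checked programmatically."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "root")  # stands in for the mounted root
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary (constructed placeholder)\n")
        with open(os.path.join(root, "etc", "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "wb") as fh:
            fh.write(b"welcome\n")
        baseline_path = os.path.join(work, "baseline.json")  # would be ro media
        save_manifest(build_manifest(root), baseline_path)

        # Simulated changes to the (not running) filesystem image.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"replaced ls binary (constructed placeholder)\n")
        with open(os.path.join(root, "etc", "rc.local"), "wb") as fh:
            fh.write(b"# unexpected new file (constructed placeholder)\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare_manifests(load_manifest(baseline_path),
                                 build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use the baseline would be written once from the clean image, the medium holding it remounted read-only, and `build_manifest` pointed at the mount point of the disk being examined; the point of the thread is that this only proves anything when the kernel doing the reading is not the one that could have been patched.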

