Date:      Thu, 10 Dec 1998 18:01:02 -0500
From:      Charles Reese <reese@chem.duke.edu>
To:        freebsd-security@FreeBSD.ORG
Subject:   tripwire was Re: append-only devices for logging
Message-ID:  <1.5.4.32.19981210230102.00743b60@chem.duke.edu>

At 01:12 PM 12/10/98 -0600, you wrote:
>> Jim Yuill wrote:
>> I've been looking for an append-only device for logging, which a remote
>> hacker (with root access) can not erase or alter.  Other than a
>> line-printer, are there any such devices that actually work with Unix?  
>
>On Thu, 10 Dec 1998, Mark Newton wrote:
>> Files fit the bill on FreeBSD.  Set your securelevel to 2 and
>> apply the "sappnd" flag (using chflags) to any files you wish
>> to set as "append-only".  Not even root can remove the append-only
>> flag unless first bringing the system to a lower security level,
>> which requires physical access to the console for single user mode
>> operation.
>
>For the truly paranoid: How many of you audit your system scripts on
>reboot? If I wanted to erase my tracks (and thought you might not know I
>was there or wanted to hide how long I'd been there), I could tamper with
>scripts to kill logs next bringup. <PLUG>Tripwire(tm) is nearly perfect
>for watching rc.* changes and such.</PLUG> Many of us just take the 
>machine down, go '-s', blindly run our single-user-mode-admin-scripts, 
>and go multiuser.
>
>This does have better logging bandwidth than serial/parallel port 
>logging, though. (^_^) Jy@
>
Can tripwire be modified to compare two databases rather than one database
and the current files?  I ask because I monitor some systems remotely and I
would like to be able to automatically generate a tripwire database on the
remote system, ftp it to my local site and compare it with a previously
created database that I have stored here on read-only media.  It is not
possible for me to use read-only media on the remote machine.

Cheers
Charlie Reese
One Unix to Rule them all, One Resolver to Find them,
One IP to Name them all, In the Zone that Binds them.
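An added example, not Tripwire's code and not from any poster in this thread: a small POSIX sh script that does what the question above asks for. It builds a hash database of a directory tree on one host (the remote system), and then compares two such databases (a baseline kept on read-only media against a freshly generated copy) instead of comparing a database against the live files. The function names make_db, compare_dbs and hash_file are assumed; it uses sha256sum where present and FreeBSD's sha256 otherwise.

```shell
#!/bin/sh
# Constructed example: file-integrity database build and database-to-database
# comparison, so the trusted baseline never has to live on the monitored host.
set -eu

# Hash one file: sha256sum (GNU coreutils) or sha256 -q (FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_db DIR OUTFILE: one tab-separated line per regular file under DIR:
# path, SHA-256, and mode:owner. Both hosts must use the same DIR root so
# the path keys line up. GNU stat -c first, BSD stat -f as the fallback.
make_db() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        meta=$(stat -c '%a:%U' "$f" 2>/dev/null || stat -f '%Lp:%Su' "$f")
        printf '%s\t%s\t%s\n' "$f" "$(hash_file "$f")" "$meta"
    done > "$2"
}

# compare_dbs BASELINE CURRENT: print ADDED / CHANGED / REMOVED paths.
# A change in either the hash or the mode:owner counts as CHANGED, so an
# rc.* script that was chmod'ed or chowned shows up even if its bytes match.
compare_dbs() {
    awk -F '\t' '
        NR == FNR { base[$1] = $2 " " $3; next }
        {
            seen[$1] = 1
            if (!($1 in base))               print "ADDED   " $1
            else if (base[$1] != $2 " " $3)  print "CHANGED " $1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage: on the remote host  ./integ.sh make /etc/rc.d current.db
#        on the trusted host ./integ.sh compare baseline.db current.db
case "${1:-}" in
    make)    make_db "$2" "$3" ;;
    compare) compare_dbs "$2" "$3" ;;
esac
```

A silent compare means every file in the baseline is present, unchanged in content and in mode:owner, and nothing new has appeared; treat any output as a reason to inspect the host before the next reboot runs those scripts.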


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


