Date: Sat, 12 Dec 1998 19:35:38 +0100
From: Eivind Eklund <eivind@yes.no>
To: Charles Reese <reese@chem.duke.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
Message-ID: <19981212193538.T5444@follo.net>
In-Reply-To: <1.5.4.32.19981212141849.00754fb8@chem.duke.edu>; from Charles Reese on Sat, Dec 12, 1998 at 09:18:49AM -0500
References: <1.5.4.32.19981212141849.00754fb8@chem.duke.edu>
On Sat, Dec 12, 1998 at 09:18:49AM -0500, Charles Reese wrote:
> At 02:45 PM 12/12/98 +0100, you wrote:
> > On Fri, Dec 11, 1998 at 07:58:22AM -0500, Charles Reese wrote:
> > > let me know when I've been compromised. As the tripwire approach (MD5 etc.)
> > > seems to be pretty solid it seems to boil down to how do you prevent
> > > tampering with it and at the same time keep the machine maintainable without
> > > having to go to single user mode?
> >
> > Answer: You put it in the kernel (including code to transfer it to
> > another machine, with some algorithm to make the transfer
> > non-modifiable - e.g., shared secret and hash), make _only_ the kernel
> > immutable using the schg flag, and go to single user mode when you
> > need to upgrade the kernel.
>
> Sounds like a great idea to me, the programming is over my head though. Do
> we have a volunteer? :-)

If you're attempting to volunteer me: Not right now, at any rate. I could
point somebody in the right directions WRT how to do the kernel side of it,
though. If somebody needs pointers for how to do the receiving and
verification stuff at the other end, they're probably not the right person
for the task.

And, alas, shared secrets will not work :-( On breaking root on a box, the
attacker will have access to the kernel image. It will be necessary to have
a full implementation of some form of public key system - to get this into
the standard distribution, I believe it would be best to go with the
government's "Digital Signature Standard". DSS is described at
http://www.itl.nist.gov/div897/pubs/fip186.htm

Note that using MD5 as the 'secure hash function' might not be a good idea
for this application.

Eivind.
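Eivind's objection above (a root attacker can read the kernel image, and with it any shared secret the in-kernel verifier holds), as an added example that is not from the thread or from FreeBSD. Ed25519 stands in for DSS because it ships in Go's standard library and the argument only needs the verifier to hold a public key; the integrity database lines and the attacker's forgery attempts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample integrity database ("path digest" per line); tripwire would build the real one.
var goodDB = []byte("/bin/ls 1c4f...\n/bin/login 9a02...\n")
var tamperedDB = []byte("/bin/ls 1c4f...\n/bin/login deadbeef\n") // after /bin/login was replaced
// Shared-secret design: the in-kernel verifier needs the key, so it sits in the image root can read.
type SharedSecretKernel struct{ key []byte }

func (k SharedSecretKernel) tag(db []byte) []byte {
	m := hmac.New(sha256.New, k.key)
	m.Write(db)
	return m.Sum(nil)
}
func (k SharedSecretKernel) Accepts(db, tag []byte) bool { return hmac.Equal(k.tag(db), tag) }

// Public-key design: the image holds only the public key; the private key stays on the offline signing host.
type PublicKeyKernel struct{ pub ed25519.PublicKey }

func (k PublicKeyKernel) Accepts(db, sig []byte) bool { return ed25519.Verify(k.pub, db, sig) }

// Forge*: the attacker has root, hence everything the verifier holds; each returns whether tamperedDB is accepted.
func ForgeSharedSecret(k SharedSecretKernel) bool {
	stolen := SharedSecretKernel{key: k.key} // key lifted from the kernel image
	return k.Accepts(tamperedDB, stolen.tag(tamperedDB))
}
func ForgePublicKey(k PublicKeyKernel, oldSig []byte) bool {
	_, bogus, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, not the signer's
	return k.Accepts(tamperedDB, oldSig) || k.Accepts(tamperedDB, ed25519.Sign(bogus, tamperedDB))
}
// Run reports (legitimate accepted, forgery accepted) for each design.
func Run() (legitHMAC, forgedHMAC, legitSig, forgedSig bool) {
	secret := make([]byte, 32)
	rand.Read(secret)
	sk := SharedSecretKernel{key: secret}
	legitHMAC, forgedHMAC = sk.Accepts(goodDB, sk.tag(goodDB)), ForgeSharedSecret(sk)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv stays offline
	pk, sig := PublicKeyKernel{pub: pub}, ed25519.Sign(priv, goodDB)
	legitSig, forgedSig = pk.Accepts(goodDB, sig), ForgePublicKey(pk, sig)
	return
}

func main() { fmt.Println(Run()) }
```

Run prints `true true true false`: the shared-secret verifier accepts the attacker's re-tagged database, the public-key verifier does not.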