System cracked, a story
miah
jjohnson at sunrise-linux.com
Mon May 26 11:20:53 EDT 2003
Yes, it was dismissive. There are many different techniques for bypassing tripwire, the most obvious is just deleting the database, if the administrator hasn't made a backup, good luck. Samhain doesn't run through cron, its a daemon, everything it uses (configuration files, programs, etc) are cryptographically signed. Samhain can also detect changes in memory, will detect newly installed suid programs, and can run in stealth mode so that hax0rs don't even know you're using it.
Not to mention that samhain is 100% gpl and tripwire isn't. The 'gpl' version of tripwire isn't actively maintained and is a very very stripped down version of the commercial tripwire. It doesn't even support centralized databases (like samhain), cryptographically signed configuration files, stealth mode, kernel rootkit detection, or changes in memory.
But hey, if you want to run a piece of software to make you feel somewhat secure tripwire is for you.. If however you actually give a shit about your security you'll quit playing with tripwire and install a real file integrity system.
http://sourceforge.net/projects/tripwire/
Look at that, last updated March 2001, and I'm actually willing to bet its been longer than that..
-miah
On Mon, May 26, 2003 at 09:38:39AM -0400, Lars Kellogg-Stedman wrote:
> On Mon, 2003-05-26 at 09:21, miah wrote:
> > ugh, tripwire *laugh*
> >
> > You should all really look at samhain
>
> I'm not disagreeing with you -- I haven't actually looked at samhain in
> years, so I don't know how it looks these days -- but that was an
> awfully dismissive email without any substance to it.
>
> What does Samhain do that Tripwire doesn't? I'd be interested in a
> review, because I'll shortly be putting together a new system
> configuration for all the systems I support, and I'm going to need some
> form of filesystem integrity checker.
>
> And while we're on the topic, I'd encourage folks to take a look at
> Radmind, from the nice folks at umich.edu. In some ways it takes
> tripwire one step further -- if it discovers files that have changed, it
> will replace them with originals stored on a server. Also very useful
> for file distribution.
>
> Radmind is certainly not as full-featured as tripwire as far as checking
> files goes, but the tools are simple enough that I've found them useful
> in shell scripts for doing things like automatically creating Solaris
> package prototype files for perl modules installs.
>
> -- Lars
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
More information about the Discuss
mailing list