Re: snooper watchers

[newsham () aloha net (Timothy Newsham)]

> If I turn the paranoid mode up a notch or two here..
> What is to stop someone from mounting another filesystem over the top of
> your tripwire database and crontab entries.  Replace the mount and df
> commands to not show the new mount point.  Now you continue to believe
> that you are a happy camper, all safe and secure.

Its ok to be paranoid.  This is a valid concern.  Automated checking
still has its merits.  Manual checking is very tedious.  If its tedious
it most people wont do it regularly.  Automatic checking is not failsafe.
By mixing automated and manual checking you can have a little convenience
as well as security.  A sophisticated attack may not be noticed immediately
but eventually will be.  A less sophisticated attack will be noticed almost
immediately.

Btw an easier attack is to just modify the script that regularly runs
tripwire, usually run from cron.

> You really need to do a seperation of the checkee from the checkor.
> If someone has root access on the machine, the could basicly do anything that
> is needed to cover their tracks.

This is why manual checks should still be done, but this is not why
automatic checking should be given up.

                                     Tim N.