Bugtraq mailing list archives

Re: snooper watchers

From: peter () haywire DIALix COM (Peter Wemm)
Date: Tue, 28 Feb 1995 10:22:39 +0800 (WST)


On Sun, 26 Feb 1995, Timothy Jones wrote:

Date: Sun, 26 Feb 1995 23:33:44 -0500
From: Timothy Jones <tim () cs columbia edu>
To: bugtraq () crimelab com
Subject: Re: snooper watchers 

Has anyone built a system sharing a dual-ported disk between the server
(checkee) and another machine that runs something like tripwire (checker)?
Obviously, the checker shouldn't be attached to the 'net...

Tim


Shouldn't be _that_ hard with conventional parts these days.  Have a 
seperate, secure, non-networked computer with two scsi controllers.

Have the second computer use a different scsi host ID (7 is normal.. 
change this to (say) 6) and connect the two scsi controllers to the same 
scsi bus.

get the second host to read-only mount the first computer's root disk 
somwhere and check it.   This shouln't cause too many problems providing 
your root disk on the primary host is pretty static (which is the whole 
point of what you're checking for, isn't it?).

As long as the second host never executes anything from the first 
computer's root disk, and has all it's disks on a seperate scsi cable and 
controller, then it should be invulnerable to all but physical attacks.

If your second computer gives the first computer's root disk a clean bill 
of health, then you can be a lot more sure of the validity of the primary 
host's own checks.

Naturally, the second host should check other areas you're interested in 
too, like maybe /usr/bin and friends.  The second host should keep the 
disks unmounted when not in use so that the disk meta-data is not hopelessly 
confused in the checking host's kernel, and is not quietly kept in a 
buffer cache somewhere.

The best part, is that a hacker/cracker cannot tell if the host they are 
trying to break is being watched like this..  No matter how clever their 
trojans are, they will be detected.  If you're really paranoid, you could 
even do a binary compare of the file systems, but that'd probably be going a 
bit overboard.

-Peter

Gene Rackow writes:

If I turn the paranoid mode up a notch or two here..
What is to stop someone from mounting another filesystem over the top of
your tripwire database and crontab entries.  Replace the mount and df
commands to not show the new mount point.  Now you continue to believe
that you are a happy camper, all safe and secure.

You really need to do a seperation of the checkee from the checkor.
If someone has root access on the machine, the could basicly do anything that
is needed to cover their tracks.

Current thread:

Re: snooper watchers, (continued)
- - Re: snooper watchers Gene Rackow (Feb 25)
    - Re: snooper watchers Timothy Newsham (Feb 25)
    - Re: snooper watchers Darren Reed (Feb 25)
    - Re: snooper watchers Dr. Frederick B. Cohen (Feb 25)
- Re: snooper watchers smb () research att com (Feb 26)
- Re: snooper watchers der Mouse (Feb 26)
- Re: snooper watchers Timothy Jones (Feb 26)
  - Re: snooper watchers Leo Bicknell (Feb 26)
    - Re: snooper watchers Christopher Samuel (Feb 27)
  - No Subject Nicholas West (Feb 26)
  - Re: snooper watchers Peter Wemm (Feb 27)