On Jul 13, 2007, at 4:03 PM, Douglas Allan Tutty wrote:

> On Fri, Jul 13, 2007 at 11:57:44AM -0700, David Brodbeck wrote:
>> * The exception is if tripwire or aide is used after booting from a
>> read-only medium (such as a live CD) and uses checksums that are also
>> retrieved from read-only media. But few people do it this way
>> because it's a lot of work to maintain and requires taking the
>> machine down to do a check.
>
> Is there no way for a 'secure' host to check the md5sums on a remote
> host via scp or something? The checksums could be on that secure host
> (or on a CD in a drive on the secure host)?
Then you have to worry about sshd on the remote host being trojaned
so it feeds you what you expect to see, not the actual data.

If you're assuming a machine might have been compromised, you can't
trust *any* binaries on that machine, full stop. You also can't
trust its kernel, so running binaries off a CD without rebooting
doesn't help, either -- you may only *think* it's running your
binaries, while it's actually running a trojaned version.

This isn't to say that tools like tripwire don't have any value, but
it's important to recognize their limitations. If you run a local
copy of tripwire on a machine, if it fails you know the machine is
compromised. But if it succeeds, you still can't be sure the machine
is clean.
David Brodbeck
Information Technology Specialist 3
Computational Linguistics
University of Washington
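A worked illustration of the limitation discussed in this exchange, added here as an example and not part of the thread or of any tool it mentions. The verifier keeps the baseline on the secure side and hashes the raw bytes it pulls from the remote itself, rather than asking the remote for md5sums, so a trojaned md5sum binary cannot answer for it. It then shows two remotes: an honest one, where a replaced /bin/ls is caught, and a "lying" one whose kernel or sshd hands any reader the pristine bytes while the modified file is what actually executes, where the same check passes. Everything below is constructed: the file contents are made-up byte strings, the reader functions stand in for sshd/cat, and sha256 is used in place of the thread's md5sums. The `ssh_reader` helper is the real-world reader the thread proposes and assumes `ssh` on the local PATH and `cat` on the remote; it is not exercised because it needs a reachable host.

```python
import hashlib
import subprocess
from typing import Callable, Dict, List

# Constructed sample data standing in for files on the monitored host.
# CLEAN is what the baseline was taken from; TROJANED is the same host after
# an attacker replaced /bin/ls. Made-up bytes, not real binaries.
CLEAN: Dict[str, bytes] = {"/bin/ls": b"ELF clean ls", "/bin/ps": b"ELF clean ps"}
TROJANED: Dict[str, bytes] = {"/bin/ls": b"ELF trojaned ls", "/bin/ps": b"ELF clean ps"}


def make_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each file; this table lives on the secure host (or a CD), never on the target."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


BASELINE = make_baseline(CLEAN)


def verify(baseline: Dict[str, str], read_remote: Callable[[str], bytes]) -> List[str]:
    """Pull raw file bytes from the remote and hash them on *this* side.

    Asking the remote for md5sums would let a trojaned md5sum binary answer;
    hashing locally removes that one lie but not the ones below.
    Returns the paths whose hash does not match the baseline.
    """
    return [
        path
        for path, expected in baseline.items()
        if hashlib.sha256(read_remote(path)).hexdigest() != expected
    ]


def honest_reader(disk: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Remote whose sshd and kernel return what is really on disk."""
    return lambda path: disk[path]


def lying_reader(disk: Dict[str, bytes], clean_copy: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Remote whose trojaned kernel or sshd serves the pristine bytes to any
    reader while the modified file is what actually executes."""
    return lambda path: clean_copy.get(path, disk[path])


def ssh_reader(host: str) -> Callable[[str], bytes]:
    """The real-world reader from the thread: `ssh host cat -- path`.
    Assumes ssh on the local PATH and cat on the remote; needs a live host."""
    return lambda path: subprocess.check_output(["ssh", host, "cat", "--", path])


if __name__ == "__main__":
    # A failure is a true positive; a pass proves nothing if the remote lies.
    print("honest remote, trojaned disk:", verify(BASELINE, honest_reader(TROJANED)))
    print("lying remote, trojaned disk: ", verify(BASELINE, lying_reader(TROJANED, CLEAN)))
```

The first call reports `/bin/ls`; the second reports nothing, even though the same trojaned file is on disk. That is the asymmetry in the reply above: a mismatch is evidence of compromise, a clean result only tells you that whatever answered the read request chose to return the expected bytes.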