Message-ID: <4239D38F.5050408@davewking.com>
From: davefd at davewking.com (Dave King)
Subject: Microsoft GhostBuster Opinions

Valdis.Kletnieks@...edu wrote:

>On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
>
>>    Also, this is not just like tripwire.  If the kernel is compromised 
>>and reporting false data to tripwire then tripwire can run along merrily 
>>thinking everything's great.  This is why booting to a trusted kernel 
>>is important for the process.  Exploiting Software by Hoglund and McGraw 
>>has a discussion on these types of rootkits.  Tripwire, however, does 
>>great at detecting other sorts of intrusions.
>
>Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
>system, then run it while booted from a CD, and they produce different
>results, you have a problem.
>
>And that's what they're doing by doing a 'dir /a /s' on the live system,
>then booting the Windows PE CD, and looking for differences....
>
Ok, this is true.  I guess what I meant by what I said was running 
tripwire as a cron job daily or whatever on a system without booting to 
a known good kernel could yield incorrect results if the kernel has been 
compromised.  A similar result can be had using tripwire on the system 
then booting to a known good kernel and running it again.

Laters,
Dave King CISSP
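The cross-view diff described in the thread (a `dir /a /s` taken on the live system versus the same listing taken after booting a trusted CD), as an added example that is not part of the original thread: a small Python comparer that parses both listings and reports entries the live kernel hid or misreported. The two listings and the file names in them are constructed for the example.

```python
import re

# Constructed excerpts of `dir /a /s` output (older Windows layout), not real captures.
LIVE_VIEW = r""" Directory of C:\Windows\System32
03/17/2005  11:28 AM    <DIR>          .
03/17/2005  11:28 AM         1,024,000 ntoskrnl.exe
03/17/2005  11:28 AM    <DIR>          drivers
"""
OFFLINE_VIEW = r""" Directory of C:\Windows\System32
03/17/2005  11:28 AM    <DIR>          .
03/17/2005  11:28 AM         1,036,288 ntoskrnl.exe
03/17/2005  11:30 AM            20,480 hiddenfile.sys
03/17/2005  11:28 AM    <DIR>          drivers
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time [AM/PM]  <DIR>|size  name
ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}(?: [AP]M)?\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text: str) -> dict:
    """Map lower-cased full path -> (kind, size); directories get size -1."""
    entries, cwd = {}, None
    for line in text.splitlines():
        if (m := DIR_RE.match(line)):
            cwd = m.group(1).rstrip("\\")          # new "Directory of" section
        elif cwd and (m := ENTRY_RE.match(line)) and m.group(2) not in (".", ".."):
            size_field, name = m.groups()
            path = f"{cwd}\\{name}".lower()        # NTFS paths are case-insensitive
            if size_field == "<DIR>":
                entries[path] = ("dir", -1)
            else:
                entries[path] = ("file", int(size_field.replace(",", "")))
    return entries


def cross_view_diff(live: str, offline: str) -> dict:
    """hidden: only in the trusted (offline) view, i.e. what the live kernel hides;
    changed: in both but kind/size differ; live_only: live view only (usually
    pagefile/temp noise, but still worth a look)."""
    l, o = parse_dir_listing(live), parse_dir_listing(offline)
    return {
        "hidden": sorted(p for p in o if p not in l),
        "changed": sorted(p for p in o if p in l and l[p] != o[p]),
        "live_only": sorted(p for p in l if p not in o),
    }
```

On the constructed input this reports `hiddenfile.sys` as hidden and `ntoskrnl.exe` as changed; in practice the `live_only` bucket also needs review, because a few legitimate runtime-only files (page file, temp files) will always land there.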

