Tripwire checksums - Security


Thread: Tripwire checksums

  1. Tripwire checksums

    Hello,
    Tripwire generates a checksum for file contents and stores the
    checksum in the database. The main functionality is to detect any
    changes made to that file. But I think there is a case where the
    intruder may get away with it. The scenario is:

    Day 1 - File contents are X - checksum is A
    Day 2 - File contents are Y - checksum is B

    The intruder may still revert the contents of the file to "X" and set
    the checksum to "A" and still get away with it.

    This may be applicable for configuration files, e.g., if on day 2
    a host is denied access via the /etc/hosts.deny file.

    Mostly, I guess it is a gap in my understanding rather than the
    software. I would appreciate it if anyone can clarify this.

    Cheers
    Manik


  2. Re: Tripwire checksums

    manik wrote:
    > Hello,
    > Tripwire generates a checksum for file contents and stores the
    > checksum in the database. The main functionality is to detect any
    > changes made to that file. But I think there is a case where the
    > intruder may get away with it. The scenario is:
    >
    > Day 1 - File contents are X - checksum is A
    > Day 2 - File contents are Y - checksum is B
    >
    > The intruder may still revert the contents of the file to "X" and set
    > the checksum to "A" and still get away with it.
    >
    > This may be applicable for configuration files, e.g., if on day 2
    > a host is denied access via the /etc/hosts.deny file.
    >
    > Mostly, I guess it is a gap in my understanding rather than the
    > software. I would appreciate it if anyone can clarify this.
    >
    > Cheers
    > Manik
    >

    It all depends on when the new checksum is calculated and saved. If the
    file is reverted between when it was updated and when the new checksum
    is calculated and stored, then the change would be undetected. If I
    modify /etc/hosts.deny and don't compute a new checksum immediately,
    then the next time a scan is run the file will be flagged as altered.

    Assume that I've set up the system to run a scan at 0400. If I update the
    file during the day, don't save a new checksum, and the file is
    reverted to its original contents, then I won't get a warning message
    when the scanner runs at 0400 the following morning. The missing warning
    I was expecting is the indicator that something happened to the file.

    Phil Sherman
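Phil's timing point, as an added Python simulation that is not from the thread and not Tripwire's own code: a hypothetical in-memory stand-in for the checksum database, with constructed /etc/hosts.deny contents, run through the three cases (reverted before re-baselining, changed but never re-baselined, re-baselined promptly and then reverted).

```python
import hashlib

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # stands in for whatever digest the scanner stores

class IntegrityDatabase:
    """Minimal stand-in for an integrity checker's baseline database (hypothetical, not Tripwire's)."""
    def __init__(self) -> None:
        self.baseline: dict[str, str] = {}

    def update(self, files: dict[str, bytes]) -> None:
        """Re-baseline: record the current checksum of every file (the 'calculate and save' step)."""
        for path, data in files.items():
            self.baseline[path] = checksum(data)

    def scan(self, files: dict[str, bytes]) -> list[str]:
        """Nightly scan: return the paths whose current checksum differs from the baseline."""
        return [p for p, data in files.items() if self.baseline.get(p) != checksum(data)]

PATH = "/etc/hosts.deny"                         # constructed sample contents below; not real hosts
DAY1 = b"ALL: 192.0.2.10\n"                      # X, checksum A
DAY2 = b"ALL: 192.0.2.10\nALL: 198.51.100.7\n"   # Y, checksum B (one more host denied on day 2)

def _day1_system() -> tuple[IntegrityDatabase, dict[str, bytes]]:
    files = {PATH: DAY1}
    db = IntegrityDatabase()
    db.update(files)          # day 1 baseline holds checksum A
    return db, files

def reverted_before_rebaseline() -> list[str]:
    """Admin edits the file on day 2 but never re-baselines; intruder reverts before the 0400 scan."""
    db, files = _day1_system()
    files[PATH] = DAY2
    files[PATH] = DAY1        # reverted: contents match checksum A again
    return db.scan(files)     # nothing flagged: the revert is invisible to a content hash alone

def changed_but_not_rebaselined() -> list[str]:
    """Admin edits the file on day 2 and forgets to re-baseline; nobody reverts it."""
    db, files = _day1_system()
    files[PATH] = DAY2
    return db.scan(files)     # flagged at 0400: the warning the admin expects to see

def rebaselined_then_reverted() -> list[str]:
    """Admin re-baselines right after the day-2 edit; intruder reverts afterwards."""
    db, files = _day1_system()
    files[PATH] = DAY2
    db.update(files)          # baseline now holds checksum B
    files[PATH] = DAY1
    return db.scan(files)     # flagged: the revert no longer matches the stored checksum
```

The only case that slips through is the one where the baseline was never refreshed after the approved change, which is why the database update belongs immediately after every intended edit.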
