Tripwire checksums


Tripwire generates a checksum for file contents and stores the
checksum in the database. The main functionality is to detect any
changes made to that file. But I think there is a case where the
intruder may get away with it. The scenario is:

Day 1 - File contents are X - checksum is A
Day 2 - File contents are Y - checksum is B

The intruder may still revert the contents of file to "X" and set
checksum to "A" and still get away with it.

This may be applicable to configuration files, e.g., if on day 2
a host is denied access via the /etc/hosts.deny file.

Mostly, I guess it is a gap in my understanding rather than the
software. I would appreciate it if anyone could clarify this.


Re: Tripwire checksums

manik wrote:
It all depends on when the new checksum is calculated and saved. If the
file is reverted between when it was updated and when the new checksum
is calculated and stored, then the change would be undetected. If I
modify /etc/hosts.deny and don't compute a new checksum immediately,
then the next time a scan is run the file will be flagged as altered.

Assume that I've set up the system to run a scan at 0400. If I update the
file during the day and don't save a new checksum and the file is
reverted to its original contents then I won't get a warning message
when the scanner runs at 0400 the following morning. The missing warning
I was expecting is the indicator that something happened to the file.

Phil Sherman
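An added example (not Tripwire's code; the hosts.deny contents are constructed) that replays manik's scenario and Phil's remedy: with only a content hash in the baseline, a modify-then-revert between two scans is reported clean, whereas saving a new checksum right after the authorised change, or recording the inode ctime next to the hash, makes the next scan flag the file. Ordinary file calls cannot set ctime, which is why Tripwire-style tools keep inode attributes alongside the hash.

```python
import hashlib
import os
import tempfile
import time

# Constructed contents for the thread's scenario: X on day 1, Y on day 2.
CONTENTS_X = b"ALL: 203.0.113.0/24\n"
CONTENTS_Y = CONTENTS_X + b"sshd: 198.51.100.7\n"   # one more host denied


def snapshot(path):
    """What a Tripwire-style scan records for one file: content hash plus inode attributes."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "inode": st.st_ino, "ctime_ns": st.st_ctime_ns}


def changed_properties(baseline, current,
                       props=("sha256", "size", "inode", "ctime_ns")):
    """Names of recorded properties that differ; an empty list means the scan stays silent."""
    return [p for p in props if baseline[p] != current[p]]


def scenario(rebaseline_after_change):
    """Day 1 scan, day 2 change, revert to X before the next scan.

    Returns (baseline, current) snapshots so the caller can compare them
    with any subset of properties (hash only, or hash plus inode data).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts.deny")
        with open(path, "wb") as f:
            f.write(CONTENTS_X)
        baseline = snapshot(path)          # day 1 scan at 0400
        time.sleep(1.05)                   # let ctime move on filesystems with 1 s resolution
        with open(path, "wb") as f:
            f.write(CONTENTS_Y)            # day 2: admin denies another host
        if rebaseline_after_change:
            baseline = snapshot(path)      # Phil's remedy: save a new checksum immediately
        with open(path, "wb") as f:
            f.write(CONTENTS_X)            # file reverted to X before the 0400 scan
        return baseline, snapshot(path)    # next morning's scan
```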
