[Integrit-users] Re: integrit
From: Ed L C. <ec...@co...> - 2001-02-20 21:12:49
(Cc'ed to integrit-users list: http://sourceforge.net/mail/?group_id=15369)

lumpy <lu...@9m...> writes:

> appears to choke on fifos, allowing for a denial of service attack.
> to test, create a fifo (with mkfifo) and try to check its checksum.
> note that there is a race between your stat and your open.

Thanks much for the feedback! Before trying to do a checksum, integrit tests to see whether the file is a regular file or not. On my Linux 2.2.14 system, fifos are not treated as regular files (and they shouldn't be, since they're fifos), so such an attack would fail. What system are you running (CPU and OS)?

To address the issue of DOS, if such a DOS attack is happening, then the machine has been compromised. If integrit suddenly does not run correctly, that is a sign that the host has been compromised. This is the same as with any similar product like aide or tripwire.

If the host has been compromised, then the only safe way to check the damage is unfortunately to mount the affected drive on a trusted host and investigate there. Obviously, it's better to prevent break-ins.

BTW, fifos are not the only way to trip up integrit if you've got root. You could also turn off the machine or allocate all of its memory, or damage the filesystem, or load your own kernel modules ... integrit and products like it are not designed to accommodate such situations. They are not panaceas but specific tools to be used as part of a comprehensive security policy.

--
--Ed Cashin          integrit file verification system
  ec...@co...        http://integrit.sourceforge.net/
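
Added example, not part of the original message and not integrit's code: one way for a file checker to close the stat/open race raised in the quoted report is to open the path without blocking and then test the file type on the open descriptor with fstat(). The names open_regular and self_check and the temporary paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not integrit code: return an fd for `path` only if
 * it is a regular file; otherwise return -1 with errno set. */
int open_regular(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO that has no writer returns at once.
     * O_NOFOLLOW: refuse a symlink as the final path component. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat() inspects the object actually opened, so the type check
     * cannot be invalidated by a swap between check and use. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed inputs: one regular file and one FIFO in a temp directory.
 * Returns 0 if the regular file is accepted and the FIFO is rejected. */
int self_check(void)
{
    char dir[] = "/tmp/fifochk-XXXXXX", reg[64], fifo[64];
    int fd, bad = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(reg, sizeof reg, "%s/regular", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || mkfifo(fifo, 0600) != 0)
        bad |= 1;
    if ((fd = open_regular(reg)) < 0) bad |= 2; else close(fd);
    if ((fd = open_regular(fifo)) >= 0) { bad |= 4; close(fd); }
    unlink(reg); unlink(fifo); rmdir(dir);
    return bad;
}

int main(void) { return self_check(); }
```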