[Integrit-users] Re: integrit
From: lumpy <lu...@9m...> - 2001-02-20 21:26:12

Are you saying that you'll never be checking any files that have an ownership other than root, then? I'm on FreeBSD, but, the I think it's a general rule. If you stat the file, and then do an open on it, there's that race, meaning you can swap between a fifo and a regular file. Causing integrit to hang could allow the attacks to go on without it reporting anything.

On 20 Feb 2001, Ed L Cashin wrote:

> (Cc'ed to integrit-users list: http://sourceforge.net/mail/?group_id=15369)
>
> lumpy <lu...@9m...> writes:
>
> > appears to choke on fifos, allowing for a denial of service attack.
> > to test, create a fifo (with mkfifo) and try to check its checksum.
> > note that there is a race between your stat and your open.
>
> Thanks much for the feedback!
>
> Before trying to do a checksum, integrit tests to see whether the file
> is a regular file or not. On my Linux 2.2.14 system, fifos are not
> treated as regular files (and they shouldn't be, since they're fifos),
> so such an attack would fail. What system are you running (CPU and
> OS)?
>
> To address the issue of DOS, if such a DOS attack is happening, then
> the machine has been compromised. If integrit suddenly does not run
> correctly, that is a sign that the host has been compromised. This is
> the same as with any similar product like aide or tripwire.
>
> If the host has been compromised, then the only safe way to check the
> damage is unfortunately to mount the affected drive on a trusted host
> and investigate there. Obviously, it's better to prevent breakins.
>
> BTW, fifos are not the only way to trip up integrit if you've got
> root. You could also turn off the machine or allocate all of its
> memory, or damage the filesystem, or load your own kernel modules
> ... integrit and products like it are not designed to accommodate such
> situations. They are not panaceas but specific tools to be used as
> part of a comprehensive security policy.
>
> --
> --Ed Cashin        integrit file verification system
>   ec...@co...    http://integrit.sourceforge.net/
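
The stat-then-open race raised in this message can be closed by opening first and testing the descriptor with fstat(). The following is an added example, not integrit's code and not written by either poster; `open_regular` and `demo_accepts` are hypothetical names, and the temporary FIFO and file are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns a descriptor for a regular file, or -1
 * with errno set (EINVAL when the opened object is not a regular file). */
int open_regular(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO that has no writer returns at once
     * instead of blocking the whole scan. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() reports on the object actually opened, so replacing the
     * path after this point cannot change what gets read. */
    int bad = fstat(fd, &st) != 0 ? errno : (S_ISREG(st.st_mode) ? 0 : EINVAL);
    if (bad) { close(fd); errno = bad; return -1; }
    /* Regular file confirmed: go back to ordinary blocking reads. */
    int fl = fcntl(fd, F_GETFL);
    if (fl != -1)
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Constructed demo: create a FIFO (is_fifo=1) or a regular file (is_fifo=0)
 * in a temp directory. Returns 1 if accepted, 0 if rejected, -1 on setup error. */
int demo_accepts(int is_fifo)
{
    char dir[] = "/tmp/openreg_XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/target", dir);
    int made = is_fifo ? mkfifo(path, 0600)
                       : open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (made < 0) { rmdir(dir); return -1; }
    if (!is_fifo) close(made);
    int fd = open_regular(path);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return fd >= 0;
}

int main(void)
{
    printf("fifo accepted: %d\n", demo_accepts(1));
    printf("regular file accepted: %d\n", demo_accepts(0));
    return 0;
}
```

A checker built this way would checksum through the returned descriptor rather than reopening the path.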