What if I delete Tripwire for Servers keys, and then replace policy, config and database files with my own signed versions that tell Tripwire software to check nothing?
Each Tripwire for Servers report details when the database was last updated, providing a quick benchmark for determining if or when the data files have been replaced. To replace these files, an attacker requires root- or administrator-level privileges and must know where Tripwire for Servers has been installed. On a properly secured system, gaining this level of access takes time and leaves physical evidence behind for Tripwire for Servers to detect prior to the system being compromised.

Methods for reducing the risk of an intruder being able to replace a Tripwire for Servers installation include:

- Hiding the application by renaming configuration, data, and binary files and installing to a hidden location.
- Installing Tripwire for Servers to a read-only partition such as a CD-ROM.
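
Files re-signed with a substituted key still verify against that key, so the key files themselves need a reference the host cannot rewrite. The sketch below is an added example, not Tripwire code: it fingerprints the key, policy, config and database files and compares them later against a manifest assumed to be kept on read-only media. All file names are hypothetical and the sample directory is constructed.

```python
import hashlib, json, os, tempfile

def fingerprint(path):
    """SHA-256 of a file, or None if it is missing."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return None

def make_manifest(paths):
    """Record fingerprints right after an authorized install or database update."""
    return {p: fingerprint(p) for p in paths}

def compare(manifest):
    """Return {path: status} for every file that no longer matches the manifest."""
    findings = {}
    for path, known in manifest.items():
        current = fingerprint(path)
        if current is None:
            findings[path] = "missing"
        elif current != known:
            findings[path] = "replaced"
    return findings

def demo():
    # Constructed stand-in for an installation directory; file names are hypothetical.
    root = tempfile.mkdtemp()
    names = ["site.key", "local.key", "policy.dat", "config.dat", "database.dat"]
    paths = [os.path.join(root, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    manifest = make_manifest(paths)  # assumed to be stored on read-only media
    # Simulate the scenario in the question: a key removed, other files swapped.
    os.remove(paths[1])
    for p in (paths[0], paths[2], paths[4]):
        with open(p, "wb") as f:
            f.write(b"substituted content")
    return {os.path.basename(p): s for p, s in compare(manifest).items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from trusted media as well, since a script stored on the monitored host can be replaced along with the files it checks.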