tripwire bypass

What would a hacker have to do to bypass Tripwire?
What effect do the recent vulnerabilities of MD5 have on the security of Tripwire?
This is from an educational point of view, of course.
The attacker would need access to the box while it is in a vulnerable state, prior to it being secured. So servers should be built in a clean environment before being given public access.

Once secure it is hard. However, if a management server is used, the attacker would most likely target that instead, so similar measures are needed on the management/log collector. The reason is that if the first box is breached, the changes are recorded and the logs are sent to management; therefore, if management is not secure, you cannot trust that those logs have not been interfered with.

Most people forget the management/log collectors.

If implemented correctly, it is very difficult, especially if logs are sent to another device and those logs are secured.
Replace a file with his/her own one which has the same MD5 checksum.
The recently found MD5 weakness makes finding equal hashes simpler.
Simpler, but still not simple. Plus Tripwire does both MD5 and SHA-1 by default, which makes the problem damn near impossible.

An easier way to attack the problem is to subvert the Tripwire database (if stored locally).
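The two points above, the double MD5+SHA-1 check and the exposure of a locally stored database, can be shown with a small Tripwire-style integrity checker. This is an added example and is not Tripwire's own code or anything from the thread; the directory tree, file contents, and the key are constructed for the demonstration. The baseline records both digests per file and is sealed with an HMAC under a key that would, in practice, live off the monitored host (for instance on the management server the first answer talks about), so that rewriting the local database to match tampered files is itself detected.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digests(path):
    """Return the MD5 and SHA-1 hex digests of one file, read in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def build_baseline(root):
    """Walk a directory tree and record MD5+SHA-1 for every regular file.

    Both digests are kept: a file substituted with the same MD5 would still
    have to match the SHA-1 as well to pass the comparison.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digests(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialise the baseline and attach an HMAC-SHA256 tag under `key`."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def check(root, sealed, key):
    """Verify the sealed baseline first, then compare the tree against it.

    Returns (database_ok, changed_paths). If the database fails its HMAC,
    nothing from it is trusted and no per-file result is reported.
    """
    body = sealed["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return False, []
    baseline = json.loads(body)
    current = build_baseline(root)
    changed = sorted(p for p in set(baseline) | set(current)
                     if baseline.get(p) != current.get(p))
    return True, changed


def demo():
    """Build a constructed tree, seal a baseline, then run three checks:
    clean tree, modified file, and a rewritten (forged) local database.
    Returns the three results so the behaviour can be verified."""
    key = b"constructed-demo-key"  # assumption: kept off-host in real use
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary (constructed sample)\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        sealed = seal_baseline(build_baseline(root), key)

        clean = check(root, sealed, key)

        # A monitored file changes: reported by path.
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"extra bytes\n")
        modified = check(root, sealed, key)

        # The local database is rewritten to match the changed file, but
        # without the key the HMAC no longer verifies.
        forged = dict(sealed)
        forged["body"] = json.dumps(build_baseline(root), sort_keys=True)
        tampered = check(root, forged, key)

    return {"clean": clean, "modified": modified, "tampered": tampered}


if __name__ == "__main__":
    for name, (db_ok, changed) in demo().items():
        print(f"{name}: database_ok={db_ok} changed={changed}")
```

The HMAC only helps if the key is not readable on the host being checked; with the key stored beside the database, the database can be re-sealed along with it, which is the same trust problem the thread raises for the management/log collector.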
... or replace modules in the running kernel,
... or use your own modules in the kernel,
... or use a program in memory.
Well, none of these is really a vulnerability of TripWire, but it bypasses TripWire, at least as long as there is no reboot.