[buug] Convert Linux Gateway to OpenBSD

f.johan.beisser jan at caustic.org
Thu Oct 24 12:52:50 PDT 2002


On 24 Oct 2002, Ian Zimmerman wrote:

> jan> care to explain a little more?
>
> Have aide/tripwire/integrit actually run on one of the internal
> machines, and nfs-mount the checked filesystems?  That way you don't
> have to worry about the binaries themselves being replaced, at least
> as long as the firewall can be trusted.

ah, ok. yes, that would work fine, except that you're using NFS. in this
case, why not nfs mount the tripwire binary from the trusted system, and
keep copies of the databases as needed. less likely to see changes in the
binary that way, and fewer chances of the files you're worried about being
viewed by an attacker (just as bad, in some cases, as them being
modified).

> Puts a huge load on the ethernet though, probably.  Again, I never
> actually did it.

depends on the speed of the ethernet. i've found NFSing source code (i
have several different architectures at home, and nfs with lndir does
wonders for this situation) hasn't been much of an overhead at all. of
course, my network at home is more complex than i care to have it right
now.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan at caustic.org
	"Champagne for my real friends, real pain for
	  my sham friends." -- Tom Waits
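
The arrangement discussed in this thread (checker and database kept on the trusted machine, the checked host's files reachable only through a mount point), sketched as an added example that is not part of the original message and is not aide, tripwire or integrit code. The names `snapshot`, `compare`, `write` and `demo` are hypothetical, and temporary directories stand in for the NFS mount and the trusted host's local disk.

```python
import hashlib, json, os, stat, tempfile

def snapshot(root):
    """Record [sha256, mode, size] for every regular file under root.
    root is the checked host's filesystem as seen from the trusted host."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are skipped here
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            db[rel] = [digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size]
    return db

def compare(baseline, current):
    """Paths added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed sample: 'mount' stands in for the NFS mount of the checked
    # host, 'trusted' for local disk on the machine running the check.
    with tempfile.TemporaryDirectory() as mount, \
         tempfile.TemporaryDirectory() as trusted:
        write(os.path.join(mount, "passwd"), b"root:x:0:0\n")
        write(os.path.join(mount, "hosts"), b"127.0.0.1 localhost\n")
        db_path = os.path.join(trusted, "baseline.json")
        with open(db_path, "w") as f:
            json.dump(snapshot(mount), f)      # database never touches 'mount'
        # Later changes on the checked host (constructed).
        write(os.path.join(mount, "passwd"), b"root:x:0:0\nextra:x:0:0\n")
        os.remove(os.path.join(mount, "hosts"))
        write(os.path.join(mount, "rc.local"), b"#!/bin/sh\n")
        with open(db_path) as f:
            return compare(json.load(f), snapshot(mount))

if __name__ == "__main__":
    print(demo())
```

Because both the hashing code and `baseline.json` live on the checking machine, nothing on the checked host has to be trusted to report its own state; only the file contents cross the mount.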



