possible compromise or just misreading logs
Garrett Wollman
wollman at khavrinen.lcs.mit.edu
Mon Dec 8 08:46:40 PST 2003
<<On Mon, 8 Dec 2003 08:04:28 -0800 (PST), Roger Marquis <marquis at roble.com> said:
> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).
Trivial -- all you have to do is keep backup copies of all the files
replaced, and have the kernel redirect tripwire's access to the
originals.
-GAWollman