The difference is that:
a) These all run on the live system they are trying to protect, so in
principle they can be neutralised at the same time as the system is
attacked, the same as any other binary. E.g. like the way attackers
modify system programs like 'find' to hide files they have installed.
b) Their databases need to be updated every time you update your system,
whereas this approach would update itself automatically whenever you
downloaded a new package or update.
andy.
Felix Windt wrote:
Tripwire, integrit and aide all perform something similar to what you
described.
-----Original Message-----
From: andy baxter [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 24, 2007 7:23 AM
To: [email protected]
Subject: security idea - bootable CD to check your system
hello,
I am writing to ask what you think of the following idea.
Something that I would like to see is a bootable CDROM which
can check all the packages on a debian system. My idea is
that it would work roughly as follows:
- You halt the machine and put in a bootable CD, then reboot.
- The machine boots from the CD, which is read-only and known
  to be good.
- It boots into a minimal linux system which will do nothing but the
  following:
  - ask you whether you are booting for the first or second time.
  - Read a floppy or other removable media to find
    configuration information for the machine being checked.
  - Read the host machine's hard drive to find a list of all
    installed packages.
  - Connect once to the network to retrieve a list of files and
    their checksums for each of these packages from a debian
    server. This list could be saved either to a designated
    partition on the hard drive, or to removable media.
  - Disconnect from the network.
  - Reboot itself.
- The second time round, don't connect to the network.
  - instead, check all the binaries (and optionally config
    files) against the checksums.
  - generate some kind of easy to read report on screen, or
    else save it to removable media.
Do you think this would work (i.e. be a good check on whether
your system has been compromised), and is it worth doing? I'm
not sure if I have the skills to take on something like this
all by myself, but I would be willing to put some time in to
help where I can if anyone else wants to have a go at it.
Alternatively, if people don't think it's worth your while
developing something like this, where should I start looking
to try to put it together myself, and is there anyone at
debian who might be able to help me?
yours,
andy baxter.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
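The offline verification pass from the procedure quoted above (read the manifest saved on the first boot, hash the files on the mounted host disk, produce a report), as an added example that is not code from this thread or from Debian's own tools. It assumes the host's root filesystem is mounted somewhere under the live CD and that the manifest uses the md5sums format dpkg ships with each package ("<md5hex>  <path relative to root>"). In place of a real disk and a real download it constructs a throwaway sample root and manifest in a temporary directory; the file names and contents in that sample are invented.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse dpkg-style md5sums text ("<md5hex>  <path relative to root>")
    into {relative_path: md5hex}. Malformed lines raise instead of being
    skipped, because a truncated manifest would silently shrink coverage."""
    entries = {}
    hexdigits = set("0123456789abcdef")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 32 or set(digest) - hexdigits or not rel:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[rel] = digest
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream a file through MD5, the digest dpkg's .md5sums files carry."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_root(root, manifest):
    """Check every manifest entry against the file under the mounted host
    root. Returns {relative_path: "ok" | "modified" | "missing" | "symlink"}.
    Symlinks are reported, not followed: an absolute link inside the mounted
    root would resolve against the CD's filesystem, not the host's."""
    root = Path(root)
    results = {}
    for rel, expected in manifest.items():
        target = root / rel
        if target.is_symlink():
            results[rel] = "symlink"
        elif not target.is_file():
            results[rel] = "missing"
        elif md5_of_file(target) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def build_demo_root():
    """Constructed sample standing in for the mounted host disk plus the
    manifest fetched on the first boot: one intact file, one file whose
    contents were replaced, and one file that is absent from the disk."""
    root = Path(tempfile.mkdtemp(prefix="hostroot-"))
    intended = {
        "usr/bin/ls": b"#!/bin/sh\necho ls\n",
        "usr/bin/find": b"#!/bin/sh\necho find\n",
        "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    }
    manifest_text = "".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in intended.items()
    )
    on_disk = dict(intended)
    on_disk["usr/bin/find"] = b"#!/bin/sh\necho not-the-real-find\n"  # tampered copy
    del on_disk["etc/ssh/sshd_config"]  # file removed from the disk
    for rel, data in on_disk.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root, manifest_text


def run_check(root, manifest_text):
    """The second-boot pass: parse the saved manifest and verify; no network."""
    return verify_root(root, parse_manifest(manifest_text))


def report_lines(results):
    """Plain-text report, problems first, for the screen or removable media."""
    order = {"modified": 0, "missing": 1, "symlink": 2, "ok": 3}
    return [
        f"{status:9s} {rel}"
        for rel, status in sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))
    ]


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_root()
    print("\n".join(report_lines(run_check(demo_root, demo_manifest))))
```

The trust in this check lives in where the manifest came from, not in the digest: the same md5sums files also sit on the host disk under /var/lib/dpkg/info, but those can be rewritten along with the binaries, which is exactly the objection made to tripwire-style tools earlier in the thread. Refusing to follow symlinks matters for the same reason; a link planted in the host tree could otherwise point the checker at a clean file on the CD.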