> On 31-Mar-2015, at 1:22 pm, Gareth Nelson <[email protected]> wrote:
> 
> Before anyone says it, I'd be more than willing to work on the code for
> this myself but would like feedback on the idea.
> 
> Essentially as follows:
> 
> 1 - A sysctl variable stores a public key that can only be written to once
> at startup
> 2 - All executables on the system must be signed with that public key
> 3 - Any executable not signed is essentially chmod -x
> 
> Of course that's the simple basic idea, there are obvious performance
> issues to consider and this system would have to be optional, but for truly
> paranoid installs it could be a wonderful feature.
> 
> More complex policies are easily imagined, but for a first version, simply
> refusing to run executables without signing seems worthwhile.
> 
> The performance issues could be partly addressed by only signing hashes of
> the executables, the unsigned hashes would be stored all in one file that
> is supplied with the install sets and signed the first time this feature is
> enabled. Signing can take place on another machine and only the signature
> file copied over, or signing can take place locally with the private key
> later removed - or simply left in place for slightly lower levels of
> security.
> 


Packages can be signed using signify and the signature can be checked at the 
time of installation. So there is already a way to check that the installed 
packages are "valid". Though I am not sure if the different mirrors have a 
toto-pkg.pub key - so unclear about how to do this if installing from a mirror.

It seems an additional check before execute will provide only an incremental 
benefit. Perhaps if an intruder breaks into the machine and replaces packages 
with his own malicious content. But then the intruder could overwrite the 
sysctl.pub_key too.