On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote: > Kinda off-topic but nowhere in the discussion the question of checking > already installed files was adressed and it should be asked:
md5sums and signatures are most useful in the context of installation. Post-installation, you cannot be guaranteed that an intrusion rootkit doesn't compromise the md5sum files themselves. Using the installed *.md5sum files to check the integrity gives you a false sense of security unless those *.md5sum files are signed or CRC'd as well. Regardless, using md5sums of selected files does not identify files that are not part of that set. A true IDS is needed, such as aide, tripwire, or cfengine to detect post-installation intrusion. Tie in aide or tripwire database checks/updates with the apt.conf "PostInst" option in addition to a daily cronjon to ensure the database is updated in a timely manner. For install-time integrity checking, GnuPG signatures or the existing chain of md5sum and signed Release files should be sufficient without adding undue complexity. Integration of debsigs would be a welcome addition to dpkg. Folling it's creation, does anyone have a case study or success story hailing the usefulness of debsigs? -- Chad Walstrom <[EMAIL PROTECTED]> http://www.wookimus.net/ assert(expired(knowledge)); /* core dump */
pgpNJcsrrHvdf.pgp
Description: PGP signature
