Thank you, I had forgotten debsums. Sadly, debsums doesn't work for such basic packages as binutils and sysklogd.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Boyd Stephen Smith Jr." <b...@iguanasuicide.net>
Date: Mon, 8 Nov 2010 20:39:58
To: <debian-user@lists.debian.org>
Subject: Re: How do I keep tripwire db in sync with apt-get updates?

In <aanlkti=aniqfz-1e_lw3oztw9d6p5eey1bxu3becn...@mail.gmail.com>, Josh Narins wrote:
>Installing packages, updating packages, removing packages.
>
>These basic operations result in lots of tripwire noise. Was the
>change to /usr/sbin/zic part of a legitimate update, or a
>super-secret-stealth attack?
>
>At this point I wish I could md5sum every binary and library file
>managed by the OS and compare that to some authoritative source.

You may be interested in debsums, then. You could possibly use it to determine if a file (but, not a conffile) updated by a package upgrade / installation is the one shipped from Debian or an attacker taking advantage of the window between package upgrade and tripwire scan.

In theory, it could be possible for dpkg/apt to update the tripwire database automatically. I recommend against it, since then subverting dpkg/apt allows an attacker to subvert tripwire. Because of different focuses, I think the tripwire code is much harder to subvert than the dpkg/apt code.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
b...@iguanasuicide.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                       \_/
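The check debsums performs is simple enough to see in a few lines of shell: for each package it reads the hash list dpkg keeps in /var/lib/dpkg/info/<package>.md5sums and compares every listed file against its current contents. The script below is an added example written for this thread, not code from either poster or from the debsums project. It reimplements that comparison against a constructed fixture in a temporary directory (package names pkg-ok, pkg-tampered and pkg-nolist are invented), so it runs anywhere md5sum and mktemp exist. The pkg-nolist case models the situation Josh describes, where a package ships no md5sums list and therefore cannot be verified this way at all; the exit status makes that distinct from a clean pass or a real mismatch so an automated run does not mistake "unchecked" for "unchanged".

```shell
#!/bin/sh
# Added example: a minimal reimplementation of the debsums comparison.
# Assumes a POSIX sh with md5sum, mktemp and cut. Package names are invented.

# verify_package PKG INFODIR ROOT
#   Reads INFODIR/PKG.md5sums (same layout dpkg uses: "<md5>  <path-without-leading-slash>")
#   and compares each listed file under ROOT with its recorded hash.
#   Prints one line per missing or modified file.
#   Exit status: 0 = all files match, 1 = at least one mismatch, 2 = no list to check against.
verify_package() {
    pkg=$1; infodir=$2; root=$3
    list="$infodir/$pkg.md5sums"
    if [ ! -f "$list" ]; then
        echo "$pkg: no md5sums list, cannot verify" >&2
        return 2
    fi
    rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "$pkg: /$path missing"
            rc=1
            continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "$pkg: /$path FAILED"
            rc=1
        fi
    done < "$list"
    return $rc
}

# make_fixture
#   Builds a constructed dpkg-like layout in a temp dir and prints its path:
#     $fix/info/*.md5sums   stands in for /var/lib/dpkg/info
#     $fix/root/...         stands in for the filesystem root
#   pkg-ok's file is untouched, pkg-tampered's file is modified after its
#   hash list was recorded, and pkg-nolist has no md5sums file at all.
make_fixture() {
    fix=$(mktemp -d)
    mkdir -p "$fix/info" "$fix/root/usr/bin"
    printf 'original zic\n' > "$fix/root/usr/bin/zic"
    printf 'original ld\n'  > "$fix/root/usr/bin/ld"
    printf 'original as\n'  > "$fix/root/usr/bin/as"
    # record hashes the way dpkg stores them: relative paths, no leading slash
    (cd "$fix/root" && md5sum usr/bin/zic) > "$fix/info/pkg-ok.md5sums"
    (cd "$fix/root" && md5sum usr/bin/ld)  > "$fix/info/pkg-tampered.md5sums"
    # simulate a change made after the package was installed
    printf 'modified ld\n' > "$fix/root/usr/bin/ld"
    # pkg-nolist owns usr/bin/as but ships no md5sums list
    echo "$fix"
}

# Stand-alone demo: report each package's status, then clean up.
FIXTURE=$(make_fixture)
for p in pkg-ok pkg-tampered pkg-nolist; do
    verify_package "$p" "$FIXTURE/info" "$FIXTURE/root" || echo "$p: exit status $?"
done
rm -rf "$FIXTURE"
```

On a real Debian system the equivalent is `debsums -c`, which prints only the files whose hash differs, and `debsums -l`, which lists packages that have no md5sums file and so fall outside the check entirely. Both the hash lists and the debsums binary live on the same host as dpkg, so this only narrows the window between a package upgrade and the next tripwire scan; as Boyd notes, it is not a replacement for an integrity database that dpkg cannot write to.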