> Does apt/dpkg keep track of permissions and file sizes of the files which
> belong to a package?  If so, how can this information be retrieved so as
> to compare to existing files on the file system?

  I looked into a similar issue a while ago, and as far as I can
tell, apt does not do this.

  There are several utilities that will continuously monitor your
system, and report changes in file sizes, permissions, etc -- they
are "host-based intrusion detection" systems.  Where I work, we
use the Beltane/Samhain/Yule suite.  "Tripwire" is also a good one,
and is packaged for Debian.

<rant, severity=minor>

  What I actually was looking for was a Debian-aware intrusion
detection system -- I had a problem where, when I did package updates
on all our workstations, the IDS would report all these file changes,
and there didn't seem to be an alternative to manually OK-ing all of
them, which is tedious and potentially error-prone -- if an attack 
occurs on update day, I am likely to miss it in all the spurious IDS
traffic.  It seemed to me that a sensible option would be to have an 
IDS that would notice when files had been changed by apt, and not 
report those changes, just fold them into the database of the system
state.  It's probably sufficient for my purposes to have a rule that
says "if the file has changed, but is controlled by a package, and
changed within <x> seconds of that package being updated, update the
database to reflect this change, and do not report it."


  Obviously, the down-side of this is that adding any kind of 
do-not-report hook to the IDS is a potential exploit, since
it could presumably be spoofed, but it seemed like a positive
cost-benefit balance to me.

  I never did find such a tool.  Some IDSs have a lot of hooks 
for custom scripts, so it may be possible to roll one's own, but
I didn't get that far with it.

</rant>

                                -- A.
--
Andrew Reid / rei...@bellatlantic.net


Archive: http://lists.debian.org/201102130831.55440.rei...@bellatlantic.net
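
The rule proposed in the message above, sketched as an added example (not code from the original message or from any IDS): a changed file is folded into the baseline only if its owning package has an install/upgrade entry in dpkg's log within <x> seconds before the change. The log excerpt, ownership map, alerts and all function names are constructed for illustration; in practice they would come from /var/log/dpkg.log, `dpkg -S`, and the IDS report.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original message).
DPKG_LOG = """\
2011-02-13 08:30:01 startup archives unpack
2011-02-13 08:30:05 upgrade openssh-server 1:5.5p1-5 1:5.5p1-6
2011-02-13 08:30:07 status unpacked openssh-server 1:5.5p1-6
2011-02-13 08:30:09 status installed openssh-server 1:5.5p1-6
"""
# path -> owning package, as `dpkg -S <path>` would report it
OWNERS = {"/usr/sbin/sshd": "openssh-server", "/bin/login": "login"}
# (path, time the IDS saw the change)
ALERTS = [
    ("/usr/sbin/sshd", "2011-02-13 08:30:06"),         # inside the window
    ("/bin/login", "2011-02-13 08:30:06"),             # packaged, not upgraded
    ("/usr/sbin/sshd", "2011-02-13 11:45:00"),         # upgraded, hours earlier
    ("/usr/local/bin/backup", "2011-02-13 08:30:06"),  # no owning package
]
FMT = "%Y-%m-%d %H:%M:%S"

def package_updates(log_text):
    """Return {package: [datetime, ...]} for install/upgrade lines in dpkg.log."""
    updates = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] in ("install", "upgrade"):
            when = datetime.strptime(" ".join(fields[:2]), FMT)
            pkg = fields[3].split(":")[0]  # drop an arch suffix such as ":amd64"
            updates.setdefault(pkg, []).append(when)
    return updates

def triage(alerts, owners, updates, window_seconds=300):
    """Split alerts into (fold_into_baseline, report) per the rule above."""
    window = timedelta(seconds=window_seconds)
    fold, report = [], []
    for path, seen in alerts:
        changed = datetime.strptime(seen, FMT)
        times = updates.get(owners.get(path), [])
        # Accept only changes at or after a logged update, within <x> seconds.
        if any(timedelta(0) <= changed - t <= window for t in times):
            fold.append((path, seen))
        else:
            report.append((path, seen))
    return fold, report

if __name__ == "__main__":
    fold, report = triage(ALERTS, OWNERS, package_updates(DPKG_LOG))
    print("fold:", fold)
    print("report:", report)
```

This is a time-window check only, so it inherits the spoofing concern raised in the message. A stricter variant would also compare the changed file's digest with the one recorded in the package's md5sums list before folding it in.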
