Thank you, I had forgotten debsums.
Sadly, debsums doesn't work for such basic packages as binutils and sysklogd.
-----Original Message-----
From: "Boyd Stephen Smith Jr."
Date: Mon, 8 Nov 2010 20:39:58
Subject: Re: How do I keep tripwire db in sync with apt-get updates?
In , Josh Narins wrote:
>Installing packages, updating packages, removing packages.
>
>These basic operations result in lots of tripwire noise. Was the
>change to /usr/sbin/zic part of a legitimate update, or a
>super-secret-stealth attack?
>
>At this point I wish I could md5sum every binary and library file
>managed by the OS and compare that to some authoritative source.
You may be interested in debsums, then. You could possibly use it to
determine if a file (but, not a conffile) updated by a package upgrade /
installation is the one shipped from Debian or an attacker taking advantage of
the window between package upgrade and tripwire scan.
In theory, it could be possible for dpkg/apt to update the tripwire database
automatically. I recommend against it, since then subverting dpkg/apt allows
an attacker to subvert tripwire. Because of different focuses, I think the
tripwire code is much harder to subvert than the dpkg/apt code.
--
Boyd Stephen Smith Jr.
b...@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
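Added example (editor's code, not something either poster wrote): the check Boyd describes, scoped to the packages dpkg just touched, so it covers the window between an upgrade and the next tripwire scan. It re-implements the core of debsums (compare each installed file with the md5sum dpkg recorded in /var/lib/dpkg/info/<pkg>.md5sums) so it can run and be tested offline, and it reports separately the case Josh ran into, a package that ships no md5sums at all. The function names, the package names pkg-clean, pkg-tampered and pkg-nosums, the directory layout of the fixture and the dpkg.log lines are all constructed for this example; the dpkg.log line format and the md5sums file format are the real ones.

```sh
#!/bin/sh
# Added example, not code from the thread. Mirrors what debsums checks
# (file contents vs. the md5sums dpkg recorded at install time) and limits
# the check to packages dpkg just installed or upgraded. All sample data is
# constructed by make_fixture below.

# verify_pkg PKG INFODIR ROOT
#   INFODIR is normally /var/lib/dpkg/info and ROOT is normally /.
#   Prints one line per problem. Returns 0 if every listed file matches,
#   1 if a file is missing or modified, 2 if the package shipped no md5sums
#   (debsums cannot help there). Conffiles are not in <pkg>.md5sums, so, as
#   with plain debsums, they are not covered.
verify_pkg() {
    pkg=$1 infodir=$2 root=$3
    sums="$infodir/$pkg.md5sums"
    if [ ! -f "$sums" ]; then
        echo "$pkg: no md5sums file shipped, cannot verify"
        return 2
    fi
    rc=0
    while read -r expect path; do          # lines are "<md5>  <relative path>"
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "$pkg: $path missing"
            rc=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expect" ]; then
            echo "$pkg: $path MODIFIED (dpkg recorded $expect, on disk $actual)"
            rc=1
        fi
    done < "$sums"
    return $rc
}

# changed_packages LOGFILE
#   Packages installed or upgraded according to dpkg.log lines of the form
#   "<date> <time> install|upgrade <pkg> <old-version> <new-version>".
#   A ":arch" suffix (newer dpkg) is stripped.
changed_packages() {
    awk '$3 == "install" || $3 == "upgrade" { sub(/:.*/, "", $4); print $4 }' "$1" | sort -u
}

# check_recent LOGFILE INFODIR ROOT
#   Runs verify_pkg over every package the log says was installed or upgraded.
#   Returns the worst status seen: 0 clean, 1 modified/missing, 2 unverifiable.
check_recent() {
    worst=0
    for p in $(changed_packages "$1"); do
        r=0
        verify_pkg "$p" "$2" "$3" || r=$?
        if [ "$r" -gt "$worst" ]; then worst=$r; fi
    done
    return $worst
}

# make_fixture DIR
#   Constructed dpkg-like tree for the demo: pkg-clean matches its md5sums,
#   pkg-tampered had a binary changed after dpkg recorded its sums (the
#   post-upgrade window), pkg-nosums shipped no md5sums at all.
make_fixture() {
    d=$1
    mkdir -p "$d/info" "$d/root/usr/sbin" "$d/root/usr/bin"
    printf 'zic build 1\n' > "$d/root/usr/sbin/zic"
    printf 'ld build 1\n' > "$d/root/usr/bin/ld"
    printf 'syslogd build 1\n' > "$d/root/usr/sbin/syslogd"
    printf '%s  usr/sbin/zic\n' "$(md5sum "$d/root/usr/sbin/zic" | cut -d' ' -f1)" > "$d/info/pkg-clean.md5sums"
    printf '%s  usr/bin/ld\n' "$(md5sum "$d/root/usr/bin/ld" | cut -d' ' -f1)" > "$d/info/pkg-tampered.md5sums"
    printf 'ld build 1 plus bytes an attacker appended\n' > "$d/root/usr/bin/ld"
    cat > "$d/dpkg.log" <<EOF
2010-11-08 20:39:58 upgrade pkg-clean 1.0-1 1.0-2
2010-11-08 20:39:59 install pkg-tampered <none> 2.1-1
2010-11-08 20:40:00 upgrade pkg-nosums 0.9-1 0.9-2
2010-11-08 20:40:01 status installed pkg-nosums 0.9-2
EOF
}

# Usage: sh verify-recent.sh demo                      (constructed data)
#        sh verify-recent.sh /var/log/dpkg.log /var/lib/dpkg/info /
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    check_recent "$tmp/dpkg.log" "$tmp/info" "$tmp/root"
    echo "exit status $?"
    rm -rf "$tmp"
elif [ $# -eq 3 ]; then
    check_recent "$1" "$2" "$3"
fi
```

On a real system the same job is `debsums -c` over the packages named in /var/log/dpkg.log since the last tripwire run, and a script like this can be hung off apt's DPkg::Post-Invoke so it fires after every apt operation. Two caveats follow from Boyd's last paragraph: the md5sums files live under dpkg's control, so an attacker who has subverted dpkg can rewrite them along with the binaries, which is why this narrows the window rather than replacing tripwire's separately protected database; and exit status 2 above is exactly the "debsums doesn't work for this package" case, for which debsums's --generate=missing option (where your version has it) can rebuild sums from the .deb in the apt cache.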