
Re: [Re: Security Thread Revival] integrity checking



Chuck Moss <mossc@MOSSC.COM> wrote:
> Yeah I use tripwire a lot now.

> Doesn't help with an audit after the fact.

Sure it does! You can know exactly what was changed.

> What I am thinking about is some kind of rescue floppy/CD that has a
> database of chksums or something like that.  Maybe I can pull them out of
> the original RPMS and build a table or something.

> The trick is to build a good database and have a controlled clean
> independent boot.

Right. If your box is thoroughly cracked, you can't trust the scheduled
tripwire runs. A tripwire/AIDE/etc. cron job is better than nothing, but far
from perfect.

> Anybody done this yet?

A few things:

A rescue CD + floppy is tough, as you can't hold much data on a floppy. Jay
Beale wrote an article on using Tripwire, and setting up a second config for a
smaller, floppy-based database:
http://securityportal.com/topnews/tripwire20000711.html

[I've had better luck with floppy tripwire databases for Solaris, but I expect
that's because Solaris includes so little software. ;-)]

A better option would be having a Zip/LS-120 or both a CD and a CD-R[W] drive,
so you could boot off the CD and use the Zip/LS-120/CD-R[W] to hold a full
integrity-checking database.

RPM verification: Sweth Chandramouli (a DC-area open systems guru) put
together a Perl script that uses RPM's --verify option to check package
integrity. There were a few things I wanted to add, but didn't. :-( If you
rely heavily or exclusively on RPM packages, this is a great way to check things
out if you failed to set up a tripwire/AIDE/etc. database. Not perfect, as 1)
your configuration files are sure to change from the standard package, and
this can't discern your changes from an attacker's changes 2) obviously does
no good for non-RPM software 3) wouldn't catch the addition of new software
that didn't conflict with RPMs, e.g. SUID root shells. Sweth's script should
be on the Bastille-linux-discuss archives,
http://lists.sourceforge.net/mailman/listinfo/bastille-linux-discuss, but I'm
having trouble reaching that site at the moment.

AIDE is a tripwire-like app that is truly Free Software:
http://www.cs.tut.fi/~rammer/aide.html

Two things about AIDE bug me:
 - configuration doesn't seem as flexible as Tripwire, e.g. 
   having it check /foo but not /foo/bar or anything under /foo/bar
 - it doesn't monitor directory stat() info, e.g. an attacker could
   chmod a+w /etc and AIDE wouldn't catch it

-Peter
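Added example (not from Peter's message, and not Tripwire, AIDE or Sweth's RPM script): a small integrity database of the kind the thread is talking about, kept in a JSON file that could live on the Zip/CD-R media. It hashes files (SHA-256 here, my choice) and records stat() data for directories as well as files, so a `chmod a+w /etc` is reported, supports "check /foo but nothing under /foo/bar" by pruning excluded subtrees, and lists setuid files, which is what `rpm --verify` cannot see when the file belongs to no package. Path layout, the sample tree and the tampering in demo() are all constructed for illustration.

```python
# Added example for this thread: file hashes plus stat() data for files AND directories.
# Assumptions (mine, not the message's): SHA-256 content hashes, root-relative keys, JSON on disk.
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def describe(path):
    """Attributes to watch. Directories get a record too, so chmod a+w /etc shows up
    as a mode change. lstat() keeps symlinks from being followed."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISDIR(st.st_mode):
        rec["type"] = "dir"
    elif stat.S_ISLNK(st.st_mode):
        rec["type"], rec["target"] = "link", os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        rec["type"], rec["size"], rec["sha256"] = "file", st.st_size, file_digest(path)
    else:
        rec["type"] = "other"
    return rec


def build_database(root, exclude=()):
    """Describe everything under root. `exclude` lists root-relative directories whose
    subtrees are skipped entirely: check /foo but nothing under /foo/bar."""
    excluded = {os.path.normpath(e) for e in exclude}
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in excluded]
        db[rel_dir] = describe(dirpath)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            db[rel] = describe(os.path.join(dirpath, name))
    return db


def compare(baseline, current):
    """Return (path, change, old, new) tuples for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed", baseline[path]["type"], None))
        elif path not in baseline:
            findings.append((path, "added", None, current[path]["type"]))
        else:
            old, new = baseline[path], current[path]
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    findings.append((path, key, old.get(key), new.get(key)))
    return findings


def setuid_entries(db):
    """Setuid/setgid regular files: the dropped SUID shell that rpm --verify never sees."""
    return sorted(p for p, r in db.items()
                  if r["type"] == "file" and r["mode"] & (stat.S_ISUID | stat.S_ISGID))


def save_database(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_database(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: take a baseline, simulate tampering, re-check from the saved DB."""
    root, media = tempfile.mkdtemp(prefix="host-"), tempfile.mkdtemp(prefix="media-")
    try:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        os.chmod(etc, 0o755)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")        # constructed sample data
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "var", "log", "messages"), "w") as fh:
            fh.write("boot\n")
        db_file = os.path.join(media, "integrity.json")        # stands in for the Zip/CD-R
        save_database(build_database(root, exclude=["var/log"]), db_file)

        os.chmod(etc, 0o777)                                   # attacker: chmod a+w /etc
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("evil:x:0:0::/:/bin/sh\n")                # attacker: second uid-0 account
        shell = os.path.join(root, ".hidden_sh")
        with open(shell, "w") as fh:
            fh.write("#!/bin/sh\nexec /bin/sh\n")
        os.chmod(shell, 0o4755)                                # attacker: setuid shell, no package owns it
        with open(os.path.join(root, "var", "log", "messages"), "a") as fh:
            fh.write("noise\n")                                # excluded subtree: must not be reported

        current = build_database(root, exclude=["var/log"])
        return compare(load_database(db_file), current), setuid_entries(current)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(media, ignore_errors=True)
```

Run from a clean boot with the JSON on read-only media and a `build_database` of the real filesystem, and `compare` gives the after-the-fact audit Chuck was asking about; `setuid_entries` over the fresh database covers the "new SUID root shell" case that neither the baseline diff (if the baseline was never taken) nor `rpm --verify` will flag. The caveat from the message still applies: locally edited config files will differ from the baseline too, and the tool cannot tell your edits from an attacker's.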

