> I have the impression there are projects already, that would do to the > job with some tweaking (tripwire, ..) > Maybe, although I can't see how you get round the problem that you need to update the checksum database every time you install new or updated software.
Ok, I see your problem: you want some other source, not your system, to hold the values (checksums) that ensure integrity. But you do not mind that it is online (not available when your system is not connected to the Internet) So when you run a security-check, and new software has been added, you might as well define a route to a place to hold the newly-to-be-calculated checksums (CD-ROM/USB stick, outside server where you can post/read, gmail-filesystem, etc). A worthwhile ambition, where I still feel it'll be as hard to make it debian-only as not. Another point is that configuration files play a big part in the security of your system and a debian-only package checksum will not be able to capture the state of locally changed configurations. For example if your fstab says "mount this partitiion read-only" then you would like to be notified by your check if that has been changed (maliciously). Stephan
andy > Plus, you might as well bundle the check with a backup-system, since > you are already looking at your system at rest, and no services are > running to worry about. > > Stephan > > On 6/24/07, andy baxter <[EMAIL PROTECTED]> wrote: >> Jim Popovitch wrote: >> > On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote: >> > >> >> The difference is that: >> >> >> >> a) These all run on the live system they are trying to protect, >> >> >> > >> > Unless you configure them to only write to an offline mount point that >> > is normally ro and only rw through external effort.... which is in >> > Tripwire's best practices. >> > >> > -Jim P. >> > >> OK, this would work. The problem for me is that it would involve turning >> the media r/w and updating the database every time I run apt-get to >> install security updates, which I do once a week. If I was running a >> large server farm and I was looking after it full time, this would be >> OK, but my situation is that I have two machines, both for personal use, >> and I don't want to have to devote my entire life to looking after the >> security on them. The machines are a laptop for general use, and a >> server which I use for testing and demonstrating small web-based >> projects I do for people on a voluntary basis. They are connected to the >> internet by ADSL, with only the server set to accept incoming >> connections. >> >> The other night, I had my laptop switched on and a sound file I had >> never heard before played through the speaker (it said 'hello' in >> someone else's voice). I'm assuming I've been cracked and it was >> someone's idea of a joke. I've halted the server in case that was their >> way in, and I'm planning to reinstall both my machines this week, but >> also looking for a more long term solution which I could put some time >> into now and save myself and anyone else who wants to use it a lot of >> trouble in the future. >> >> What I'm looking for is a solution where I can do security updates every >> week, as my first line of defence, but then have a fallback way of >> detecting intrusions which I could run maybe every month, which doesn't >> need too much work to keep on top of it once it's been set up. I can >> probably find ways of improving my security using existing tools, but it >> occurred to me that the system I described would be a pretty watertight >> check on whether a system has been cracked, which is what I'm looking >> for. >> >> andy baxter. >> >> >> -- >> To UNSUBSCRIBE, email to [EMAIL PROTECTED] >> with a subject of "unsubscribe". Trouble? Contact >> [EMAIL PROTECTED] >> >> > > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
-- Stephan Wehner -> http://stephan.sugarmotor.org -> http://www.thrackle.org -> http://www.buckmaster.ca -> http://www.trafficlife.com -> http://stephansmap.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
