Gentoo Archives: gentoo-security

From: Andrea Barisani <lcars@g.o>
To: Michel Wilson <michel@×××××××.net>
Cc: Andrew Gaffney <agaffney@×××××××××××.com>, gentoo-security@l.g.o
Subject: Re: [gentoo-security] tripwire-ish portage scanner
Date: Thu, 25 Mar 2004 23:55:07
Message-Id: 20040325235447.GO20380@sole.infis.univ.trieste.it
In Reply to: Re: [gentoo-security] tripwire-ish portage scanner by Michel Wilson
On Thu, Mar 25, 2004 at 09:16:05PM +0100, Michel Wilson wrote:
> On Thu, Mar 25, 2004 at 02:03:45PM -0600, Andrew Gaffney wrote:
> > Tom Hosiawa wrote:
> > >What about qpkq being compromised itself. As I understand it, in
> > >tripwire, cryptographic keys are used for the policy file.
> > >
> > >Couldn't an attacker mess around with which files qpkq scans?
> >
> > That's another good reason for a custom portage-integrated solution.
> >
> Oh yeah, that's a little 'detail' I forgot, yes :P
> The integrity scanner itself can indeed be compromised. There isn't much
> we can do about this, it's a chicken-and-egg problem. One solution would
> be a read-only medium to store the scanner on, or a copy of gpg + the
> signature of the scanner. But that is kind of problematic. And what
> about an attacker that installs a rootkit so that the scanned files
> appear to be intact when opened by the scanner, but not when opened by
> the kernel?
> To make a long story short, one can never be sure. My opinion is that
> something along the lines of Tripwire is secure enough in most cases.
> Tripwire can also be fooled by replacing the binary itself. If the
> attacker does it right, no-one will notice. I.e. same file size, only skip
> scanning files that are compromised so that there will still be false
> alerts upon upgrades, etc.
>
> Michel Wilson.

I suggest that you look at samhain:

http://la-samhna.de/samhain

It's an excellent file integrity and host-based intrusion detection system
with advanced features that solve the "chicken-and-egg" problem along with
other cool gizmos :).


Bye

--
Andrea Barisani <lcars@g.o> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^

--
gentoo-security@g.o mailing list
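The thread above discusses two distinct ways a Tripwire-style scanner can be defeated: replacing a monitored file with a same-size substitute, and tampering with the scanner's own database or policy so the substitute is never flagged. The following Python example, added here and not part of the thread or of any tool mentioned in it (tripwire, samhain, qpkg), shows the minimal mechanism that addresses the second problem: a baseline of SHA-256 hashes whose serialized form is authenticated with an HMAC key held off the host. The file names, contents and the key are constructed for the demonstration; the first problem is shown only to the extent that a same-length replacement still changes the hash. It does not address the rootkit case Michel raises (a kernel that lies to the scanner), which no userland check can solve.

```python
"""Minimal file-integrity baseline with a keyed (HMAC) database.

Added illustration of the Tripwire-style approach discussed in the thread:
hashes are only as trustworthy as the database that stores them, so the
database is authenticated with a key that should live off the host (or on
read-only media). Sample files and the key below are constructed.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key):
    """Record hash and size of each file, then HMAC the serialized record."""
    entries = {p: {"sha256": hash_file(p), "size": os.path.getsize(p)}
               for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": body.decode(), "hmac": tag}


def load_baseline(baseline, key):
    """Refuse to use a baseline whose HMAC does not verify under the key."""
    body = baseline["entries"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        raise ValueError("baseline database tampered with or wrong key")
    return json.loads(body)


def scan(baseline, key):
    """Compare current file hashes against the authenticated baseline."""
    entries = load_baseline(baseline, key)
    report = {"modified": [], "missing": [], "ok": []}
    for path, rec in entries.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path) != rec["sha256"]:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Run the scanner over two constructed files and return the outcomes."""
    d = tempfile.mkdtemp()
    try:
        a = os.path.join(d, "bin_ls")        # constructed stand-in for a binary
        b = os.path.join(d, "etc_passwd")    # constructed stand-in for a config
        with open(a, "wb") as f:
            f.write(b"original ls binary\n")
        with open(b, "wb") as f:
            f.write(b"root:x:0:0\n")
        key = b"constructed-demo-key-keep-it-off-host"  # assumption: held offline

        baseline = build_baseline([a, b], key)
        clean = scan(baseline, key)

        # Same-size replacement (the "same file size" trick in the thread):
        # the size matches the record but the hash does not.
        old_hash_a = hash_file(a)
        with open(a, "wb") as f:
            f.write(b"trojaned ls binary\n")  # same length as the original
        after = scan(baseline, key)

        # Editing the stored database to carry the new hash, without the key,
        # breaks the HMAC and the scanner refuses to load it.
        forged = dict(baseline)
        forged["entries"] = baseline["entries"].replace(old_hash_a, hash_file(a))
        try:
            scan(forged, key)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True

        return {"clean": clean, "after": after,
                "db_tamper_detected": db_tamper_detected}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC only protects the database; the scanner binary and the key are still the trust anchors, which is why the thread points at read-only media, a GPG-verified copy of the scanner, or an out-of-band design such as samhain's for that part of the problem.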
