List Archive: gentoo-security
Ryan Voots said:
> On Mon, 9 Feb 2004 15:16:55 -0500
> "James Dennis" <james@...> wrote:
>> Right, I know it's not like tripwire. Just suggesting something to add
>> to a default install, but you're right about just updating those files
>> I think it'd be beneficial to come up with something that could be used
>> for built in integrity checking, but I'm not sure how to do it...
> IIRC whenever portage merges something in it keeps a list of the files
> and their md5's in
> could these md5's be used? maybe have portage make the files immutable,
> and find some way to protect them from anyone but root, since if they've
> got root I doubt they would be going to all the trouble of doing that,
> unless they want to use your box as a hole for something else, maybe a
> way to keep those hashes on some type of removable media? usb flash
> devices and such anyone? maybe a floppy for just the binutils and such?
How about a bootable gentoo CD that can be used to verify packages on the
hard drive from a copy (preferably on CD or something) of the
/var/db/pkg/* directory? I imagine if the command line arguments to
specify the db path for portage exist, then it may already be workable
with a standard gentoo livecd.
It's an idea I have been toying with, but haven't had any time to do any
research on. It would be a poor replacement for tripwire, but with the
right scripts to automate the db copy to secure media it might be a quick
and effective "out of the box" solution, and would be a lot more secure
than keeping md5s or copies of the files anywhere on the hard drive.
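To make the idea above concrete, here is an added example (not code from the thread, from Gentoo or from portage) of the check a live CD could run: it parses the `CONTENTS` files from a copy of `/var/db/pkg`, hashes the corresponding files under a mount point of the hard drive, and reports anything modified or missing. It assumes the `CONTENTS` line format `obj /path <md5> <mtime>` (plus `dir` and `sym` lines, which carry no hash); the `root` and `vdb_dir` arguments, the `demo()` scenario and all file contents are constructed for the example.

```python
"""Verify installed files against the md5 sums portage records in
/var/db/pkg/<category>/<pkg>/CONTENTS.  Added example for this thread,
not code from Gentoo or portage.  The 'root' argument lets the check run
from a live CD against a mounted hard drive, with the CONTENTS files taken
from a trusted copy of /var/db/pkg kept on read-only media."""
import hashlib
import os
import tempfile
from pathlib import Path

def parse_contents(text):
    """Parse one CONTENTS file.  Each line is one of:
         dir /path
         obj /path <md5> <mtime>
         sym /path -> target <mtime>
    Only 'obj' lines carry an md5, so only those are returned."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "obj":
            # parts[-2] is the md5 and parts[-1] the mtime; the path may
            # contain spaces, so rejoin everything in between.
            path = " ".join(parts[1:-2])
            entries.append((path, parts[-2].lower()))
    return entries

def md5_of(path):
    """md5 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_contents(entries, root="/"):
    """Compare each recorded file under 'root' with its stored md5.
    Returns {path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for path, expected in entries:
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(target):
            results[path] = "missing"
        elif md5_of(target) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results

def verify_vdb(vdb_dir, root="/"):
    """Walk a (trusted copy of a) /var/db/pkg tree and verify every package.
    Returns {'<category>/<pkg-version>': {path: status}}."""
    report = {}
    for contents in Path(vdb_dir).glob("*/*/CONTENTS"):
        pkg = f"{contents.parent.parent.name}/{contents.parent.name}"
        report[pkg] = verify_contents(parse_contents(contents.read_text()), root)
    return report

def demo():
    """Constructed scenario (hypothetical package app-misc/demo-1.0): a fake
    root with one file altered after installation and one file deleted."""
    base = Path(tempfile.mkdtemp())
    root = base / "root"
    vdb = base / "vdb"
    (root / "usr/bin").mkdir(parents=True)
    good = b"#!/bin/sh\necho good\n"
    original = b"#!/bin/sh\necho original\n"
    (root / "usr/bin/good").write_bytes(good)
    (root / "usr/bin/tampered").write_bytes(original)
    pkgdir = vdb / "app-misc/demo-1.0"
    pkgdir.mkdir(parents=True)
    (pkgdir / "CONTENTS").write_text(
        "dir /usr\n"
        "dir /usr/bin\n"
        f"obj /usr/bin/good {hashlib.md5(good).hexdigest()} 1076358000\n"
        f"obj /usr/bin/tampered {hashlib.md5(original).hexdigest()} 1076358000\n"
        "obj /usr/bin/removed d41d8cd98f00b204e9800998ecf8427e 1076358000\n"
        "sym /usr/bin/alias -> good 1076358000\n"
    )
    # Simulate a post-install change to an installed file.
    (root / "usr/bin/tampered").write_bytes(b"#!/bin/sh\necho replaced\n")
    return verify_vdb(vdb, root)

if __name__ == "__main__":
    for pkg, files in demo().items():
        for path, status in sorted(files.items()):
            if status != "ok":
                print(f"{pkg}: {path}: {status}")
```

Two limits worth keeping in mind: the check only covers files portage installed (config edits, cron jobs and anything dropped into a directory portage does not own are invisible to it), and the copy of `/var/db/pkg` is only trustworthy if it was written to the read-only media before the box could have been tampered with.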