| 1 |
The problem with any kind of live cd is that, being gentoo users, we |
| 2 |
like to customize our systems. We'd have to have a cd each day or |
| 3 |
something. Seems like there must be something a little easier but |
| 4 |
equally useful. |
| 5 |
-James |
| 6 |
|
| 7 |
On Feb 9, 2004, at 6:12 PM, J Holder wrote: |
| 8 |
|
| 9 |
> Ryan Voots said: |
| 10 |
>> On Mon, 9 Feb 2004 15:16:55 -0500 |
| 11 |
>> "James Dennis" <james@×××××××××××××.com> wrote: |
| 12 |
>> |
| 13 |
>>> Right, I know it's not like tripwire. Just suggesting something to |
| 14 |
>>> add |
| 15 |
> to a default install, but you're right about just updating those files |
| 16 |
> too. |
| 17 |
>>> |
| 18 |
>>> I think it'd be beneficial to come up with something that could be |
| 19 |
>>> used |
| 20 |
> for built in integrity checking, but I'm not sure how to do it... |
| 21 |
> suggestions? |
| 22 |
>>> |
| 23 |
>>> -James |
| 24 |
>> |
| 25 |
>> IIRC whenever portage merges something in it keeps a list of the files |
| 26 |
> and their md5's in |
| 27 |
>> |
| 28 |
>> /var/db/pkg/<category>/<package>/CONTENTS |
| 29 |
>> |
| 30 |
>> could these md5's be used? maybe have portage make the files |
| 31 |
>> immutable, |
| 32 |
> and find some way to protect them from anyone but root, since if |
| 33 |
> they've |
| 34 |
> got root i doubt they would be going to all the trouble of doing that, |
| 35 |
> unless they want to use your box as a hole for something else, maybe a |
| 36 |
> way to keep those hashes on some type of removable media? usb flash |
| 37 |
> devices and such anyone? maybe a floppy for just the binutils and such? |
| 38 |
> |
| 39 |
> How about a bootable gentoo CD that can be used to verify packages on |
| 40 |
> the |
| 41 |
> hard drive from a copy (preferably on CD or something) of the |
| 42 |
> /var/db/pkg/* directory? I imagine if the command line arguments to |
| 43 |
> specify the db path for portage exist, then it may already be workable |
| 44 |
> with a standard gentoo livecd. |
| 45 |
> |
| 46 |
> Its an idea I have been toying with, but havent had any time to do any |
| 47 |
> research on. It would be a poor replacement for tripwire, but with the |
| 48 |
> right scripts to automate the db copy to secure media it might be an |
| 49 |
> quick |
| 50 |
> and effective "out of the box" solution, and would be a lot more secure |
| 51 |
> than keeping md5s or copies of the files anywhere on the harddrive. |
| 52 |
> |
| 53 |
> |
| 54 |
> |
| 55 |
> -- |
| 56 |
> gentoo-security@g.o mailing list |
| 57 |
> |
| 58 |
> |
| 59 |
|
| 60 |
|
| 61 |
-- |
| 62 |
gentoo-security@g.o mailing list |
Archives