Ryan Voots said:

> On Mon, 9 Feb 2004 15:16:55 -0500
> "James Dennis" <james@×××××××××××××.com> wrote:
>
>> Right, I know it's not like tripwire. Just suggesting something to add
>> to a default install, but you're right about just updating those files
>> too.
>>
>> I think it'd be beneficial to come up with something that could be used
>> for built-in integrity checking, but I'm not sure how to do it...
>> suggestions?
>>
>> -James
>
> IIRC whenever portage merges something in it keeps a list of the files
> and their md5's in
>
> /var/db/pkg/<category>/<package>/CONTENTS
>
> could these md5's be used? maybe have portage make the files immutable,
> and find some way to protect them from anyone but root, since if they've
> got root I doubt they would be going to all the trouble of doing that,
> unless they want to use your box as a hole for something else, maybe a
> way to keep those hashes on some type of removable media? usb flash
> devices and such anyone? maybe a floppy for just the binutils and such?

How about a bootable gentoo CD that can be used to verify packages on the
hard drive from a copy (preferably on CD or something) of the
/var/db/pkg/* directory? I imagine if the command line arguments to
specify the db path for portage exist, then it may already be workable
with a standard gentoo livecd.

It's an idea I have been toying with, but haven't had any time to do any
research on. It would be a poor replacement for tripwire, but with the
right scripts to automate the db copy to secure media it might be a quick
and effective "out of the box" solution, and would be a lot more secure
than keeping md5s or copies of the files anywhere on the hard drive.

--
gentoo-security@g.o mailing list
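Worked example, added here and not part of the thread or of portage itself: a small Python script that does what the messages above sketch. It parses the CONTENTS format portage records at merge time (obj <path> <md5> <mtime>, plus dir and sym lines that carry no hash), takes that text as the trusted copy, and compares every recorded file under a given mount point against its md5. The file names, file contents and CONTENTS text are constructed for the demo; in real use the trusted copy would be read from the CD or flash copy of /var/db/pkg, and root would be the hard drive's mount point under the live CD (for example /mnt/gentoo), since checking the running system from its own disk is only as trustworthy as that system.

```python
"""Verify files on a mounted Gentoo root against a trusted copy of portage's
CONTENTS records.  Added illustration for the thread, not portage code."""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_contents(text):
    """Map path -> recorded md5 for every 'obj' line in a CONTENTS file.

    Line formats portage writes (mtime is a Unix timestamp):
        obj <path> <md5> <mtime>
        sym <path> -> <target> <mtime>
        dir <path>
    Only 'obj' entries carry a hash, so 'dir' and 'sym' lines are skipped.
    The md5 is taken as the second-to-last field so that a path containing
    spaces still parses.
    """
    hashes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "obj":
            path = " ".join(parts[1:-2])
            hashes[path] = parts[-2].lower()
    return hashes


def md5_of_file(path):
    """Hex md5 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(hashes, root="/"):
    """Compare each recorded object under `root` with its trusted md5.

    `root` is where the hard drive is mounted when running from a live CD.
    Returns {path: "ok" | "modified" | "missing"}.
    """
    report = {}
    for rel_path, expected in hashes.items():
        real = os.path.join(root, rel_path.lstrip("/"))
        if not os.path.isfile(real):
            report[rel_path] = "missing"
        elif md5_of_file(real) != expected:
            report[rel_path] = "modified"
        else:
            report[rel_path] = "ok"
    return report


def demo():
    """Constructed scenario: 'merge' three files into a throwaway root, record a
    CONTENTS file the way portage would, then tamper with the disk and verify.
    Returns the report so it can be inspected."""
    with tempfile.TemporaryDirectory() as root:
        files = {                                   # constructed sample files
            "/usr/bin/intact": b"#!/bin/sh\necho fine\n",
            "/usr/bin/trojaned": b"#!/bin/sh\necho fine\n",
            "/usr/bin/removed": b"#!/bin/sh\necho gone\n",
        }
        lines = ["dir /usr", "dir /usr/bin"]
        for rel, data in files.items():
            real = Path(root) / rel.lstrip("/")
            real.parent.mkdir(parents=True, exist_ok=True)
            real.write_bytes(data)
            lines.append(f"obj {rel} {md5_of_file(real)} 1076358000")
        trusted_contents = "\n".join(lines) + "\n"  # this is what goes onto the CD

        # Changes made to the hard drive after the trusted copy was taken.
        (Path(root) / "usr/bin/trojaned").write_bytes(b"#!/bin/sh\necho changed\n")
        (Path(root) / "usr/bin/removed").unlink()

        return verify(parse_contents(trusted_contents), root=root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s}{path}")
```

Against a real system you would concatenate the CONTENTS files from the read-only copy of /var/db/pkg, feed the text to parse_contents, and pass the hard drive's mount point as root. Note that the check only proves the file matches what portage recorded at merge time and ignores the mtime field and permissions, and that md5 is used simply because that is what CONTENTS stores.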