| 1 |
Ryan Voots said: |
| 2 |
> On Mon, 9 Feb 2004 15:16:55 -0500 |
| 3 |
> "James Dennis" <james@×××××××××××××.com> wrote: |
| 4 |
> |
| 5 |
>> Right, I know it's not like tripwire. Just suggesting something to add |
| 6 |
to a default install, but you're right about just updating those files |
| 7 |
too. |
| 8 |
>> |
| 9 |
>> I think it'd be beneficial to come up with something that could be used |
| 10 |
for built in integrity checking, but I'm not sure how to do it... |
| 11 |
suggestions? |
| 12 |
>> |
| 13 |
>> -James |
| 14 |
> |
| 15 |
> IIRC whenever portage merges something in it keeps a list of the files |
| 16 |
and their md5's in |
| 17 |
> |
| 18 |
> /var/db/pkg/<category>/<package>/CONTENTS |
| 19 |
> |
| 20 |
> could these md5's be used? maybe have portage make the files immutable, |
| 21 |
and find some way to protect them from anyone but root, since if they've |
| 22 |
got root i doubt they would be going to all the trouble of doing that, |
| 23 |
unless they want to use your box as a hole for something else, maybe a |
| 24 |
way to keep those hashes on some type of removable media? usb flash |
| 25 |
devices and such anyone? maybe a floppy for just the binutils and such? |
| 26 |
|
| 27 |
How about a bootable gentoo CD that can be used to verify packages on the |
| 28 |
hard drive from a copy (preferably on CD or something) of the |
| 29 |
/var/db/pkg/* directory? I imagine if the command line arguments to |
| 30 |
specify the db path for portage exist, then it may already be workable |
| 31 |
with a standard gentoo livecd. |
| 32 |
|
| 33 |
Its an idea I have been toying with, but havent had any time to do any |
| 34 |
research on. It would be a poor replacement for tripwire, but with the |
| 35 |
right scripts to automate the db copy to secure media it might be an quick |
| 36 |
and effective "out of the box" solution, and would be a lot more secure |
| 37 |
than keeping md5s or copies of the files anywhere on the harddrive. |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
gentoo-security@g.o mailing list |
Archives