Gentoo Archives: gentoo-security

From: J Holder <trs-gml@××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Built in integrity?
Date: Mon, 09 Feb 2004 23:23:08
1 Ryan Voots said:
2 > On Mon, 9 Feb 2004 15:16:55 -0500
3 > "James Dennis" <james@×××××××××××××.com> wrote:
4 >
5 >> Right, I know it's not like tripwire. Just suggesting something to add
6 to a default install, but you're right about just updating those files
7 too.
8 >>
9 >> I think it'd be beneficial to come up with something that could be used
10 for built in integrity checking, but I'm not sure how to do it...
11 suggestions?
12 >>
13 >> -James
14 >
15 > IIRC whenever portage merges something in it keeps a list of the files
16 and their md5's in
17 >
18 > /var/db/pkg/<category>/<package>/CONTENTS
19 >
20 > could these md5's be used? maybe have portage make the files immutable,
21 and find some way to protect them from anyone but root, since if they've
22 got root i doubt they would be going to all the trouble of doing that,
23 unless they want to use your box as a hole for something else, maybe a
24 way to keep those hashes on some type of removable media? usb flash
25 devices and such anyone? maybe a floppy for just the binutils and such?
27 How about a bootable gentoo CD that can be used to verify packages on the
28 hard drive from a copy (preferably on CD or something) of the
29 /var/db/pkg/* directory? I imagine if the command line arguments to
30 specify the db path for portage exist, then it may already be workable
31 with a standard gentoo livecd.
33 Its an idea I have been toying with, but havent had any time to do any
34 research on. It would be a poor replacement for tripwire, but with the
35 right scripts to automate the db copy to secure media it might be an quick
36 and effective "out of the box" solution, and would be a lot more secure
37 than keeping md5s or copies of the files anywhere on the harddrive.
41 --
42 gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] Built in integrity? Mark Guertin <guertin@××××××××××××××.com>
Re: [gentoo-security] Built in integrity? James Dennis <james@×××××××××××××.com>