Page last updated:
2008 Aug 13 23:19

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Verify Ubuntu files

Quoting Bill Broadley (bill@cse.ucdavis.edu):

> Assuming you took reasonable precautions, maintained physical security
> and had zero or just ssh port open you should be fine.  

I'll bet buggy Web apps are common vectors.  ;->

[kernel-based rootkit implementations prevail]

> So local tripwire, local package database, or even a remote 
> network mount is basically useless.

Doing any IDS check from known-good boot media is obviously far better
(where one can afford the downtime), and the only way any integrity
check of the boot chain can possibly hope to be reliable.

> Booting known good media is much better, although even then it's
> pretty trivial to subvert.

Oh, do tell.

> Of course it's relatively trivial to hack a machine, not change a single 
> binary, and open up a back door.

I assume you mean that _if_ you have cracked a machine, it's easy to
avoid changing the binaries, and yet open a back door.  However, you
must make a critical change to system configuration to make that
persist, which change then is part of the forensic trail.

> One nice thing about CDR is that it auto updates, every patch happens
> securely, much better than running tripwire locally where step #3 for
> hacking a system is to find tripwire and include your backdoors when
> it's run so that the next time the admin runs a patch and approves a 500
> file update that the backdoor will be included.

That would be a rather careless sysadmin who doesn't detect the fact
that the TW policy file has been altered.  All of the thing's files, you
may recall, are crypto-signed, right down to the reports -- and that
would be pretty pointless if you didn't always (at minimum) use its
siggen utility from read-only media to check them.  Even at that, it's 
theoretically possible that a subverted runtime system (not rebooted to
known-good media) could jigger the siggen checks to make it lie and
report the expected hash values, but I'll believe that when I see it.

(FWIW, I don't like Tripwire:  Too slow, far too much hassle to admin,
too crufty; but I'm glad to give credit for what they did thoughtfully.)
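The post's argument is that an integrity checker is only as good as the integrity of its own baseline and policy files, which is why Tripwire signs them and why the signature check should run from read-only media. The following is an added example, not code from the thread or from Tripwire, that shows the shape of that check in a few dozen lines: hash a tree into a manifest, sign the manifest with an HMAC key that would live on the known-good media, and then refuse to trust a manifest whose signature fails before diffing it against the live filesystem. The directory layout, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and record the hash of every regular file, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def serialize(manifest):
    """Canonical encoding so the same manifest always signs to the same value."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest; the key stays on read-only media."""
    return hmac.new(key, serialize(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    """Constant-time check that the stored manifest has not been edited."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def compare(baseline, current):
    """Report files added, removed or modified relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a tree, alter it, then check both signature and diff."""
    key = b"constructed-demo-key-keep-offline"  # assumption: provisioned on the boot media
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "policy.txt"), "wb") as f:
            f.write(b"check bin/*\n")
        baseline = build_manifest(root)
        sig = sign_manifest(baseline, key)

        # Later, on the live system: policy file edited, a new file added, bin/ls untouched
        with open(os.path.join(root, "policy.txt"), "wb") as f:
            f.write(b"check bin/* exclude extra\n")
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"x")
        current = build_manifest(root)

        # Editing the stored baseline to match the new state does not survive
        # verification, because the key needed to re-sign it is not on the box
        edited = dict(baseline)
        edited["extra"] = current["extra"]
        edited["policy.txt"] = current["policy.txt"]

        return {
            "baseline_ok": verify_manifest(baseline, sig, key),
            "edited_ok": verify_manifest(edited, sig, key),
            "diff": compare(baseline, current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice that matters is the order of operations: the manifest's own signature is checked first, and only a manifest that passes is used for the comparison. A baseline that has been quietly rewritten to bless new files fails that first step, which is the failure the post says a careless administrator would miss.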