[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: System integrity...

> 2) Config files are not secured - as these are modified by the sysop _after_
>    the md5sum is created.  Again, tripwire can help here.
How about a package like dpkg-repack that generates the md5sums for ALL
registered (package) config files and therefore updates the md5sums database.
This could be run whenever the administrator changes some config files.

> 2) Using tripwire is a hasstle - particularily for people who are either
>    simple users, or people managing a large number of not-so-critical
> 	machines.  You really need to have _physical_ access to move a tripwire
> 	database to read-only media, and the database requires updating after
> 	every system upgrade.  And I'm sure most people running unstable wouldn't
> 	keep up with that strict regime.
That would also be problem with my idea of a dpkg-based config integrity check.
 
> What I propose is to extend the security of Debian.  I do not propose an
> "ultimate security solution", but simply a method to increase the security
> debian offers to users.  The proposal is as follows:
That's exactly what my initial idea was (but I was unable to express my
thoughts however :-) ). I would appreciate the implementation of this proposal
and I might be able to help.

Rene
Reply to: