Re: Debian audititing tool?
I would agree with your comments except the scan of the Linux Kernel.
You can use computer fornesics to scan the kernal against familiar trojan
and virus patterns realitively quickly and at least identify problem
code. It would be up to you to review to see if it is good or bad code.
The scans where something like 5 minutes for a 5GB drive. It is just
scan the 1s and 0s.
Dan
---- Christian Kurz <shorty@debian.org> wrote:
> On 00-12-21 Peter Eckersley wrote:
> > Basically, I started reading the tripwire documentation, stopped,
> and
> > thought "Debian ought to make this *much* simpler". It seemed that
> if I
> > wanted to use tripwire, I'd need to tell it every time I was installing
> > a new package. I'd then need to update a record on read-only media...
>
> Hm, looking at your statement above, I get the feeling that you have
> no
> idea, what the purpose of tripwire really is. If you use it without
> a
> read-only media to save the data too and rerunning it when you install
> software on the machine, it won't be very helpful to track an intrusion.
>
> > Debsums seems to help a little bit - you can expect to catch some
> less-clueful
> > intruders with it, but it doesn't help in general.
>
> debsums just uses md5sums which can be manipulated on the one hand
> and
> on the other hand you modify binaries so that the md5sum will still
> be
> the same.
>
> > What I'd really like is this:
>
> > A CDROM or boot floppy with a clean kernel, which downloads a set
> of clean
> > md5sums from a trusted server, and checks those. It could then produce
> a list
> > of modified configuration files, which one would need to check by
> hand.
>
> So, how do you define clean kernel? Which kernel is really clean? How
> do
> you define if a server is trustable and how do you make sure that no
> one
> has put modified binaries on it?
>
> > * Kernel "trojan scans" for all known nasty kernel code.
>
> How do you want to do this with a source that is about 117M big? You
> have any idea how long it will take? Also you could hide nasty code
> very
> good in it and which will be hard to catch (This is an assumption by
> myself, after having looked at some parts of the kernel-source.)
>
> > * Debian security servers - these could keep a record of which config
> file
> > changes you've okayed. They might also allow you to checksum
> customised
>
> What? Mirrors worldwide for your config-files? Use tripwire and you
> don't need this.
>
> > * Heuristic analysis scripts to look for funny things in users' home
> > directories, such as SETUID stuff and questionable aliases in .bashrc,
> for
> > example (although this can never be perfect).
>
> You want to scan user-dirs without telling them that you do this? In
> Germany you would better be careful with that as otherwise you could
> go
> into jail for doing this. Please think about respecting the privacy
> of
> your users.
>
> > Does a tool like this exist already? If not, what do people think
> of the idea?
>
> No and I think on the one hand you have bit to much paranoia (Do you
> have two entrance doors, grilled windows. a complete list of everything
> in your house/flat in a safe by a lawyer? If no, I would suggest that
> you think about your ideas again.) and on the other hand you seem to
> have missed the idea behind tools like tripwire.
>
> Ciao
> Christian
> --
> Ein "Nein" ausgesprochen mit der tiefsten Überzeugung ist besser
> und größer als ein "Ja" um zu gefallen oder noch schlimmer, um
> Schwierigkeiten zu umgehen.
> -- Mahatma Gandhi
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com
Reply to: