On Sun, Feb 27, 2005 at 09:28:36PM -0600, Don Erickson wrote:
I'm just saying what I would do if it were my box. I wouldn't base any decision as to the integrity of the box on the output of the utilities on the box itself.
Bingo.
I understand and appreciate the value of the hash information, both from the rpm database and from tripwire.
What neither covers (well, maybe tripwire would, I don't know, I guess it depends on how it's used) is changes to files that have been *added*. I.e., you might be able to track changes in ls or ps or other known system binaries, but if an executable file were added elsewhere to the filesystem, would you know it just by looking at a list of checksums of known files? You wouldn't, because you wouldn't have a checksum of its predecessor file. You'd have to have a completely comprehensive look at *all* files, and the rpm verify doesn't give that.
So, have you looked for files set to be executable elsewhere in the filesystem, especially files owned by root or most especially files setuid root hidden in some out-of-the-way directory? Maybe you have, I don't recall reading that, though.
And I feel your pain about the lack of control you have over the cgi on the box, but a cgi program that gives user-level executable access to a setuid-root binary is all it would take.
I've started to put cgi behind proxies to try to give myself another layer between me and the bad guys.
Oh, and about booting the thing into KNOPPIX, why not? Mail the guys a CD and tell 'em to stick it in and fire it up. If they aren't up to configuring the network themselves, write yourself a script to do it and put it on the disk (from the knoppix-cheatcodes.txt file):
From Version 2.1 and up, a file called "knoppix.sh", if located in the toplevel KNOPPIX directory on CD, will also be executed at startup. This makes it easier to create customized versions without having to change anything on the compressed filesystem KNOPPIX/KNOPPIX.
Put a copy of (one of) your ssh public key(s) on there and you're all set.
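The setuid sweep the reply suggests, written out as an added shell example (not from the thread or from KNOPPIX): run from the rescue CD with the suspect disk mounted, it lists setuid/setgid files on that filesystem and flags any not in a baseline list the admin keeps off the box. It assumes GNU find (for -printf) and a baseline file with one path per line, relative to the mount point.

```shell
# Added example, not from the thread: a setuid/setgid sweep of a mounted
# filesystem checked against a baseline kept off the box. Run it from a
# rescue CD such as KNOPPIX with the suspect disk mounted read-only, so
# that find, sort and comm come from the CD, not from the possibly
# tampered system. Assumes GNU find (-printf); baseline is one
# mount-relative path per line.

# list_setuid ROOT: print every setuid/setgid regular file below ROOT as
# "mode owner relative-path", staying on one filesystem (-xdev).
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %P\n' 2>/dev/null | LC_ALL=C sort -k3
}

# audit_setuid ROOT BASELINE: print the setuid/setgid paths under ROOT
# that are not listed in BASELINE. Exit status 1 if anything unexpected
# was found, 0 if every setuid/setgid file is accounted for.
audit_setuid() {
    root=$1
    baseline=$2
    tmp=$(mktemp)
    # keep only the path (field 3 onward, so paths with spaces survive)
    list_setuid "$root" | cut -d' ' -f3- | LC_ALL=C sort > "$tmp"
    # comm -13: lines only in the second input, i.e. found but not in baseline
    unknown=$(LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$tmp")
    rm -f "$tmp"
    if [ -n "$unknown" ]; then
        printf '%s\n' "$unknown"
        return 1
    fi
    return 0
}

# usage: audit_setuid.sh /mnt/suspect /cdrom/setuid.baseline
if [ $# -eq 2 ]; then
    audit_setuid "$1" "$2"
fi
```

Rebuild the baseline from a known-good install (or from the rpm database on a trusted box) rather than from the machine under suspicion.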