-----Original Message----- From: Jonathan Hutchins
... I did a CRC check against ALL of the system files. They're fine. I checked RPM before I used it to check the rest of the system.
RPM's a great tool for a lot of things, including verifying system integrity. ...
It's VERY hard to hack an RPM system in such a way as to conceal tampering with files within the packages. Not impossible, but hard in a way that the low-level simplicity of rootedoor tends to contraindicate.
On this note, other than CRC checking and MD5 checksum options, is there any kind of an equivalent with Debian for this type of check? I'm guessing no. Although, it might be possible to build an rpm database of installed software on a Debian box and then use that as an additional check. Of course there's nothing stopping a cunning cracker from building an RPM database, setting the timestamp and copying it onto the cracked system. Something possible with Jonathan's box too. Jonathan, was your check done with a local copy of the RPM database, or an archived known good copy? Certainly, if I were a cracker, installing a new copy of the RPM database would be part of my initial and every subsequent loading of software onto a cracked system. After all, to be successful at cracking it is best to remain undetected.
Brian
On Monday 28 February 2005 11:22 am, Brian Densmore wrote:
Of course there's nothing, stopping a cunning cracker from building an RPM database, setting the timestamp and copying it onto the cracked system.
I think the database stores the original MD5 signature of the files in the package. You could get around it by installing your own RPM of hacked files, but then the signature of the package itself would indicate it wasn't from a known good source.
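Where the thread lands is that an `rpm -V` content check is only as trustworthy as the database it is checked against. As an added example (not code posted by anyone in this thread), a small POSIX sh triage of `rpm -V` output that surfaces digest mismatches on non-config files and missing files, plus a wrapper that runs the check against an archived known-good database; the sample lines are constructed and the `/mnt/trusted/rpmdb` mount point is an assumption.

```shell
# Triage "rpm -V" output (added example, not code from the thread). rpm -V
# prints one line per file failing a test: flags S M 5 D L U G T (size, mode,
# digest, device, link, user, group, mtime) with '.' where the test passed,
# an optional type (c config, d doc, ...), then the path; "missing" replaces
# the flags when the file is gone.
set -f   # no pathname expansion while splitting lines into words

# Classify one rpm -V line and print path<TAB>verdict.
classify_rpm_line() {
    set -- $1                          # flags [type] path
    flags=$1; shift
    attr=""
    case $1 in c|d|g|l|r|D) attr=$1; shift ;; esac
    path=$1
    case $flags in
        missing) printf '%s\tMISSING\n' "$path" ;;
        ??5*)                          # digest differs: content changed
            if [ "$attr" = c ]; then printf '%s\tconfig-edited\n' "$path"
            else printf '%s\tCONTENT-CHANGED\n' "$path"; fi ;;
        *) printf '%s\tlow-signal\n' "$path" ;;   # mode/mtime-only drift
    esac
}

# Read rpm -V output on stdin; print only entries worth a second look.
triage_rpm_verify() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_rpm_line "$line")
        case $verdict in
            *CONTENT-CHANGED|*MISSING) printf '%s\n' "$verdict" ;;
        esac
    done
}

# The thread's caveat: the host's own database may have been replaced, so
# point rpm at an archived known-good copy (mount point is an assumption).
verify_against_archived_db() {
    rpm --dbpath "${1:-/mnt/trusted/rpmdb}" -Va | triage_rpm_verify
}

# Constructed sample of rpm -V output for the demo run below.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/lib/libz.so.1
missing      /sbin/ifconfig
.M.......    /usr/bin/passwd'

printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

A changed digest on a config file is expected drift; a changed digest on a binary, or a missing packaged file, is what merits pulling the package signature (`rpm -K`) and the archived database into the comparison.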
Brian Densmore wrote:
<snip>
| On this note, other than CRC checking and MD5 checksum options,
| is there any kind of an equivalent with Debian for this type of
| check? I'm guessing no
<snip />
debsig-verify
http://www.linuxmafia.com/faq/Debian/package-signing.html
Chris
--
I digitally sign my emails. If you see an attachment with .asc, then that means your email client doesn't support PGP digital signatures. http://www.gnupg.org/(en)/documentation/faqs.html#q1.1
Chris Bier wrote:
| Brian Densmore wrote:
| <snip>
| | On this note, other than CRC checking and MD5 checksum options,
| | is there any kind of an equivalent with Debian for this type of
| | check? I'm guessing no
| <snip />
|
| debsig-verify
|
| http://www.linuxmafia.com/faq/Debian/package-signing.html
|
| Chris
also dpkg-sig