
Re: security idea - bootable CD to check your system



I've tried using debsums - however it's not really a good check on your system because the program and the data it's using both come from the system you are trying to check, so could be compromised. Also, it seems to miss out many important packages - e.g. here's the standard error output from a recent run of debsums on my server:

whale:~# cat debsums.err
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bsdutils
debsums: no md5sums for console-data
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for hotplug
debsums: no md5sums for initscripts
debsums: no md5sums for kernel-image-2.4.27-2-586tsc
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: no md5sums for libgdbm3
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for lynx
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for modutils
debsums: no md5sums for mount
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: no md5sums for ssh
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux

What do you mean by 'fingerprint updates'?

andy.

Daniel van Eeden wrote:
Andy,

Sounds like you're looking for debsums[1]? A CD/DVD is possible but
doesn't allow fingerprint updates. I know that certain Sony MemorySticks
are equipped with an rw/ro switch. So a card reader or USB thumb drive
makes it possible to use only one medium instead of two, and it still has
the read-only security.

[1] http://packages.debian.org/stable/admin/debsums

Cheers,

Daniel van Eeden

On Sun, 2007-06-24 at 15:23 +0100, andy baxter wrote:
hello,

I am writing to ask what you think of the following idea. Something that I would like to see is a bootable CDROM which can check all the packages on a Debian system. My idea is that it would work roughly as follows:

- You halt the machine and put in a bootable CD, then reboot.
- The machine boots from the CD, which is read-only and known to be good.
- It boots into a minimal Linux system which will do nothing but the following:
  - Ask you whether you are booting for the first or second time.
  - Read a floppy or other removable media to find configuration information for the machine being checked.
  - Read the host machine's hard drive to find a list of all installed packages.
  - Connect once to the network to retrieve a list of files and their checksums for each of these packages from a Debian server. This list could be saved either to a designated partition on the hard drive, or to removable media.
  - Disconnect from the network.
  - Reboot itself.
- The second time round, don't connect to the network.
  - Instead, check all the binaries (and optionally config files) against the checksums.
  - Generate some kind of easy-to-read report on screen, or else save it to removable media.

Do you think this would work (i.e. be a good check on whether your system has been compromised), and is it worth doing? I'm not sure if I have the skills to take on something like this all by myself, but I would be willing to put some time in to help where I can if anyone else wants to have a go at it.

Alternatively, if people don't think it's worth your while developing something like this, where should I start looking to try to put it together myself, and is there anyone at debian who might be able to help me?

yours,

andy baxter.
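The "second boot" step of the proposal above (read the installed-package list from the suspect disk, then verify each listed file against checksums fetched from a trusted source) is small enough to sketch in full. What follows is an added example written for this page; it is not code from the thread and not Debian's debsums. It assumes the suspect root filesystem is mounted read-only at a path ROOT under a trusted live system, that its dpkg status file is at ROOT/var/lib/dpkg/status, and that a directory of per-package `<pkg>.md5sums` files in dpkg's own format (`<md5hex>  <path relative to />`) was already fetched from a trusted mirror, so nothing on the suspect disk is trusted for the check itself. The sample root, status file and md5sums list are constructed inside the script so it runs offline; a package with no trusted list is reported as unverifiable rather than silently passed, which is the gap the "no md5sums for ..." lines earlier on this page illustrate.

```python
# Added example (not from the thread, not Debian's debsums). Offline
# verification of a suspect root filesystem against trusted md5sums lists.
# Assumptions: ROOT is the suspect filesystem mounted read-only from a live
# system; ROOT/var/lib/dpkg/status lists its packages; TRUSTED_DIR holds
# <pkg>.md5sums files in dpkg format ("<md5hex>  <path relative to />").
import hashlib
import os
import tempfile


def installed_packages(status_path):
    """Names of packages whose dpkg Status ends in 'installed' (e.g. 'install ok installed')."""
    pkgs, name, status = [], None, None
    with open(status_path, encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.startswith("Package:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Status:"):
                status = line.split(":", 1)[1].split()
            elif not line.strip():                  # blank line ends one stanza
                if name and status and status[-1] == "installed":
                    pkgs.append(name)
                name, status = None, None
    if name and status and status[-1] == "installed":   # last stanza, no trailing blank
        pkgs.append(name)
    return pkgs


def parse_md5sums(path):
    """dpkg md5sums file -> {relative_path: md5hex}; each line is '<md5hex>  <path>'."""
    sums = {}
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                sums[rel] = digest.lower()
    return sums


def md5_of_file(path):
    h = hashlib.md5()                               # md5 because that is what dpkg ships
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(root, md5sums_path):
    """Compare each listed file under root with its trusted digest."""
    result = {"ok": [], "changed": [], "missing": [], "no_md5sums": False}
    for rel, expected in sorted(parse_md5sums(md5sums_path).items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of_file(full) == expected:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)
    return result


def check_system(root, status_path, trusted_dir):
    """Verify every installed package; a package without a trusted list is
    flagged as unverifiable instead of being skipped."""
    report = {}
    for pkg in installed_packages(status_path):
        lst = os.path.join(trusted_dir, pkg + ".md5sums")
        if os.path.isfile(lst):
            report[pkg] = verify_package(root, lst)
        else:
            report[pkg] = {"ok": [], "changed": [], "missing": [], "no_md5sums": True}
    return report


def run_demo():
    """Build a constructed mini root plus trusted lists in a temp dir and check it."""
    base = tempfile.mkdtemp(prefix="rootcheck-")
    root, trusted = os.path.join(base, "root"), os.path.join(base, "trusted")
    for d in ("usr/bin", "etc", "var/lib/dpkg"):
        os.makedirs(os.path.join(root, d))
    os.makedirs(trusted)
    good_bin, conf = b"#!/bin/sh\necho hello\n", b"verbose=1\n"
    with open(os.path.join(root, "usr/bin/foo"), "wb") as f:
        f.write(good_bin + b"# trojaned\n")          # differs from the trusted digest
    with open(os.path.join(root, "etc/foo.conf"), "wb") as f:
        f.write(conf)
    status_path = os.path.join(root, "var/lib/dpkg/status")
    with open(status_path, "w") as f:               # constructed dpkg status file
        f.write("Package: foo\nStatus: install ok installed\nVersion: 1.0\n\n"
                "Package: bar\nStatus: install ok installed\nVersion: 2.0\n\n"
                "Package: baz\nStatus: deinstall ok config-files\nVersion: 3.0\n")
    with open(os.path.join(trusted, "foo.md5sums"), "w") as f:   # bar gets no list
        f.write(hashlib.md5(good_bin).hexdigest() + "  usr/bin/foo\n")
        f.write(hashlib.md5(conf).hexdigest() + "  etc/foo.conf\n")
        f.write(hashlib.md5(b"docs").hexdigest() + "  usr/share/doc/foo/README\n")
    return check_system(root, status_path, trusted)


if __name__ == "__main__":
    for pkg, r in sorted(run_demo().items()):
        state = "UNVERIFIABLE" if r["no_md5sums"] else ("SUSPECT" if r["changed"] or r["missing"] else "CLEAN")
        print(f"{pkg}: {state} changed={r['changed']} missing={r['missing']}")
```

On a real run you would point `check_system` at the mounted suspect root and at the directory of lists fetched during the first boot; the md5 lists are only as trustworthy as the path they took to reach that directory, so they belong on the read-only medium or a partition written during the network pass and not touched since.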
