Re: System integrity...
> 2) Config files are not secured - as these are modified by the sysop _after_
> the md5sum is created. Again, tripwire can help here.
How about a package like dpkg-repack that generates the md5sums for ALL
registered (package) config files and therefore updates the md5sums database.
This could be run whenever the administrator changes some config files.
> 2) Using tripwire is a hasstle - particularily for people who are either
> simple users, or people managing a large number of not-so-critical
> machines. You really need to have _physical_ access to move a tripwire
> database to read-only media, and the database requires updating after
> every system upgrade. And I'm sure most people running unstable wouldn't
> keep up with that strict regime.
That would also be problem with my idea of a dpkg-based config integrity check.
> What I propose is to extend the security of Debian. I do not propose an
> "ultimate security solution", but simply a method to increase the security
> debian offers to users. The proposal is as follows:
That's exactly what my initial idea was (but I was unable to express my
thoughts however :-) ). I would appreciate the implementation of this proposal
and I might be able to help.