
Re: [OT?] Replacing hacked binaries



On Fri, Dec 01, 2000 at 05:38:38PM -0600, Steve Langasek wrote:
> Just to compare with what's possible on an rpm-using distribution, rpm stores
> md5 checksums of all files from all packages in its database.  If you have a
> known clean version of this database (possibly from removable media), you can
> boot from floppy, drop the clean database back on the drive, and use a known
> good copy of rpm (again from the floppy) to verify what's changed.  When you
> have a machine that's taken a lot of coddling to get everything installed just
> the way you want it, taking the machine off-line for a few hours to do this
> can be a lot easier than a reinstall, and if done with care can be just as
> effective at cleaning up after a break-in.

If you spent a lot of time on the config, you probably would like some
assurance that the config files haven't been changed. The rpm database
can't do that. It also doesn't know if files have been added. It also
doesn't check the boot sector. Did you recompile the kernel? tripwire or
aide or somesuch will do a better job of checking than the rpm database
will, but they're still detection tools rather than clean-up tools.

The time required to do a clean reinstall of a well-documented machine
is probably equivalent, if not less, than the time required to clean up
properly. And the reinstall method is far more reliable unless you're
*very confident* in your ability not to miss something. 

-- 
Mike Stone
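The distinction drawn in this thread, between verifying only package-owned files and checking the whole tree for modified, added and removed files, is illustrated below with a small baseline-and-compare script. It is an added example, not code from the original thread or from rpm, tripwire or aide; it builds a constructed directory tree in a temporary location, and the baseline manifest is assumed to come from a trusted copy kept off the machine, as the thread recommends.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Manifest {relative path: digest} for every regular file under root.
    Unlike a package database, this covers every file, not just installed ones."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare(baseline, current):
    """Return (modified, added, removed) relative paths between two manifests."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: take a baseline, then change a config file,
    add an unexpected file and delete a binary, and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("Port 22\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")   # constructed stand-in
        baseline = snapshot(root)                                  # trusted copy, taken earlier
        (root / "etc" / "sshd_config").write_text("Port 22\nPort 2222\n")  # edited config
        (root / "bin" / "extra").write_bytes(b"\x7fELF new")       # file no package owns
        (root / "bin" / "ls").unlink()                             # binary removed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

As Mike notes, a report like this only tells you what changed; it does not restore anything, so the result still has to be acted on by reinstalling or restoring from known-good media.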
