
Re: checking system integrity

>>>>> "Matt" == Matt Zimmerman <mdz@debian.org> writes:

    Matt> If the system has been compromised, you can't even trust
    Matt> executables on secure media, as you can't be sure that
    Matt> you're actually executing what you think you're executing.

Good point.

So it seems the only secure method is to create a bootable CD-ROM with
tripwire and {public,private} key files installed, and boot from the
CD-ROM to conduct the check if you are paranoid enough to want to do
this. Otherwise, normal checks just use the files from the read-only

Somebody else had an interesting point of integrating this somehow
into the package management system. I think this is interesting as
packages could come supplied with their own policy information and/or
database entries. Ideally this should be done so:

a) it does not conflict with the proposal to sign deb files.

b) minimise the chance that this data can be altered after it is
extracted by dpkg to the time tripwire (or whatever) can use it.
(ideally the data would remain signed until after dpkg extracted it,
but this might conflict with a).

Of course, if dpkg supported the scheme directly, then it could send
the data directly from the deb file to tripwire, so it doesn't have to
be stored anywhere in-between.

(it goes without saying that dpkg and/or required shared libraries
could be corrupted, so these should be checked by tripwire first)

Brian May <bam@debian.org>

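The two design points raised above, per-package hash entries fed to the checker and checking the checker's own dependencies before anything else, can be shown in a few lines. The following is an added example and not code from the thread, from Debian or from tripwire. It assumes a manifest in the "<md5hex>  <relative path>" layout that dpkg writes under /var/lib/dpkg/info/<pkg>.md5sums; the directory tree, file contents, paths and the list of "trusted first" files are all constructed for the demonstration, and the checker refuses to continue once a file it depends on fails, since any later result could not be believed anyway.

```python
"""Added example (not from the thread): verify a tree against a dpkg-style
md5sums manifest, checking the verifier's own dependencies first.
All file names, contents and hashes here are constructed for the demo."""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Return {relative_path: md5hex} from "<md5hex>  <path>" lines.

    Malformed lines are skipped rather than raising, so a checker can
    still report on the entries it could read."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts
        entries[path] = digest.lower()
    return entries


def file_md5(path):
    """Stream the file through MD5 (the digest dpkg's md5sums files use)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, entries, trusted_first):
    """Check every manifest entry under root.

    Paths listed in trusted_first (the checker, dpkg, shared libraries)
    are checked before the rest. If one of them is missing or modified
    the function stops immediately and returns ok=False, because the
    remaining checks would be run by code that can no longer be trusted.
    Returns (ok, failures) where failures is a list of (path, reason)."""
    failures = []
    order = [p for p in trusted_first if p in entries]
    order += [p for p in entries if p not in trusted_first]
    for rel in order:
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            failures.append((rel, "missing"))
        elif file_md5(full) != entries[rel]:
            failures.append((rel, "modified"))
        else:
            continue
        if rel in trusted_first:
            return False, failures  # dependency of the checker failed: stop
    return not failures, failures


def demo(tamper=None):
    """Build a constructed tree and manifest, optionally append bytes to one
    file (tamper is a relative path), then run verify() on it."""
    root = tempfile.mkdtemp()
    files = {  # constructed stand-ins, not real binaries
        "usr/bin/dpkg": b"dpkg binary (constructed)\n",
        "lib/libc.so.6": b"libc (constructed)\n",
        "usr/sbin/tripwire": b"tripwire binary (constructed)\n",
        "etc/motd": b"welcome\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Manifest in dpkg md5sums layout, computed before any tampering.
    manifest = "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}" for rel, data in files.items()
    )
    if tamper:
        with open(os.path.join(root, tamper), "ab") as f:
            f.write(b"# injected (constructed tamper)\n")
    trusted = ["usr/sbin/tripwire", "usr/bin/dpkg", "lib/libc.so.6"]
    return verify(root, parse_manifest(manifest), trusted)


if __name__ == "__main__":
    for case in (None, "etc/motd", "lib/libc.so.6"):
        ok, failures = demo(case)
        print(f"tamper={case!r}: ok={ok} failures={failures}")
```

Running the block shows three outcomes: a clean tree passes, a modified /etc/motd is reported after the trusted set has passed, and a modified shared library stops the run at that entry with nothing else examined. As the post notes, the manifest and the checker itself still have to come from media the compromised host cannot write to for any of this to mean something.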