Re: checking system integrity

To: debian-devel@lists.debian.org
Subject: Re: checking system integrity
From: Manoj Srivastava <srivasta@debian.org>
Date: 10 Feb 2001 01:00:32 -0600
Message-id: <[🔎] 877l2zkoof.fsf@glaurung.green-gryphon.com>
In-reply-to: <[🔎] 20010209145717.B18878@alcor.net> (Matt Zimmerman's message of "Fri, 9 Feb 2001 14:57:18 -0500")
References: <[🔎] 84snlo7j8a.fsf@snoopy.apana.org.au> <[🔎] Pine.LNX.4.21.0102091330510.15441-100000@gemini.faredge.com.au> <[🔎] 20010208225226.G5273@wookimus.net> <[🔎] 84ae7w77jk.fsf@snoopy.apana.org.au> <[🔎] 87zofvanfq.fsf@glaurung.green-gryphon.com> <[🔎] 20010209145717.B18878@alcor.net>

>>"Matt" == Matt Zimmerman <mdz@debian.org> writes:

 >> My solution to this eternal who shall watch the watcher
 >> problem is to md5sum the database and the binary, and detach-sign
 >> that file.  I verify the database and binary at random times
 >> (basically, whenever I think about it).

 Matt> Verifying the database is the easy part; it can be done
 Matt> completely offline, on an isolated system.  The hard part is
 Matt> verifying the system against the database, with a definitive
 Matt> answer as to whether anything has changed _or not_.

	Umm. I now have a database whose md5sum i have verified, and I
 also have a md5sum binary I am sure of (since it is on the floppy
 with the keys and all); I verify md5sum and tripwire on my machine;
 run this known good tripwire and md5sum to test and see if this
 system has changed or not. 

	What am I missing here? What is the hard part?

	manoj
-- 
The Gurus of Unix Meeting of Minds (GUMM) takes place Wednesday, April
1, 2076 (check THAT in your perpetual calendar program), 14 feet above
the ground directly in front of the Milpitas Gumps.  Members will grep
each other by the hand (after intro), yacc a lot, smoke filtered
chroots in pipes, chown with forks, use the wc (unless uuclean), fseek
nice zombie processes, strip, and sleep, but not, we hope, od.  Three
days will be devoted to discussion of the ramifications of whodo.  Two
seconds have been allotted for a complete rundown of all the user-
friendly features of Unix.  Seminars include "Everything You Know is
Wrong", led by Tom Kempson, "Batman or Cat:man?" led by Richie Dennis
"cc C?  Si!  Si!" led by Kerwin Bernighan, and "Document Unix, Are You
Kidding?" led by Jan Yeats.  No Reader Service No. is necessary
because all GUGUs (Gurus of Unix Group of Users) already know
everything we could tell them.  -- "Get GUMMed," Dr. Dobb's Journal,
June '84
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: checking system integrity
  - From: Matt Zimmerman <mdz@debian.org>

References:
- checking system integrity
  - From: Brian May <bam@debian.org>
- Re: checking system integrity
  - From: Sam Johnston <samj@faredge.com.au>
- Re: checking system integrity
  - From: "Chad C. Walstrom" <chewie@wookimus.net>
- Re: checking system integrity
  - From: Brian May <bam@debian.org>
- Re: checking system integrity
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: checking system integrity
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: Expires: headers for Packages.gz, Sources.gz
Next by Date: Re: Expires: headers for Packages.gz, Sources.gz
Previous by thread: Re: checking system integrity
Next by thread: Re: checking system integrity
Index(es):
- Date
- Thread