
Debian auditing tool?


I've been wishing for a nice, largely automated, untamperable Debian auditing
tool.  Whenever I get paranoid about a box, I'd like some kind of check that
didn't require vast amounts of forethought and effort.

Basically, I started reading the tripwire documentation, stopped, and
thought "Debian ought to make this *much* simpler".  It seemed that if I
wanted to use tripwire, I'd need to tell it every time I was installing
a new package.  I'd then need to update a record on read-only media...

Debsums seems to help a little bit - you can expect to catch some less-clueful
intruders with it, but it doesn't help in general.

What I'd really like is this:

A CDROM or boot floppy with a clean kernel, which downloads a set of clean
md5sums from a trusted server, and checks those.  It could then produce a list
of modified configuration files, which one would need to check by hand.

Extra snazzy features, which might or might not be worth the effort, would be:

* Kernel "trojan scans" for all known nasty kernel code.

* Debian security servers - these could keep a record of which config file
  changes you've okayed.  They might also allow you to checksum customised
  kernels to make sure they haven't changed.  Keeping these servers hyper-secure
  is, of course, an issue.  The CD might have keys for known "public service"
  security servers, or sites could run their own and burn the CDs to recognise
  them.  This facility might also be nifty for backups...

* Heuristic analysis scripts to look for funny things in users' home
  directories, such as SETUID stuff and questionable aliases in .bashrc, for
  example (although this can never be perfect).

Does a tool like this exist already?  If not, what do people think of the idea?


|> |= -+- |= |>
|  |-  |  |- |\

Peter Eckersley
for techno-leftie inspiration, take a look at
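The core of the check described in the post above (compare installed files against a set of known-good md5sums, and report modified configuration files separately so they can be reviewed by hand) can be sketched in a few dozen lines. The following is an added example, not code from the post or from debsums or tripwire. It assumes the trusted digests arrive as text in the same format dpkg keeps in `/var/lib/dpkg/info/<pkg>.md5sums` (`<hex>  <path relative to />`) with a matching `.conffiles` list (one absolute path per line); the "clean kernel on boot media" and "fetch from a trusted server" parts are outside the script, which just takes the manifest text and a root directory to audit. The sample package tree and its manifest are constructed inside the script for a self-contained run.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="md5"):
    """Stream a file through hashlib; md5 matches dpkg's .md5sums records.
    A manifest built from scratch today should use sha256 instead."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse dpkg-style '<hex>  <relative path>' lines into {path: hex}."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 32 or not rel:
            raise ValueError("malformed md5sums line: %r" % line)
        manifest[rel] = digest.lower()
    return manifest


def parse_conffiles(text):
    """Parse a dpkg-style conffiles list (absolute paths) into relative paths."""
    return {line.strip().lstrip("/") for line in text.splitlines() if line.strip()}


def audit(root, manifest, conffiles):
    """Check every manifest entry under root. Config files that differ are
    reported apart from other modified files, since an admin edit there is
    expected and must be reviewed rather than treated as an alarm."""
    report = {"ok": [], "modified": [], "modified_conffile": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        # A file replaced by a symlink would still hash "correctly" through
        # the link target, so treat any link as a modification.
        if os.path.islink(path) or not os.path.isfile(path):
            (report["modified"] if os.path.islink(path) else report["missing"]).append(rel)
            continue
        if file_digest(path) == expected:
            report["ok"].append(rel)
        elif rel in conffiles:
            report["modified_conffile"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def build_demo_tree(root):
    """Constructed sample package: writes pristine files under root and returns
    (md5sums text, conffiles text) in dpkg's formats. Not a real package."""
    files = {
        "usr/bin/demo-tool": b"#!/bin/sh\necho demo\n",
        "usr/lib/demo/helper.so": b"constructed placeholder, not a real object\n",
        "etc/demo/demo.conf": b"loglevel = info\n",
    }
    lines = []
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        lines.append("%s  %s" % (hashlib.md5(data).hexdigest(), rel))
    return "\n".join(lines) + "\n", "/etc/demo/demo.conf\n"


def run_demo():
    """Build the constructed tree, alter it three ways, and audit it."""
    with tempfile.TemporaryDirectory() as root:
        md5_text, conf_text = build_demo_tree(root)
        manifest = parse_md5sums(md5_text)
        conffiles = parse_conffiles(conf_text)
        # Admin edits a config file: should be listed for manual review only.
        with open(os.path.join(root, "etc/demo/demo.conf"), "ab") as fh:
            fh.write(b"loglevel = debug\n")
        # A library no longer matches its recorded digest: should be flagged.
        with open(os.path.join(root, "usr/lib/demo/helper.so"), "ab") as fh:
            fh.write(b"extra bytes\n")
        # A binary is gone altogether: should be reported missing.
        os.remove(os.path.join(root, "usr/bin/demo-tool"))
        return audit(root, manifest, conffiles)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print("%-18s %s" % (kind + ":", ", ".join(paths) or "-"))
```

Run stand-alone it prints one line per category. The point of the split output is the one the post makes: a mismatch under `/usr` is a red flag, while a mismatch in a conffile is a list for a human to go through, and a trustworthy result still depends on the digests and the kernel doing the hashing not coming from the box being audited.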
