Hi... I've been wishing for a nice, largely automated, untamperable Debian auditing tool. Whenever I get paranoid about a box, I'd like some kind of check that didn't require vast amounts of forethought and effort. Basically, I started reading the tripwire documentation, stopped, and thought "Debian ought to make this *much* simpler". It seemed that if I wanted to use tripwire, I'd need to tell it every time I was installing a new package. I'd then need to update a record on read-only media... Debsums seems to help a little bit - you can expect to catch some less-clueful intruders with it, but it doesn't help in general. What I'd really like is this: A CDROM or boot floppy with a clean kernel, which downloads a set of clean md5sums from a trusted server, and checks those. It could then produce a list of modified configuration files, which one would need to check by hand. Extra snazzy features, which might or might not be worth the effort, would include: * Kernel "trojan scans" for all known nasty kernel code. * Debian security servers - these could keep a record of which config file changes you've okayed. They might also allow you to checksum customised kernels to make sure they haven't changed. Keeping these servers hyper-secure is, of course, an issue. The CD might have keys for known "public service" secutity servers, or sites could run their own and burn the CDs to recognise them. This facility might also be nifty for backups... * Heuristic analysis scripts to look for funny things in users' home directories, such as SETUID stuff and questionable aliases in .bashrc, for example (although this can never be perfect). Does a tool like this exist already? If not, what do people think of the idea? -- |> |= -+- |= |> | |- | |- |\ Peter Eckersley (pde@cs.mu.oz.au) http://www.cs.mu.oz.au/~pde for techno-leftie inspiration, take a look at http://www.computerbank.org.au/
Attachment:
pgpdKO_3STNqi.pgp
Description: PGP signature