
Re: Debian auditing tool?

On 00-12-21 Peter Eckersley wrote:
> Basically, I started reading the tripwire documentation, stopped, and
> thought "Debian ought to make this *much* simpler".  It seemed that if I
> wanted to use tripwire, I'd need to tell it every time I was installing
> a new package.  I'd then need to update a record on read-only media...

Hm, looking at your statement above, I get the feeling that you have no
idea what the purpose of tripwire really is. If you use it without
read-only media to save the data to, and without rerunning it when you
install software on the machine, it won't be very helpful for tracking
an intrusion.

> Debsums seems to help a little bit - you can expect to catch some less-clueful
> intruders with it, but it doesn't help in general.

debsums just uses md5sums, which can be manipulated on the one hand, and
on the other hand you can modify binaries so that the md5sum will still
be the same.

> What I'd really like is this:

> A CDROM or boot floppy with a clean kernel, which downloads a set of clean
> md5sums from a trusted server, and checks those.  It could then produce a list
> of modified configuration files, which one would need to check by hand.

So, how do you define clean kernel? Which kernel is really clean? How do
you define if a server is trustable and how do you make sure that no one
has put modified binaries on it?

> * Kernel "trojan scans" for all known nasty kernel code.

How do you want to do this with a source that is about 117M big? Have
you any idea how long it will take? Also, you could hide nasty code very
well in it, and it would be hard to catch (this is an assumption on my
part, after having looked at some parts of the kernel source).

> * Debian security servers - these could keep a record of which config file
> 	changes you've okayed.  They might also allow you to checksum customised

What? Mirrors worldwide for your config-files? Use tripwire and you
don't need this.

> * Heuristic analysis scripts to look for funny things in users' home
>   directories, such as SETUID stuff and questionable aliases in .bashrc, for
> 	example (although this can never be perfect).

You want to scan user dirs without telling them that you do this? In
Germany you had better be careful with that, as otherwise you could go
to jail for doing this. Please think about respecting the privacy of
your users.

> Does a tool like this exist already?  If not, what do people think of the idea?

No, and I think on the one hand you have a bit too much paranoia (do you
have two entrance doors, barred windows, a complete list of everything
in your house/flat in a safe at a lawyer's? If not, I would suggest that
you think about your ideas again), and on the other hand you seem to
have missed the idea behind tools like tripwire.

A "No" uttered from the deepest conviction is better and greater than a
"Yes" uttered merely to please, or worse, to avoid trouble.
  -- Mahatma Gandhi
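An added illustration of the tripwire idea the reply describes: record a baseline of file hashes once, keep it somewhere the machine cannot rewrite, and compare the live tree against it later, rebuilding the baseline after every package install. This is example code written for this page, not tripwire's or Debian's own; it uses SHA-256 rather than MD5 for the reasons given above about md5sums. The `build_baseline`/`verify_baseline` names, the directory layout and the sample files are assumptions.

```shell
#!/bin/sh
# Minimal tripwire-style integrity check (added example, not from the thread).
# Assumptions: POSIX sh, GNU/BSD coreutils (find, sha256sum, sort, comm, cut).
#
# Security notes the thread makes, reflected here only as comments:
#  - The baseline file must live on read-only media (CD, write-protected
#    disk); a baseline the intruder can rewrite proves nothing.
#  - The checker and sha256sum binary should also come from that clean
#    medium, otherwise a trojaned sha256sum can lie about the hashes.
#  - Rebuild the baseline immediately after every legitimate package install,
#    or every upgrade will look like an intrusion.

# build_baseline DIR DBFILE
# Writes "<sha256>  <path>" for every regular file under DIR to DBFILE.
build_baseline() {
    dir=$1; db=$2
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$db"
}

# verify_baseline DIR DBFILE
# Prints one line per deviation (CHANGED/REMOVED/ADDED <path>).
# Returns 0 when the tree matches the baseline exactly, 1 otherwise.
verify_baseline() {
    dir=$1; db=$2
    tmp=$(mktemp -d)
    rc=0

    # Path lists for set comparison: sha256sum output is 64 hex chars,
    # two spaces, then the path, so the path starts at column 67.
    cut -c67- "$db" | sort > "$tmp/base_paths"
    find "$dir" -type f | sort > "$tmp/cur_paths"

    # Every baseline entry must still exist with the same hash.
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "REMOVED $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -c1-64)" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$db"

    # Anything present now but absent from the baseline is new (e.g. a
    # dropped rootkit binary or an extra setuid helper).
    comm -13 "$tmp/base_paths" "$tmp/cur_paths" > "$tmp/added"
    while read -r path; do
        echo "ADDED $path"; rc=1
    done < "$tmp/added"

    rm -rf "$tmp"
    return $rc
}

# Usage (constructed sample tree, not real system files):
#   build_baseline /usr/sbin /cdrom/baseline.db   # then burn/write-protect it
#   verify_baseline /usr/sbin /cdrom/baseline.db  # from a clean boot medium
```

The check deliberately reports additions and removals as well as modifications; an integrity tool that only re-hashes the files it already knows about misses exactly the files an intruder drops in. Run it from a clean boot medium with the baseline mounted read-only, as the reply insists, or the result is no stronger than debsums.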
