
Re: Debian auditing tool?



On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:
> > > > Hence my comment.  "Less-clueful" intruders won't modify
> > > > /var/lib/dpkg/info/package.md5sums ; debsums will catch these people,
> > > > but will not help if the cracker is smart.
> > > 
> > > No, as it would say that if this md5sums will be wide spread, someone
> > > will write a tool to modify binaries without modifying the md5sum and
> > > then you have the problem again...

This is not possible, that's the point of using md5sums in this case, it's 
computationally infeasible to construct a different file with the same 
md5sum.

> > > ...or even create a tool that replaces the
> > > md5sum in the file /var/lib/dpkg/info/package.md5sum with a new one

Which is why you would have to get the list of md5sums from a trusted source.

> No, I tried to explain why it also won't work for the "less-careful"
> intruders, as they will use tools to hide their changes.

Some intruders will be careless or ignorant and it'll catch them. Others 
will be smart and it won't. Assuming at least some hackers are careless it's 
still worthwhile, in the absence of a perfect solution.

> > if I were trying to do mirror authentication, I'd ship apt with an
> > official .debian.org public key, and then ask .debian.org whether
> > the public key presented by a mirror was kosher.  There are other ways
> > of doing it...
> 
> public key? GnuPG or PGP? Or do you mean ssh or what kind of public key
> do you think of? Also this would impose that everyone downloads package
> from only one .debian.org server and this would generate a lot of
> traffic and resources on this machine. Or otherwise you have to convince
> every admin of .debian.org to generate a public key and install them all
> when you install apt.

No, you just sign all the packages on master.debian.org with this official 
key, and then mirror both the files and their signatures (as kernel.org do).

-- 
Colin Phipps                            http://www.netcraft.com/
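The two failure modes discussed in this thread (an intruder who only swaps a binary, versus one who also rewrites /var/lib/dpkg/info/package.md5sums to match) can be demonstrated with a small checker. The script below is an added example, not code from the thread or from debsums: it parses the dpkg md5sums format ("<hex digest>  <relative path>" per line), verifies the files on disk once against the local list (what debsums does) and once against a list obtained out of band (the "trusted source" the reply insists on), and flags when the two lists disagree. The directory layout, file contents and the trojaned binary are all constructed inside the example. The hash algorithm is a parameter so the same check can run with SHA-256, which is what one would use today given that MD5 collisions have been practical since 2004.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_sums(text):
    """Parse a dpkg-style md5sums file: one '<hex digest>  <relative path>' per line."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # dpkg separates the two fields with two spaces; split on any whitespace
        digest, path = line.split(None, 1)
        sums[path] = digest.lower()
    return sums


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(root, sums, algo="md5"):
    """Compare every listed file under root with its expected digest.
    Returns {relative path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for rel, expected in sums.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "missing"
        elif file_digest(p, algo) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def audit(root, local_sums_text, trusted_sums_text, algo="md5"):
    """Run the debsums-style check against the on-host list, then the same check
    against a list fetched from a trusted source, and report whether the
    on-host list itself has been altered."""
    local = parse_sums(local_sums_text)
    trusted = parse_sums(trusted_sums_text)
    return {
        "local_check": check_files(root, local, algo),
        "trusted_check": check_files(root, trusted, algo),
        "list_tampered": local != trusted,
    }


def demo():
    """Constructed scenario (hypothetical package with two files): the intruder
    replaces bin/login and rewrites the local md5sums entry to match it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/login": b"original login binary\n",
            "etc/login.conf": b"config\n",
        }
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        # The trusted list: what a signed copy from master.debian.org would contain.
        trusted = "".join(
            f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in files.items()
        )

        # Intruder swaps the binary and patches the local list so debsums stays quiet.
        trojan = b"trojaned login binary\n"
        (Path(root) / "bin/login").write_bytes(trojan)
        local = trusted.replace(
            hashlib.md5(files["bin/login"]).hexdigest(),
            hashlib.md5(trojan).hexdigest(),
        )

        return audit(root, local, trusted)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the thread: the local check reports every file as ok, while the check against the trusted list marks bin/login as modified and the list itself as tampered. In practice the trusted list would arrive as a signed file, as the reply suggests for packages, and the signature would be verified before the list is handed to `audit()`.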


