Re: Debian audititing tool?

[Colin Phipps <cph@netcraft.com>]

On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote:
> [ Would you please stop those Ccs to me?]

If you don't want CC's then fix your mail headers:

Mail-Followup-To: Christian Kurz <shorty@debian.org>, debian-security@lists.debian.org

> On 00-12-21 Colin Phipps wrote:

> > > No, I tried to explain why it also won't work for the "less-careful"
> > > intruders, as they will use tools to hide their changes.
> 
> > Some intruders will be careless or ignorant and it'll catch them. Others 
> > will be smart and it won't. Assuming at least some hackers are careless it's 
> > still worthwhile, in the absence of a perfect solution.
> 
> Well and the one that you won't catch to much more damage to your system
> and create a higher risk then the one you catch. 

Agreed, if someone gets root on your system there's no way you can 
guarantee detecting it. But you can try. Whether md5sums is worthwhile 
I don't know, I guess you'd have to look for some statistics on 
rootkits and such...

> > No, you just sign all the packages on master.debian.org with this official 
> > key, and then mirror both the files and their signatures (as kernel.org do).
> 
> And who will create this key? Who will have the passphrase? Who will
> sign the packages?

Someone on master.debian.org, presumably the ftp admins.

> How do you make sure that the signatures get's not corrupted? 

apt would refuse to install stuff where the signature check failed.

-- 
Colin Phipps                            http://www.netcraft.com/