Re: Debian auditing tool?
On Thu, Dec 21, 2000 at 01:39:19PM +0100, Christian Kurz wrote:
> > Debsums seems to help a little bit - you can expect to catch some less-clueful
> > intruders with it, but it doesn't help in general.
> debsums just uses md5sums, which can be manipulated on the one hand, and
> on the other hand you modify binaries so that the md5sum will still be
> the same.
Of course plain md5 hashes are not very helpful. But we can keep a MAC for
binaries. Tampering with the MAC database is useless. Of course we should be sure
that the checking program is not tampered with; the only possible way to ensure this is to
run it from read-only media (CD-ROM). We should not store the MAC key on the system; it
should be computed from a user-entered passphrase.
We can avoid burning a new CD-ROM each time we install or upgrade software. A new
CD-ROM is only needed when we upgrade the checking program; in any other case we
only need to update the MAC database.
MAC: Message Authentication Code. One possible way to compute a MAC is
H(K,H(K,M)), where H is a one-way hash function (MD5 or, better, SHA), K is the key, and M
is the message (the protected binary).
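An added example of the scheme sketched in this mail, written in Python; it is not code from the mail or from debsums. The key is derived from the passphrase with PBKDF2, the per-file MAC uses the standard HMAC-SHA256 construction (RFC 2104) rather than the simplified H(K,H(K,M)) above, and the file names, contents and passphrase are constructed samples.

```python
import hashlib
import hmac
import os
import tempfile

# Derive the MAC key from a passphrase; nothing secret is stored on the system.
# The salt is public and can live next to the database or on the read-only media.
def derive_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)

def file_mac(key: bytes, path: str) -> str:
    """Keyed MAC over the file contents, read in chunks (binaries can be large)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_database(key: bytes, paths) -> dict:
    """One MAC per protected file; rebuild after every install or upgrade."""
    return {p: file_mac(key, p) for p in paths}

def verify(key: bytes, database: dict) -> dict:
    """Map each path to 'ok', 'modified' or 'missing'. Because the MAC is keyed,
    editing a binary and its database entry without the key still fails the check."""
    result = {}
    for path, expected in database.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif hmac.compare_digest(file_mac(key, path), expected):
            result[path] = "ok"
        else:
            result[path] = "modified"
    return result

def demo() -> dict:
    """Constructed end-to-end run: three sample 'binaries' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"sample binary content for " + os.path.basename(p).encode())
        key = derive_key("sample passphrase", os.urandom(16))
        db = build_database(key, paths)
        # Simulated tampering: ps is replaced and its database entry rewritten
        # with a plain (unkeyed) hash, netstat is deleted outright.
        with open(paths[1], "wb") as f:
            f.write(b"replaced ps")
        db[paths[1]] = hashlib.sha256(b"replaced ps").hexdigest()
        os.remove(paths[2])
        return {os.path.basename(p): s for p, s in verify(key, db).items()}
```

In real use the database can be stored anywhere (it need not be secret), while `derive_key` and `verify` run from the CD-ROM with the passphrase typed in at check time.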