Re: How reliable is "debsums"?
On Wed, Sep 25, 2002 at 11:09:14AM +0200, Kristian wrote:
> I suppose that if someone managed to get into a machine, he could simply
> regenerate the md5 checksums after modifying "ls, ps, top and friends".
If you want to use debsums as an intrusion detection tool (that is not its
sole purpose), then you must save a trusted copy of the dpkg database
(/var/lib/dpkg) and run a trusted copy of debsums against that within a
trusted execution environment.
The same applies for any intrusion detection tool, including the ones you
> Just another question: could anyone suggest a way to automate checks with
> debsums? And why shoul I use debsums instead of simply running stuff like
> tiger or integrit? I don't get it.
debsums attempts to detect files which are different from the versions which
were originally installed from .deb archives. Stuff like tiger and integrit
attempt to detect files which are different from the versions which were
installed at some point in the past.