
Re: How reliable is "debsums"?



On Wed, Sep 25, 2002 at 11:09:14AM +0200, Kristian wrote:

> I suppose that if someone managed to get into a machine, he could simply
> regenerate the md5 checksums after modifying "ls, ps, top and friends".

If you want to use debsums as an intrusion detection tool (that is not its
sole purpose), then you must save a trusted copy of the dpkg database
(/var/lib/dpkg) and run a trusted copy of debsums against that within a
trusted execution environment.

The same applies for any intrusion detection tool, including the ones you
mention below.

> Just another question: could anyone suggest a way to automate checks with
> debsums? And why should I use debsums instead of simply running stuff like
> tiger or integrit? I don't get it.

debsums attempts to detect files which are different from the versions which
were originally installed from .deb archives.  Stuff like tiger and integrit
attempt to detect files which are different from the versions which were
installed at some point in the past.

-- 
 - mdz
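As an added example (not part of the thread), a small POSIX shell check that does what the reply describes: it compares the live filesystem against a trusted, previously saved copy of dpkg's per-package `*.md5sums` files instead of the copies under `/var/lib/dpkg/info`, which an intruder could have regenerated. The snapshot directory, the shell and the `md5sum` binary are assumed to be trusted (e.g. run from read-only media); `check_against_snapshot` is a name chosen here, not a debsums option.

```shell
#!/bin/sh
# Added example, not from the original thread or from debsums itself.
# The trusted snapshot is assumed to have been taken from a known-good
# system, e.g.:  cp -a /var/lib/dpkg/info/*.md5sums /media/trusted/dpkg-info/
# and kept off the host, so a later compromise cannot rewrite it.

# check_against_snapshot SNAPSHOT_DIR [ROOT]
#   SNAPSHOT_DIR: directory holding trusted <pkg>.md5sums files
#   ROOT:         filesystem root to verify (defaults to /)
# Prints "CHANGED <path>" or "MISSING <path>" for every deviation and
# returns 1 if any were found, 0 if everything matched.
check_against_snapshot() {
    snap="$1"
    root="${2:-/}"
    status=0
    for list in "$snap"/*.md5sums; do
        [ -f "$list" ] || continue
        # Each line of a dpkg md5sums file is "<md5hex>  <path relative to root>"
        while read -r expected path; do
            [ -n "$path" ] || continue
            if [ ! -f "$root/$path" ]; then
                echo "MISSING $path"
                status=1
                continue
            fi
            # Hash via stdin so odd file names cannot disturb md5sum's output
            actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
            if [ "$actual" != "$expected" ]; then
                echo "CHANGED $path"
                status=1
            fi
        done < "$list"
    done
    return "$status"
}
```

Only files listed in the snapshot are checked, so, like debsums, this says nothing about files added after installation; it is the trusted snapshot and trusted tools that make the comparison meaningful.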
