
Re: How reliable is "debsums"?

On Thu, Sep 26, 2002 at 09:54:28AM +0200, Javier Fernández-Sanguino Peña wrote:

> On Wed, Sep 25, 2002 at 03:59:05PM -0400, Matt Zimmerman wrote:
> > 
> > The same applies for any intrusion detection tool, including the ones you
> > mention below.
> (...)
> 	Not quite exact.

You took this sentence out of context.  The preceding paragraph was:

> > If you want to use debsums as an intrusion detection tool (that is not
> > its sole purpose), then you must save a trusted copy of the dpkg
> > database (/var/lib/dpkg) and run a trusted copy of debsums against that
> > within a trusted execution environment.

And that absolutely _does_ (yes, quite exact) apply to all such tools.
Whether they are looking for previously calculated checksums, or for rootkit
signatures, if their database is not trusted, then it could have been
completely disabled by an attacker at any point in the past without your

> 	Integrit yes. Tiger yes/no. As a matter of fact tiger has:
> 1.- a module to check against known vulnerable checksums (not updated for
> Debian)
> 2.- a module that uses tripwire
> 3.- a module that uses debsums
> 	User can run whichever he likes best. Just FYI.

Sounds nice.  I tried tiger for a short time, but received far too many
notifications about things which were not wrong, for Debian or for many
other systems.

 - mdz
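
The point argued in the message above, that a checksum check is only as trustworthy as the database it reads, shown as an added shell example that is not part of the original message or of debsums. It uses md5sum directly over a constructed directory tree; the function names, the sample package name and the paths are hypothetical.

```shell
# Check files under ROOT against the <pkg>.md5sums lists in DB/info, where
# each line is "<md5>  <path relative to root>". Prints one line per problem
# and returns 1 if any listed file is missing or changed.
verify_against_db() {
    db=$1 root=$2 status=0
    for list in "$db"/info/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        while read -r want path; do
            [ -n "$path" ] || continue
            if [ ! -f "$root/$path" ]; then
                echo "MISSING $pkg /$path"; status=1; continue
            fi
            have=$(md5sum < "$root/$path" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "CHANGED $pkg /$path"; status=1
            fi
        done < "$list"
    done
    return $status
}

# Constructed sample: a fake root holding one packaged file, a trusted DB copy
# saved before the change, and an on-host DB whose checksum list was rewritten
# together with the file.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin" "$d/trusted/info" "$d/onhost/info"
    printf 'original ls\n' > "$d/root/bin/ls"
    sum=$(md5sum < "$d/root/bin/ls" | cut -d' ' -f1)
    echo "$sum  bin/ls" > "$d/trusted/info/coreutils.md5sums"
    printf 'replaced ls\n' > "$d/root/bin/ls"
    sum=$(md5sum < "$d/root/bin/ls" | cut -d' ' -f1)
    echo "$sum  bin/ls" > "$d/onhost/info/coreutils.md5sums"
    echo "$d"
}

demo=$(make_demo)
# The on-host list agrees with the replaced file, so this check passes.
verify_against_db "$demo/onhost" "$demo/root" && echo "on-host DB: reports clean"
# The saved copy still holds the original checksum, so this check fails.
verify_against_db "$demo/trusted" "$demo/root" || echo "trusted DB: change detected"
rm -rf "$demo"
```

The same reasoning covers the checking program and the environment it runs in, which this example does not model.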
