
Re: Compromised system - still ok?



Geoff Crompton wrote:
So can you be really sure that there was no root kit that successfully exploited your system? Have you rebooted off a trusted kernel, and cryptographically checked every single file involved in booting? (Such as the grub/lilo, kernel, all modules, init), and visually or cryptographically checked all the rc.* files and /etc/inittab? Of course, doing all this might mean that you avoid booting the rootkit next time. But it could still be on the disk, waiting for when the attacker tries to return!

A friend of mine is a fan of Red Hat. He regularly laughs at Debian because package content is not signed, so I got interested in these matters. I became aware of secure apt and dpkg-sig.

He said that after a signed Fedora package is installed (by default, only signed packages are installed), you can boot from some CD and then check the signatures of each file of each package. Thus, having only Red Hat's key fingerprint, you can check all your installed packages.

What I'm asking is whether this is possible with dpkg-sig. If not, I think it's a desirable feature. I didn't find the answer in http://dpkg-sig.turmzimmer.net/faq.html -- "dpkg-sig is _very_ interesting for those of us who want to know where a package went, and when." Verifying files of an already installed package is not mentioned.

Another thing he doesn't like is that the check is based on a signed MD5 hash of the content instead of on the signed content. Is it true that a signed MD5 is weaker than signed content?

Regards,
ogi
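
An added example, not part of the original message and not dpkg-sig's or Red Hat's own code: the file-comparison step of the offline check discussed above. It assumes the suspect disk is mounted under a root directory from trusted boot media and that a manifest in `md5sum` format (digest, two spaces, path relative to the root) came from a trusted source whose signature was verified separately; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse md5sum-style lines: '<hex digest>  <path relative to root>'."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries

def file_md5(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Map each manifest path to 'ok', 'modified', 'missing' or 'unsafe-path'."""
    root = os.path.realpath(root)
    results = {}
    for rel, expected in manifest.items():
        # Resolve symlinks so a link out of the suspect tree is flagged, not read.
        full = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, full]) != root:
            results[rel] = "unsafe-path"
        elif not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if file_md5(full) == expected else "modified"
    return results

def demo():
    """Constructed sample: a fake mounted root, one file altered, one deleted."""
    files = {"bin/ls": b"ls", "sbin/init": b"init", "etc/inittab": b"id:2:initdefault:\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        text = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in files.items())
        text += "0" * 32 + "  ../outside\n"  # constructed entry pointing outside the root
        with open(os.path.join(root, "sbin/init"), "ab") as f:
            f.write(b"!")  # simulate a replaced binary
        os.remove(os.path.join(root, "etc/inittab"))
        return verify_tree(root, parse_manifest(text))

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the manifest: a hash list read from the compromised disk itself proves nothing.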


