Re: Compromised system - still ok?
Geoff Crompton wrote:
So can you be really sure that there was no root kit that successfully 
exploited your system? Have you rebooted off a trusted kernel, and 
cryptographically checked every single file involved in booting? (Such 
as the grub/lilo, kernel, all modules, init), and visually or 
cryptographically checked all the rc.* files and /etc/inittab?
Of course, doing all this might mean that you avoid booting the rootkit 
next time. But it could still be on the disk, waiting for when the 
attacker tries to return!
A friend of mine is a fan of Red Hat.  He regularly laughs at Debian because 
package content is not signed, so I got interested in these matters.  I became 
aware of secure apt and dpkg-sig.
He said that after a signed Fedora package is installed (by default, only signed 
packages are installed), you can boot from some CD and then check the signatures of 
each file of each package.  Thus, having only Red Hat's key fingerprint, you can 
check all your installed packages.
What I'm asking is whether this is possible with dpkg-sig.  If not, I think it's 
a desirable feature.  I didn't find the answer in 
http://dpkg-sig.turmzimmer.net/faq.html -- "dpkg-sig is _very_ interesting for 
those of us who want to know where a package went, and when."  Verifying the files 
of an already installed package is not mentioned.
Another thing he doesn't like is that the check is based on a signed MD5 hash of 
the content instead of on the signed content.  Is it true that a signed MD5 is 
weaker than signed content?
Regards,
ogi
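
The offline check discussed in this message (boot from trusted media, then compare every installed file against a recorded hash), as an added example that is not part of the original post. It reads dpkg's md5sums line format ("<md5>  <relative path>", as found in /var/lib/dpkg/info/*.md5sums) and checks a tree mounted at a given root. The function names and demo files are constructed, and the manifest is assumed to come from a trusted source, since the copy on the inspected disk is not signed.

```python
import hashlib
import os
import tempfile

def file_md5(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(manifest_text, root):
    """Check files under `root` (e.g. the suspect disk mounted at /mnt)
    against md5sums-format lines. Returns {relative_path: status}."""
    results = {}
    for line in manifest_text.splitlines():
        if len(line) < 35:
            continue  # blank or malformed line
        # 32 hex digits, two separator characters, then the path
        expected, rel = line[:32].lower(), line[34:]
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            results[rel] = "missing"
        elif os.path.islink(path) or not os.path.isfile(path):
            # md5sums lists regular files only; a symlink here could
            # also point outside `root`, into the rescue system.
            results[rel] = "not-regular"
        else:
            results[rel] = "ok" if file_md5(path) == expected else "modified"
    return results

def demo():
    """Constructed sample: three files, then tampering after the manifest."""
    files = {"bin/ls": b"original ls\n", "bin/ps": b"original ps\n",
             "bin/netstat": b"original netstat\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n"
                           for rel, d in files.items())
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"replaced ps\n")            # changed after install
        os.remove(os.path.join(root, "bin/netstat"))  # deleted
        return verify_manifest(manifest, root)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:12} {rel}")
```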