Re: Compromised system - still ok?
Geoff Crompton wrote:
So can you be really sure that there was no root kit that successfully
exploited your system? Have you rebooted off a trusted kernel, and
cryptographically checked every single file involved in booting? (Such
as the grub/lilo, kernel, all modules, init), and visually or
cryptographically checked all the rc.* files and /etc/inittab?
Of course, doing all this might mean that you avoid booting the rootkit
next time. But it could still be on the disk, waiting for when the
attacker tries to return!
A friend of mine is a fan of Red Hat. He regularly laughs at Debian because
package content is not signed, so I got interested in these matters. I became
aware of secure apt and dpkg-sig.
He said that after a signed Fedora package is installed (by default, only signed
packages are installed), you can boot from some CD and then check the signatures of
each file of each package. Thus, having only Red Hat's key fingerprint, you can
check all your installed packages.
What I'm asking is if this is possible with dpkg-sig? If not, I think it's
a desirable feature. I didn't find the answer in
http://dpkg-sig.turmzimmer.net/faq.html -- "dpkg-sig is _very_ interesting for
those of us who want to know where a package went, and when." Verifying files
of an already installed package is not mentioned.
Another thing he doesn't like is that the check is based on a signed MD5 hash of
the content instead of on the signed content. Is it true that a signed MD5 is
weaker than signed content?
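
The offline check discussed in this message, as an added Python example (not part of the original post, and not dpkg-sig or rpm code): it verifies files on a mounted disk against a manifest in the md5sum-style format dpkg keeps in /var/lib/dpkg/info/*.md5sums. It assumes the manifest comes from a source you already trust, since a copy read from the suspect disk proves nothing; the function names and the sample tree are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """Parse dpkg-style md5sums lines: '<32 hex digits>  <path relative to />'."""
    manifest = {}
    for line in filter(str.strip, text.splitlines()):
        digest, path = line.split(None, 1)
        if len(digest) != 32:
            raise ValueError("bad digest in line: %r" % line)
        int(digest, 16)  # raises ValueError if not hexadecimal
        manifest[path] = digest.lower()
    return manifest

def file_md5(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()  # whole-file read

def verify(root, manifest):
    """Check files under root (the suspect disk, mounted) against the manifest."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel.lstrip("/"))
        try:
            mode = os.lstat(full).st_mode  # lstat: do not follow a symlink planted on the disk
        except FileNotFoundError:
            results[rel] = "missing"
            continue
        if not stat.S_ISREG(mode):
            results[rel] = "not-regular"  # e.g. a binary replaced by a symlink
        else:
            results[rel] = "ok" if file_md5(full) == expected else "modified"
    return results

def demo():
    """Constructed sample: a temporary tree stands in for the mounted disk."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        for n in ("ls", "ps", "su", "id"):
            (bindir / n).write_bytes(b"original " + n.encode())
        text = "".join("%s  bin/%s\n" % (file_md5(bindir / n), n) for n in ("ls", "ps", "su", "id"))
        (bindir / "ps").write_bytes(b"replaced")   # content changed
        (bindir / "su").unlink()                    # file removed
        (bindir / "id").unlink()
        (bindir / "id").symlink_to("/bin/true")     # file swapped for a symlink
        return verify(root, parse_md5sums(text))
```

Calling demo() returns one status per manifest entry. The symlink case matters on rescue media because an absolute link on the mounted disk would otherwise resolve into the rescue system's own, clean files.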