Re: security idea - bootable CD to check your system

[andy baxter <andy@earthsong.free-online.co.uk>]

The difference is that:

a) These all run on the live system they are trying to protect, so in 
principle they can be neutralised at the same time as the system is 
attacked, the same as any other binary. E.g. like the way attackers 
modify system programs like 'find' to hide files they have installed.
b) Their databases need to be updated every time you update your system, 
whereas this approach would update itself automatically whenever you 
downloaded a new package or update.

andy.

Felix Windt wrote:
> Tripwire, integrit and aide all perform something similar to what you
> described.
>
>   
> > -----Original Message-----
> > From: andy baxter [mailto:andy@earthsong.free-online.co.uk] 
> > Sent: Sunday, June 24, 2007 7:23 AM
> > To: debian-security@lists.debian.org
> > Subject: security idea - bootable CD to check your system
> >
> > hello,
> >
> > I am writing to ask what you think of the following idea? 
> > Something that I would like to see is a bootable CDROM which 
> > can check all the packages on a debian system. My idea is 
> > that it would work roughly as follows:
> >
> > - You halt the machine and put in a bootable CD, then reboot.
> > - The machine boots from the CD, which is read-only and known 
> > to be good.
> > - It boots into a minimal linux system which will do nothing but the
> > following:
> > - ask you whether you are booting for the first or second time.
> > - Read a floppy or other removable media to find 
> > configuration information for the machine being checked.
> > - Read the host machine's hard drive to find a list of all 
> > installed packages.
> > - Connect once to the network to retrieve a list of files and 
> > their checksums for each of these packages from a debian 
> > server. This list could be saved either to a designated 
> > partition on the hard drive, or to removable media.
> > - Disconnect from the network.
> > - Reboot itself.
> > - The second time round, don't connect to the network.
> > - instead, check all the binaries (and optionally config 
> > files) against the checksums.
> > - generate some kind of easy to read report on screen, or 
> > else save it to removable media.
> >
> > Do you think this would work (i.e. be a good check on whether 
> > your system has been compromised), and is it worth doing? I'm 
> > not sure if I have the skills to take on something like this 
> > all by myself, but I would be willing to put some time in to 
> > help where I can if anyone else wants to have a go at it.
> >
> > Alternatively, if people don't think it's worth your while 
> > developing something like this, where should I start looking 
> > to try to put it together myself, and is there anyone at 
> > debian who might be able to help me?
> >
> > yours,
> >
> > andy baxter.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact 
> > listmaster@lists.debian.org
> >
> >