
Re: security idea - bootable CD to check your system



* andy baxter <andy@earthsong.free-online.co.uk> [070624 18:19]:
> I've tried using debsums - however it's not really a good check on your 
> system because the program and the data it's using both come from the 
> system you are trying to check, so could be compromised. Also, it seems 
> to miss out many important packages - e.g. here's the standard error 
> output from a recent run of debsums on my server:

I had someone in the past considered this, too. First of all debsums's
main advantage is looking for unintended changes (and it's indeed a shame
so many of the important packages come without, that makes bad RAM or
unreliable controllers a much larger hassle than they needed to be).

To make anything security relevant out of them, the CD would need to
have checksums of the contents of those files (for the different
versions of the packages) and the missing md5sum files on it.

But even that would only make sure none of the official files are
changed, while it is easier to cause harm by simply adding stuff.
(Even changing can happen by just uninstalling and putting the stuff
manually in there).

So the whole thing would have to be combined with something like a
security focused checker (perhaps similar to cruft).

That together with some code to automatically detect the system and
use the right partitions at the right place would surely be a nice tool,
but it would for sure be an enormous amount of work before anything
halfway useful comes out of it.

So good luck and let me know when it is finished. (Because I doubt
anyone else will find the time to do it).

Respectfully,
	Bernhard R. Link
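
The two checks this message describes, as an added example that is not part of the original post: compare a mounted system against checksums carried on trusted media, then list files that no manifest accounts for. The function names, the `usr/bin` scan directory and the sample tree are constructed for illustration; the manifest is assumed to use the `<md5>  <relative path>` layout of dpkg md5sums files.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse '<hex>  <relative path>' lines into {path: hex}."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {path.strip(): digest.lower() for digest, path in pairs}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit(root, trusted, scan_dirs):
    """Compare the tree mounted at root with a manifest read from trusted media."""
    report = {"modified": [], "missing": [], "unlisted": []}
    # First pass: every file the manifest knows must exist and match.
    for rel, digest in sorted(trusted.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_of(full) != digest:
            report["modified"].append(rel)
    # Second pass: files in package-owned directories that no manifest lists.
    for d in scan_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in trusted:
                    report["unlisted"].append(rel)
    report["unlisted"].sort()
    return report

def build_demo(root):
    """Constructed sample tree: one intact, one altered, one removed, one added file."""
    os.makedirs(os.path.join(root, "usr/bin"))
    good = {"usr/bin/ls": b"ls-v1", "usr/bin/ps": b"ps-v1", "usr/bin/top": b"top-v1"}
    manifest = "".join(f"{hashlib.md5(c).hexdigest()}  {p}\n" for p, c in good.items())
    on_disk = {"usr/bin/ls": b"ls-v1", "usr/bin/ps": b"ps-TAMPERED", "usr/bin/.hidden": b"x"}
    for p, c in on_disk.items():
        with open(os.path.join(root, p), "wb") as f:
            f.write(c)
    return manifest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit(root, parse_md5sums(build_demo(root)), ["usr/bin"]))
```

The `unlisted` list is the part a checksum-only comparison never produces, and it is only meaningful when the interpreter, this script and the manifest all come from the boot medium rather than the disk under inspection.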


