Re: security idea - bootable CD to check your system

[andy baxter <andy@earthsong.free-online.co.uk>]

Stephan Wehner wrote:
> > > I have the impression there are projects already, that would do to the
> > > job with some tweaking (tripwire, ..)
> > >
> > Maybe, although I can't see how you get round the problem that you need
> > to update the checksum database every time you install new or updated
> > software.
>
> Ok, I see your problem: you want some other source, not your system,
> to hold the values (checksums) that ensure integrity. But you do not
> mind that it is online (not available when your system is not
> connected to the Internet)
>
> So when you run a security-check, and new software has been added, you
> might as well define a route to a place to hold the
> newly-to-be-calculated checksums (CD-ROM/USB stick, outside server
> where you can post/read, gmail-filesystem, etc).
The idea of doing it this way was that you can run a check at any time 
without having to keep updating the checksum database yourself, because 
it's automatically updated online whenever a new package comes out.
> A worthwhile ambition, where I still feel it'll be as hard to make it
> debian-only as not. Another point is that configuration files play a
> big part in the security of your system and a debian-only package
> checksum will not be able to capture the state of locally changed
> configurations. For example if your fstab says "mount this partitiion
> read-only" then you would like to be notified by your check if that
> has been changed (maliciously).
From what you and other people have said, I'm realising that running a 
secure system isn't as simple as I had thought at first. What I'm 
thinking of doing is putting this idea to the back of my mind for a 
while, and meanwhile concentrating on learning how to secure my network 
better with the existing tools. Hopefully, once I've got some experience 
with this, then I'll be able to see a bit better how far the process can 
be automated.

Thanks to everyone who has replied for your time.

andy baxter.
> > andy
> > > Plus, you might as well bundle the check with a backup-system, since
> > > you are already looking at your system at rest, and no services are
> > > running to worry about.
> > >
> > > Stephan
> > >
> > > On 6/24/07, andy baxter <andy@earthsong.free-online.co.uk> wrote:
> > >> Jim Popovitch wrote:
> > >> > On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
> > >> >
> > >> >> The difference is that:
> > >> >>
> > >> >> a) These all run on the live system they are trying to protect,
> > >> >>
> > >> >
> > >> > Unless you configure them to only write to an offline mount 
> > point that
> > >> > is normally ro and only rw through external effort.... which is in
> > >> > Tripwire's best practices.
> > >> >
> > >> > -Jim P.
> > >> >
> > >> OK, this would work. The problem for me is that it would involve 
> > turning
> > >> the media r/w and updating the database every time I run apt-get to
> > >> install security updates, which I do once a week. If I was running a
> > >> large server farm and I was looking after it full time, this would be
> > >> OK, but my situation is that I have two machines, both for 
> > personal use,
> > >> and I don't want to have to devote my entire life to looking after 
> > the
> > >> security on them. The machines are a laptop for general use, and a
> > >> server which I use for testing and demonstrating small web-based
> > >> projects I do for people on a voluntary basis. They are connected 
> > to the
> > >> internet by ADSL, with only the server set to accept incoming
> > >> connections.
> > >>
> > >> The other night, I had my laptop switched on and a sound file I had
> > >> never heard before played through the speaker (it said 'hello' in
> > >> someone else's voice). I'm assuming I've been cracked and it was
> > >> someone's idea of a joke. I've halted the server in case that was 
> > their
> > >> way in, and I'm planning to reinstall both my machines this week, but
> > >> also looking for a more long term solution which I could put some 
> > time
> > >> into now and save myself and anyone else who wants to use it a lot of
> > >> trouble in the future.
> > >>
> > >> What I'm looking for is a solution where I can do security updates 
> > every
> > >> week, as my first line of defence, but then have a fallback way of
> > >> detecting intrusions which I could run maybe every month, which 
> > doesn't
> > >> need too much work to keep on top of it once it's been set up. I can
> > >> probably find ways of improving my security using existing tools, 
> > but it
> > >> occurred to me that the system I described would be a pretty 
> > watertight
> > >> check on whether a system has been cracked, which is what I'm looking
> > >> for.
> > >>
> > >> andy baxter.
> > >>
> > >>
> > >> --
> > >> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > >> with a subject of "unsubscribe". Trouble? Contact
> > >> listmaster@lists.debian.org
> > >>
> > >>
> > >
> > >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact 
> > listmaster@lists.debian.org