[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Integrity check against package repository?


When there are security updates, I review and install them as soon as
possible and think about using automatic updates.

>From time to time I want to boot from a clean boot CD and check if the
system has been compromised.

For that reason, I want to check if any packages / binaries have been
modified, check the bootloader, check for rootkits.

Let's suppose I booted from a clean boot CD and mounted the hdd filesystem.

How can I get list of all sha256 hash sums of all installed binaries and
configuration files and check them against the versions from Debian

I have looked into intrusion detection systems (debsums,) Afick, AIDE,
FCheck, Integrit, Osiris, OSSEC, Samhain, Tripwire, but they all have in
common, that they want to create a known-good database before auditing.
This doesn't scale very well, because updates are pretty frequent, which
render that known-good database less useful. Re-creating the known-good
database after updating isn't very safe either - let's say apt-get had a
bug and installed a malicious package, then the checksum of that
malicious package would end up in the known-good database.

I think the real solution is checking against the distribution's package
repository. How can I do that?


Reply to: