
Integrity check against package repository?



Hi!

When there are security updates, I review and install them as soon as
possible and think about using automatic updates.

From time to time I want to boot from a clean boot CD and check if the
system has been compromised.

For that reason, I want to check if any packages / binaries have been
modified, check the bootloader, check for rootkits.

Let's suppose I booted from a clean boot CD and mounted the hdd filesystem.

How can I get list of all sha256 hash sums of all installed binaries and
configuration files and check them against the versions from Debian
repository?

I have looked into intrusion detection systems (debsums), Afick, AIDE,
FCheck, Integrit, Osiris, OSSEC, Samhain, Tripwire, but they all have in
common that they want to create a known-good database before auditing.
This doesn't scale very well, because updates are pretty frequent, which
render that known-good database less useful. Re-creating the known-good
database after updating isn't very safe either - let's say apt-get had a
bug and installed a malicious package, then the checksum of that
malicious package would end up in the known-good database.

I think the real solution is checking against the distribution's package
repository. How can I do that?

Cheers,
adrelanos
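The comparison the question asks for, as an added example (not code from the poster or from Debian): the trusted reference is a package tree fetched and unpacked on the clean host (for instance `apt-get download <pkg>` followed by `dpkg-deb -x <pkg>.deb ref/`), never the `/var/lib/dpkg/info/*.md5sums` lists on the suspect disk, which an attacker with root could have rewritten. The script hashes every regular file in the reference tree with SHA-256, compares it with the same path under the mounted root, and separates conffiles (which legitimately differ after local editing) from binaries that must match byte for byte. It also lists files under chosen directories that no reference package provides, which is only meaningful when the reference tree is the union of all installed packages. The directory names, file contents and the conffile set in `demo()` are constructed sample data.

```python
#!/usr/bin/env python3
"""Check a mounted root filesystem against a trusted, unpacked package tree.

Assumed layout (example, not a Debian tool):
  ref/  - files extracted from repository .debs on the clean host (dpkg-deb -x)
  mnt/  - the suspect root filesystem mounted from the rescue CD
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file below root.

    Symlinks are skipped: they carry no content of their own, and following a
    link planted on the suspect disk could walk us into attacker-chosen paths.
    """
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        out[str(p.relative_to(root))] = sha256_file(p)
    return out


def compare(reference, mounted, conffiles=(), extra_dirs=()):
    """Compare the mounted root against the reference tree.

    Returns a dict with:
      modified         - files whose content differs from the repository copy
      changed_conffile - conffiles that differ (expected after local edits; review, not alarm)
      missing          - files the package ships but the disk lacks
      extra            - files under extra_dirs that no reference package provides
      ok               - count of files matching exactly
    """
    ref = manifest(reference)
    mnt = manifest(mounted)
    conffiles = set(conffiles)
    report = {"modified": [], "changed_conffile": [], "missing": [], "extra": [], "ok": 0}

    for rel, digest in sorted(ref.items()):
        if rel not in mnt:
            report["missing"].append(rel)
        elif mnt[rel] != digest:
            key = "changed_conffile" if rel in conffiles else "modified"
            report[key].append(rel)
        else:
            report["ok"] += 1

    # Unowned files in sensitive directories (dropped binaries, backdoors). Only
    # trustworthy when `reference` covers every installed package.
    for rel in sorted(mnt):
        if rel in ref:
            continue
        if any(rel.startswith(d.rstrip("/") + "/") for d in extra_dirs):
            report["extra"].append(rel)
    return report


def build_demo(tmp):
    """Constructed sample trees: one trojaned binary, one missing binary,
    one locally edited conffile and one unowned file in usr/bin."""
    files = {
        "ref/usr/bin/ls": b"clean ls binary",
        "ref/usr/bin/ps": b"clean ps binary",
        "ref/etc/demo.conf": b"setting=1\n",
        "mnt/usr/bin/ls": b"trojaned ls binary",
        "mnt/etc/demo.conf": b"setting=2\n",
        "mnt/usr/bin/unknown": b"binary not shipped by any package",
    }
    for rel, data in files.items():
        p = Path(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(tmp, "ref"), Path(tmp, "mnt")


def demo():
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, mnt = build_demo(tmp)
        return compare(ref, mnt, conffiles={"etc/demo.conf"}, extra_dirs=("usr/bin",))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use, point `reference` at a directory into which every installed package's `.deb` (as listed by `dpkg -l` read from the mounted disk, then re-fetched from the repository on the clean host) has been extracted, and pass the package's declared conffiles so edited configuration is reported separately from tampered binaries. Anything in `modified` or `extra` under `usr/bin`, `usr/sbin`, `lib` or the kernel and bootloader paths deserves manual inspection; debsums-style per-package MD5 lists should not be the source of truth here, since they live on the very disk being audited.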

