
Re: Binary Security & md5sums



Brad Tilley said:
> We run md5sums on all system binaries on our Debian servers and tar the
> actual binaries to a file and then burn everything to CD with other data
> about the server for security reasons. Do any other Debian users do
> this? Is it worth the effort? Is this too paranoid?
>
> Below are the commands we use to do this:
>
> cd /bin
> md5sum * | mail -s "md5sums on pine from bin" admis@email.edu
> tar cvzpf bin.tar.gz * && mv bin.tar.gz /root

Depends how much time you have; I prefer to use a more automated solution
such as Tripwire or PureSecure (an integrated IDS which I use). Though to date
I haven't seriously deployed the file integrity checking tools they offer;
it requires a lot of overhead to manage the data. If you only have one
server it's not so bad; I have about 30 or so... too much work for me on
top of everything else.

And are you only checking /bin? I would be checking a lot more files,
especially /etc/* and /lib/*. One thing that would be nice is if there
was a Debian package that could automate it for you. I ran SuSE 8's backup
tool for the first time not long ago and it had the option of finding
all files that were not part of the packages as well as files that had
changed since the package was installed (by checking the md5sums). It was
really slow (slow laptop), but it seemed to be quite complete. Last I
read, though, not all Debian packages come with a list of md5sum'd files.

I would recommend an automated solution though over that, so it can
alert you to changes. Of course setting up a secure system is kind
of difficult. PureSecure logs stuff to a MySQL database (along with
Snort events and service monitoring events), so that has a bit more
security, but it's far from perfect.

nate
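
The kind of automated check discussed in this thread, as an added example that is not part of either post: it compares files against md5sum-format lists and reports files that changed, files that are missing, and files no list covers. The function names and the demo tree are hypothetical and constructed for illustration.

```python
import hashlib, os, tempfile
from pathlib import Path

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def load_md5sums(list_path):
    """Parse md5sum-format lines: '<32 hex digits>  <path relative to root>'."""
    expected = {}
    with open(list_path, encoding="utf-8", errors="surrogateescape") as f:
        for line in f:
            digest, sep, rel = line.rstrip("\n").partition("  ")
            if sep and len(digest) == 32:
                expected[rel] = digest.lower()
    return expected

def audit(root, list_paths, scan_dirs):
    """Check listed files under root; flag unlisted regular files in scan_dirs."""
    expected = {}
    for lp in list_paths:
        expected.update(load_md5sums(lp))
    report = {"changed": [], "missing": [], "unowned": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif file_md5(full) != digest:
            report["changed"].append(rel)
    for d in scan_dirs:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if not os.path.islink(full) and rel not in expected:
                    report["unowned"].append(rel)
    report["unowned"].sort()
    return report

if __name__ == "__main__":  # constructed demo: ls intact, ps altered, extra unlisted
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    for name, data in (("ls", b"ls"), ("ps", b"altered"), ("extra", b"x")):
        (root / "bin" / name).write_bytes(data)
    (root / "pkg.md5sums").write_text("".join(
        f"{hashlib.md5(n.encode()).hexdigest()}  bin/{n}\n" for n in ("ls", "ps")))
    print(audit(root, [root / "pkg.md5sums"], ["bin"]))
```

On a Debian system the per-package lists are the `/var/lib/dpkg/info/*.md5sums` files. A check like this is only as trustworthy as the lists it reads, so keep a reference copy off the server, for example on the CD described in the quoted post.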




