
Re: Detecting a compromised system



"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> On Sunday 15 February 2009 13:06:29 Nikolaus Rath wrote:
>> I expected that it would be pretty easy to spot these modifications.
>> So I did exactly the above and then tried to "detect" my changes.
>>
>> I first looked for any additional packages that might help me with
>> this and installed (and configured to the best of my knowledge)
>> checksecurity and tiger.
>
> Most security audit tools actually depend on being able to inventory
> the system before an attack. Installing them after you are 'sploited
> doesn't help.
>
> Try installing them, then making a change that's not detectable.

Generally, you're right. But why do I need to make an explicit
snapshot of the system if all Debian packages already contain the
necessary information? Is there no tool available that makes use of
it? This would also eliminate the need to make a new system snapshot
after each security upgrade. 

Best,


   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C
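
Added example, not part of the original message: a sketch of the check the message asks about, assuming the per-package checksum lists that dpkg keeps as /var/lib/dpkg/info/<package>.md5sums (one line per file: MD5 digest, whitespace, path relative to /). The function names and the sample package tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Yield (md5_hex, relative_path) pairs from dpkg-style md5sums content."""
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)  # path may contain spaces
            yield digest.lower(), path.strip().lstrip("/")

def file_md5(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(md5sums_text, root="/"):
    """Return {relative_path: 'ok' | 'modified' | 'missing'} for one list."""
    results = {}
    for digest, rel in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if file_md5(full) == digest else "modified"
    return results

def demo():
    """Constructed sample: build a fake package tree, alter it, verify it."""
    files = {
        "usr/bin/tool": b"original binary\n",
        "usr/lib/tool/helper": b"helper\n",
        "usr/share/doc/tool/README": b"docs\n",
    }
    with tempfile.TemporaryDirectory() as root:
        listing = ""
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            listing += f"{hashlib.md5(data).hexdigest()}  {rel}\n"
        # Changes made after "installation": one file replaced, one removed.
        with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
            f.write(b"replaced binary\n")
        os.remove(os.path.join(root, "usr/lib/tool/helper"))
        return verify(listing, root)

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The checksum lists sit on the same disk as the files they describe and normally leave out configuration files, so a clean result only means something when the lists come from a trusted copy.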

