In <AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com>, Josh Narins wrote: >Installing packages, updating packages, removing packages. > >These basic operations result in lots of tripwire noise. Was the >change to /usr/sbin/zic part of a legitimate update, or a >super-secret-stealth attack? > >At this point I wish I could md5sum every binary and library file >managed by the OS and compare that to some authoritative source. You may be interested in debsums, then. You could possibly use it to determine if a file (but, not a conffile) updated by a package upgrade / installation is the one shipped from Debian or an attacker taking advantage of the window between package upgrade and tripwire scan. In theory, it could be possible for dpkg/apt to update the tripwire database automatically. I recommend against it, since then subverting dpkg/apt allows an attacker to subvert tripwire. Because of different focuses, I think the tripwire code is much harder to subvert than the dpkg/apt code. -- Boyd Stephen Smith Jr. ,= ,-_-. =. firstname.lastname@example.org ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Description: This is a digitally signed message part.