
Re: How do I keep tripwire db in sync with apt-get updates?



In <AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com>, Josh Narins wrote:
>Installing packages, updating packages, removing packages.
>
>These basic operations result in lots of tripwire noise. Was the
>change to /usr/sbin/zic part of a legitimate update, or a
>super-secret-stealth attack?
>
>At this point I wish I could md5sum every binary and library file
>managed by the OS and compare that to some authoritative source.

You may be interested in debsums, then.  You could possibly use it to 
determine if a file (but, not a conffile) updated by a package upgrade / 
installation is the one shipped from Debian or an attacker taking advantage of 
the window between package upgrade and tripwire scan.

In theory, it could be possible for dpkg/apt to update the tripwire database 
automatically.  I recommend against it, since then subverting dpkg/apt allows 
an attacker to subvert tripwire.  Because of different focuses, I think the 
tripwire code is much harder to subvert than the dpkg/apt code.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
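As an added illustration of the mechanism debsums relies on (this is example code, not part of the thread or of the debsums project): dpkg records, at install time, one checksum list per package under /var/lib/dpkg/info/<package>.md5sums, each line holding an MD5 and a path relative to /. debsums simply recomputes those checksums and reports mismatches. The script below does the same against a constructed list in a scratch directory so it runs offline; the package name tzdata-demo, the file contents and the "removed-tool" entry are all made up. Two points from the reply carry over: conffiles are normally absent from these lists, so this check says nothing about them, and the lists live on the same host as dpkg, so they are only as trustworthy as dpkg itself.

```shell
#!/bin/sh
# Added example, not from the original thread: verify files against a
# dpkg-style .md5sums list (the data debsums reads). All paths, package
# names and file contents below are constructed for the demonstration.

# verify_md5sums ROOT LISTFILE
# Reads lines of "<md5>  <relative path>" and prints OK, FAILED or MISSING
# per entry. Returns non-zero if any entry is not OK.
verify_md5sums() {
    root=$1
    list=$2
    rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK      $path"
        else
            echo "FAILED  $path"
            rc=1
        fi
    done < "$list"
    return $rc
}

# build_demo_root DIR
# Populates a scratch root with a fictitious package "tzdata-demo" whose
# list covers one intact file, one file modified after the checksums were
# recorded, and one file that has been removed.
build_demo_root() {
    dir=$1
    mkdir -p "$dir/usr/sbin" "$dir/var/lib/dpkg/info"
    printf 'intact binary\n' > "$dir/usr/sbin/zic"
    printf 'original content\n' > "$dir/usr/sbin/tzselect"
    # Record checksums the way dpkg would at install time (constructed list).
    {
        echo "$(md5sum "$dir/usr/sbin/zic" | cut -d' ' -f1)  usr/sbin/zic"
        echo "$(md5sum "$dir/usr/sbin/tzselect" | cut -d' ' -f1)  usr/sbin/tzselect"
        echo "d41d8cd98f00b204e9800998ecf8427e  usr/sbin/removed-tool"
    } > "$dir/var/lib/dpkg/info/tzdata-demo.md5sums"
    # Simulate a change to one file after installation.
    printf 'tampered content\n' > "$dir/usr/sbin/tzselect"
}

# count_status ROOT LISTFILE STATUS
# Number of entries reported with the given status (OK, FAILED, MISSING).
count_status() {
    verify_md5sums "$1" "$2" | grep -c "^$3 " || true
}

# Stand-alone run: build the scratch root, report, clean up.
demo=$(mktemp -d)
build_demo_root "$demo"
verify_md5sums "$demo" "$demo/var/lib/dpkg/info/tzdata-demo.md5sums" \
    || echo "tzdata-demo: some files do not match the recorded checksums"
rm -rf "$demo"
```

On a real Debian system the equivalent check is `debsums <package>` (or `debsums -c` to list only changed files); the script's ROOT argument would be `/` and the list file one of the /var/lib/dpkg/info/*.md5sums entries.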
