
Re: How do I keep tripwire db in sync with apt-get updates?



Hi, Boyd:

On Tuesday 09 November 2010 03:39:58 Boyd Stephen Smith Jr. wrote:
> In <AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com>, Josh Narins wrote:
> >Installing packages, updating packages, removing packages.
> >
> >These basic operations result in lots of tripwire noise. Was the
> >change to /usr/sbin/zic part of a legitimate update, or a
> >super-secret-stealth attack?

[...]

> In theory, it could be possible for dpkg/apt to update the tripwire
> database automatically.  I recommend against it, since then subverting
> dpkg/apt allows an attacker to subvert tripwire.  Because of different
> focuses, I think the tripwire code is much harder to subvert than the
> dpkg/apt code.

Well, dpkg/apt should trigger a tripwire hash recomputation, and it should be 
tripwire that looks after the proper debsum and is instructed to accept it 
prior to updating the database (or not), not the other way around.  I think 
that should restrict the attack profile.  After all, tripwire wouldn't do 
anything you wouldn't do by hand anyway.

Cheers.
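The ordering argued for in this thread (verify the package's own checksums first, then let the operator accept the change into the tripwire database), as an added shell sketch that is not from this thread or from the tripwire or dpkg projects; the hook path /usr/local/sbin/tw-apt-hook, the package name "fakepkg" and the fixture contents are assumptions.

```shell
#!/bin/sh
# Constructed sketch of an apt DPkg::Post-Invoke hook (not Debian's or
# tripwire's code). Order of operations: verify every installed file against
# the package's own md5sums (what debsums does) and only then run tripwire's
# check so the operator accepts the new hashes into the database.

# verify_pkg_sums PKG [ROOT]: md5sums files list paths relative to /,
# so run md5sum -c from ROOT. Returns 0 only if every listed file matches.
verify_pkg_sums() {
    pkg=$1; root=${2:-/}
    sums="$root/var/lib/dpkg/info/$pkg.md5sums"
    [ -r "$sums" ] || { echo "no md5sums for $pkg" >&2; return 2; }
    (cd "$root" && md5sum --status -c "$sums")
}

# verify_all [ROOT]: check every package that ships an md5sums file.
verify_all() {
    root=${1:-/}; rc=0
    for f in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$f" ] || continue
        p=${f##*/}; p=${p%.md5sums}
        verify_pkg_sums "$p" "$root" || { echo "debsum mismatch: $p" >&2; rc=1; }
    done
    return $rc
}

# post_invoke_hook: install as /usr/local/sbin/tw-apt-hook (assumed path) and
# reference it from a file in /etc/apt/apt.conf.d/, e.g.
#   DPkg::Post-Invoke { "/usr/local/sbin/tw-apt-hook"; };
# tripwire --check --interactive opens the report for review and asks for the
# local passphrase, so accepting the update stays a deliberate operator action.
post_invoke_hook() {
    verify_all / || { echo "refusing to touch tripwire db" >&2; return 1; }
    command -v tripwire >/dev/null 2>&1 || { echo "tripwire not installed" >&2; return 1; }
    tripwire --check --interactive
}

# make_fixture DIR: constructed mini-root with one made-up package, "fakepkg",
# owning usr/sbin/zic (the file questioned in the thread), for exercising the
# checks without touching the real system.
make_fixture() {
    mkdir -p "$1/var/lib/dpkg/info" "$1/usr/sbin"
    printf 'constructed stand-in for zic\n' > "$1/usr/sbin/zic"
    (cd "$1" && md5sum usr/sbin/zic > var/lib/dpkg/info/fakepkg.md5sums)
}

if [ "${0##*/}" = tw-apt-hook ]; then post_invoke_hook; fi
```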
