[Hampshire] File Integrity Check

Author: Russell Gadd
To: Hampshire
Subject: [Hampshire] File Integrity Check
I would like to set up a file integrity check as a security measure on a
standalone (home) PC (I know this is closing the stable door after the horse
has bolted). One problem with such measures is to avoid running it within a
compromised system as any malware could interfere with the operation of the
checking program or the signature database. I have an idea which is outlined
below which may contain some fundamental flaws so I would welcome any
comments.

I would use a second system multibooted on the same PC. My boot manager can
set up a partition for the target system to be checked (I'll call it "Main")
and a separate partition for the checking system ("Checker"). On booting the
boot manager rewrites the Master Boot Record partition table so that Main
only sees its own partition. But when Checker is booted it sees both with
Main's partition mounted read-only under a subdirectory of its own root.
Checker will create and check MD5 signatures for an appropriate subset of
Main's file structure, probably using AIDE or possibly Tripwire.

Absolute paranoia would suggest that malware on Main's partition could look
at the "free space" on the rest of the hard drive and work out where
Checker's partition is located and get to the database or programs on
Checker - this is such a remote possibility that I'm not going to consider
it.

In practice Main's partition will be an extended partition with several
logical Ext3 partitions. I'm using Debian.

I know nothing of the internal details of the management of Ext3 file
structures - will this cause problems in Checker? I presume as Main's
partition will be mounted read-only it won't affect Main, but maybe
read-only status doesn't necessarily mean that a kernel can't alter the
directory structures on this partition?

Have I a problem with users and groups? Do I need to make sure that the
users and groups of Checker are a superset of Main's?

This does seem to have parallels with using a live CD such as Knoppix to
manipulate partitions on a system located on a hard drive, but I've no
experience of using this.

I don't want to proceed with it if there are basic reasons why this is a
dumb idea, so any feedback would be much appreciated.

Russell
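The baseline-and-check step described in the post, as an added shell example that is not part of the original message and not AIDE's or Tripwire's own code. It assumes a hypothetical layout in which Main's ext3 partition (a placeholder device) is mounted read-only under a subdirectory of Checker's root, builds a hash baseline of the tree with relative paths, and on a later run classifies each change as added, missing or modified. One relevant point for the read-only question raised above: on ext3 a plain `ro` mount still lets the kernel replay the journal, which is a write to the partition; the `noload` option skips that replay. The example uses sha256sum rather than the md5sum the post proposes, because MD5 collisions are practical today; swapping the command back is a one-word change.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal baseline/check
# routine of the kind AIDE and Tripwire automate. Device and mount point
# names below are placeholders.

# Mount Main's partition read-only from Checker. "ro" alone still allows
# journal replay on ext3; "noload" prevents it. Not called by the
# functions below; shown for the boot-into-Checker step.
mount_main_ro() {
    mount -t ext3 -o ro,noload "$1" "$2"    # e.g. /dev/sdaN /mnt/main
}

# build_baseline DIR OUT: one "hash  ./path" line per regular file under
# DIR, sorted, with paths relative to DIR so the baseline does not depend
# on where Main happens to be mounted.
build_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# check_baseline DIR BASELINE: rebuild the hashes for DIR, compare with
# BASELINE, print one "ADDED|MISSING|MODIFIED path" line per difference
# and return 1 if anything changed (0 when the tree matches).
# Paths containing whitespace are not handled by this simple awk join.
check_baseline() {
    dir=$1; base=$2
    current=$(mktemp)
    build_baseline "$dir" "$current"
    changes=$(awk '
        NR==FNR { old[$2]=$1; next }
        { new[$2]=$1 }
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
        }' "$base" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Typical use from Checker (placeholders):
#   mount_main_ro /dev/sdaN /mnt/main
#   build_baseline /mnt/main /var/lib/checker/main.baseline   # first run
#   check_baseline /mnt/main /var/lib/checker/main.baseline   # later runs
```

The baseline file must live on Checker's partition, never under the tree being checked, which is exactly the separation the multiboot arrangement in the post provides.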