Re: [Hampshire] File Integrity Check

Author: Adrian Bridgett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] File Integrity Check
On Wed, Feb 6, 2008 at 17:16:05 +0000 (+0000), Russell Gadd wrote:
> I would like to set up a file integrity check as a security measure on a
> standalone (home) PC (I know this is closing the stable door after the horse
> has bolted). One problem with such measures is to avoid running it within a
> compromised system as any malware could interfere with the operation of the
> checking program or the signature database. I have an idea which is outlined
> below which may contain some fundamental flaws so I would welcome any
> comments.
Osiris uses a different technique - it asks the client for the details
of what it has, then compares these back on the central server. It
amazes me how many HIDS systems effectively store the data either on
the client or trust the client in some other way.

This obviously isn't completely foolproof, but it does raise the bar -
if the cracker has replaced /bin/bash for example, how do they know
the md5sum of the original (or the modification time)? It's possible,
but most attacks don't cover their tracks too well.

Personally I also run chkrootkit as well.

If I'm truly paranoid, then I'd reboot the client off known good
media and run the check against that.

Granted these all require two boxes, rather than just one. You could
run from a live-CD, store the database to USB key, then reboot back
into the normal OS. I have a tendency to think of commercial sized
systems rather than home sized systems :)

Adrian
--
Email: adrian@??? -*- GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution -*- www.debian.org
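The checking scheme discussed above (record each file's digest, size and mtime; keep that baseline off the checked system, e.g. on a USB key; compare on the next run) as an added Python example. It is not Adrian's code nor Osiris's; demo() builds a constructed temporary tree and a simulated USB directory, and the file names in it are assumed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes the checker compares: SHA-256 digest, size and mtime."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}

def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed files; any differing attribute counts."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in common if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed run: baseline a temp tree, store the baseline on separate
    (simulated USB) media, tamper with the tree, then re-check against it."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as usb:
        root, db = Path(host), Path(usb) / "baseline.json"
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        bash = root / "bin" / "bash"
        bash.write_bytes(b"original binary\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        db.write_text(json.dumps(build_baseline(root), sort_keys=True))
        # Tamper: replace bash with a same-sized file and restore its mtime,
        # as a cracker covering tracks might; the digest still gives it away.
        orig_mtime = bash.stat().st_mtime
        bash.write_bytes(b"trojaned binary\n")
        os.utime(bash, (orig_mtime, orig_mtime))
        (root / "bin" / "ls").write_bytes(b"added\n")   # unexpected new file
        (root / "etc" / "passwd").unlink()               # deleted file
        return compare(json.loads(db.read_text()), build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Because the baseline never lives on the checked host, a compromised system can alter what it reports but not what it is compared against, which is the property Adrian credits Osiris with.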