Re: [Hampshire] File Integrity Check

Author: James Courtier-Dutton
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] File Integrity Check
On 07/02/2008, Russell Gadd <russ.mail.lists@???> wrote:
> I would like to set up a file integrity check as a security measure on a
> standalone (home) PC (I know this is closing the stable door after the horse
> has bolted). One problem with such measures is to avoid running it within a
> compromised system as any malware could interfere with the operation of the
> checking program or the signature database. I have an idea which is outlined
> below which may contain some fundamental flaws so I would welcome any
> comments.
>


Depending on what distro you have, I will use the example of Debian.
You know which .deb packages you have installed. The .deb packages
have their own md5/sha checksums on the Debian side, so you will know
that the .deb packages are correct.
You then use a known good system to extract each of the .deb files,
and create a file list of each file, its version and the md5/sha
checksums.
If you don't know which versions you might have, you can do the file
list on multiple versions of the same package.
Once you have your checksum list, you can then use it to test the
suspect system.
I would create a live CD with the checksum list and script to check
every file on your destination system matches the checksums.
Alternatively, run the suspect system as a virtual machine, and use
the host system to scan the guest.
From this you might get a list of suspect files on the suspect system,
and you can then start analyzing them to see what sort of exploit
occurred.
One last thing that the checksum list will not cover, and that is the
partition table and boot sectors. Fortunately, those are unlikely to
change much, but a different check program is required to check those
because it will work at the sector level, and not the file system
level.

James
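One way to put the checksum-list check described above into practice, as an added example that is not part of the thread: a POSIX shell script that builds the manifest on a known-good tree and then compares a separately mounted suspect root against it. The directory layout and file names in the demo are constructed for illustration; in real use the list would come from the extracted .deb contents as James describes.

```shell
#!/bin/sh
# Added example, not from the thread: compare a suspect root filesystem
# (mounted read-only, e.g. from a live CD) against a manifest of
# "sha256sum  ./relative/path" lines produced on a known-good system.
# Layout and file names below are constructed for the demo.

# build_manifest ROOT OUT: hash every regular file under ROOT, storing
# paths relative to ROOT so the list applies to any mount point.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# check_manifest MANIFEST ROOT: report every manifest entry whose file is
# absent from ROOT or whose hash differs. Returns 0 only if everything
# matched. (Paths containing newlines are not handled.)
check_manifest() {
    manifest=$1; root=$2; status=0
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# demo: a constructed "known good" tree and a suspect copy in which one
# file was altered and one removed. Expected report:
#   MODIFIED ./bin/ls
#   MISSING  ./etc/hosts
demo() {
    good=$(mktemp -d); bad=$(mktemp -d)
    mkdir -p "$good/bin" "$good/etc"
    printf 'ls binary v1\n'        > "$good/bin/ls"
    printf 'sh binary v1\n'        > "$good/bin/sh"
    printf '127.0.0.1 localhost\n' > "$good/etc/hosts"
    build_manifest "$good" "$good.manifest"
    cp -R "$good"/. "$bad"/
    printf 'replaced ls\n' > "$bad/bin/ls"   # simulated tampering
    rm "$bad/etc/hosts"
    check_manifest "$good.manifest" "$bad"; rc=$?
    rm -rf "$good" "$bad" "$good.manifest"
    return $rc
}

if demo; then echo "no discrepancies"; else echo "discrepancies found (exit 1)"; fi
```

Files present on the suspect system but absent from the manifest are not reported by this check; a second pass with `find` over the mounted root, filtered against the manifest's path column, would list those.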