Re: [Hampshire] File Integrity Check

Author: Russell Gadd
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] File Integrity Check
Jon Fautley wrote:

<snip>
> Any half-competent malware/rootkit author should be checking for the
> existence of chkrootkit and friends, and "patching" them as required...

<snip>
> .... My normal "routine check" method is to pull down the
> chkrootkit tarball from the website, check the sig, unpack, and run
> from there - and delete it when I'm done. That way I can be "fairly
> sure" that it's not been tampered with.
>

This statement seems at odds with the one above. I think we are all agreed that if malware has got into your box you can't be sure of anything. The problem is that there are traps all along the way. Even if you are downloading files from a known repository your DNS might be poisoned so it goes to a rogue website. It is a question of how paranoid you want to be. Personally I wouldn't trust a "suspect" system to run a check on itself. This is why I am proposing to run a separate system to check the target system. The target system signatures would be set up when the system is built and not yet used.

I would probably not worry about compromised deb files if I was careful to use official sources or trustworthy mirrors. One question here is: does the dpkg system do the MD5 check automatically, or do I need to do this?

A live CD would be one method, perhaps with the signature database held on a floppy or USB stick since this would need updating regularly.

However, the reason I started the thread is that I'm ignorant of some basic facts about whether I can mount the target partition read-only without the checking system trying to alter something on this partition. I know this must be true if the target partition were on a CDR, as it's not physically writable; however, the kernel of my checking system knows it is CD9660 format, so it knows it can't write to it. However, if the target partition is an Ext3 partition, will the kernel leave it completely alone? Will it object to having files owned by a user it doesn't recognise? Are there any other potential gotchas? I was hoping to get some comfort that these concerns are groundless. I suspect they are, otherwise the live CD method would presumably also suffer the same problems - unless, of course, part of the art of writing utilities like Tripwire is to counter such problems.

Russell
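As an added example (not from Russell's post or anything else in the thread), here is a POSIX shell sketch of the "separate system checks the target" routine the post describes: a sha256 baseline is recorded while the target is freshly built and still trusted, and later the same tree is verified from a second system. The mount helper addresses the read-only question raised above: on ext3, `ro` alone still lets the checking kernel replay an unclean journal at mount time, which writes to the device, so the helper also passes `noload` (ext4 and xfs use `norecovery`). The device path, mount point and baseline location are assumptions; the baseline and verify functions need no root and work on any directory tree.

```shell
#!/bin/sh
# Added example, not from the thread: baseline-and-verify routine for checking
# a target filesystem from a separate, trusted system.  Device, mount point and
# baseline path below are assumptions.
set -u

# Mount the target so the checking kernel cannot write to it.  'ro' alone is
# not enough for ext3: an unclean journal is replayed at mount time, which
# writes to the device.  'noload' stops ext3 from touching the journal
# (ext4 and xfs use 'norecovery').  Ownership is stored on disk as numeric
# uids, so users unknown to the checking system only affect how 'ls' names
# them.  Needs root; it is not invoked when this file is run as-is.
mount_target_readonly() {
    dev="$1"; mnt="$2"        # e.g. /dev/sdb1 /mnt/target (assumed)
    mount -t ext3 -o ro,noload "$dev" "$mnt"
}

# Record "sha256  ./path" for every regular file under $1 into $2.  Paths are
# relative to the tree root, so a baseline made at build time (root = /)
# still matches when the same partition is mounted elsewhere later.  Output
# is sorted by path so two runs over identical trees produce identical files.
build_baseline() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# Compare tree $1 against baseline $2.  Prints CHANGED / ADDED / REMOVED lines
# and returns 0 only when the tree matches the baseline exactly.
verify_baseline() {
    root="$1"; base="$2"
    tmp=$(mktemp -d) || return 2
    build_baseline "$root" "$tmp/current"
    sort "$base"         > "$tmp/base.lines"
    sort "$tmp/current"  > "$tmp/cur.lines"
    # column 67 onward is the path (64 hex chars plus two spaces precede it)
    cut -c67- "$base"        | sort > "$tmp/base.paths"
    cut -c67- "$tmp/current" | sort > "$tmp/cur.paths"
    comm -23 "$tmp/base.paths" "$tmp/cur.paths" | sed 's/^/REMOVED /'
    comm -13 "$tmp/base.paths" "$tmp/cur.paths" | sed 's/^/ADDED   /'
    # a baseline line with no exact match whose path still exists = new hash
    comm -23 "$tmp/base.lines" "$tmp/cur.lines" | cut -c67- | sort \
        | comm -12 - "$tmp/cur.paths" | sed 's/^/CHANGED /'
    diffs=$(comm -3 "$tmp/base.lines" "$tmp/cur.lines" | wc -l)
    rm -rf "$tmp"
    [ "$diffs" -eq 0 ]
}

# Typical use (assumed paths):
#   build_baseline /              /media/usb/target.sha256   # on the fresh system
#   mount_target_readonly /dev/sdb1 /mnt/target              # on the checker
#   verify_baseline /mnt/target   /media/usb/target.sha256
```

The baseline lives on removable media rather than on the target, as the post suggests for the signature database, so a compromise of the target cannot also rewrite the reference hashes; keeping the checker's own `sha256sum`, `find` and `comm` on the trusted system is what lets the check mean something even when the target's own binaries have been patched.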