humlug

Re: chkrootkit ... the really bad news

To: george@xxxxxxxxxxx, "linux@xxxxxxxxxxxxxxxxxxxx" <linux@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: chkrootkit ... the really bad news
From: Alex Bame <alexbame@xxxxxxxxx>
Date: Wed, 3 Dec 2003 18:18:11 -0800 (PST)
--- George Mitchell <george@xxxxxxxxxxx> wrote:

> Alex,
>
> Unfortunately, it is not so simple.  The fact is the md5sums on a given
> binary are always in flux as the binary is updated.  They differ between
> distros and they change within a given distro whenever a critical
> security update is issued for that binary.  The only solution would be
> for chkrootkit to be customized for the distro in question and updated
> continuously.  I can tell you that, at least, for Mandrake Linux that
> simply is not happening.  Mandrake places chkrootkit in contribs and
> updates it only occasionally.  If you ask Mandrake, they will likely
> recommend that you protect yourself with something like tripwire, not
> chkrootkit.  Don't get me wrong, I have great respect for chkrootkit and
> consider it a useful tool.  But I would caution you that it is very
> unlikely that it does md5's on anything.  If it did, it would also have
> to contain its own integrated md5sum binary, since rootkits often
> compromise md5sum along with everything else.  Thus the issues are
> complex.  Once a system is compromised, getting it back, while possible,
> is extremely delicate, and that includes detecting the compromise as
> well.  Don't sell these crackers short, they are very good at what they
> do.  There is no way that the fix can be as simple as chkrootkit.  I
> always have it installed, and I use it, I just don't depend on it.
>
> George
>


Right, that's why I said you'd need to be able to put
the file with the checksums on some type of removable
media.  Since we're talking about building a bootable
mini-distro that will run these checks I don't think
it's unreasonable to suppose that this mini-distro
will have its own md5sum binary (or any other
binaries/libs that would be used for some other
hashing algorithm or the like) in order for the CD to
check on the integrity of your system.

To generate the file containing the hashes you could
use a quick shell script to get a list of files
installed by a given package or packages and step
through these files storing the hash for each.
Specifically for Mandrake I believe something on the
order of "for a in `rpm -ql some important packages`;
do md5sum $a >> known-good.list; done" should suffice.
I think the proper upgrade procedure in this case
would be to boot the integrity-check CD, validate your
current install, re-mount the volumes read-write,
chroot into the install, upgrade any packages,
re-generate the known good list, save it to your
removable media, and reboot the system.

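The hash-list generation and the boot-CD integrity check described above, written out as an added example (my own script, not code from the thread or from chkrootkit). It hashes the regular files a set of packages installed into a known-good list and later verifies the live files against that list using the coreutils `-c` mode. Assumptions: GNU coreutils `sha256sum` (the thread used `md5sum`, which has the same command line, but MD5 is not a sound choice against an adversary who can craft collisions), and `rpm` only for the package-based file list. The `demo` function exercises the same functions on a constructed temporary directory, so the script runs without rpm or a Mandrake system.

```shell
#!/bin/sh
# Added example, not code from the thread. Build a known-good hash list for the
# files a set of packages installed, then verify the running system against it.
# Assumes GNU coreutils sha256sum (md5sum has the same interface); rpm is only
# needed by gen_from_packages. Run the hash binary from the trusted boot medium,
# never the copy on the system being checked.
set -eu

# Read one path per line on stdin and append "hash  path" lines to the list $1.
# rpm -ql also prints directories and symlinks; only regular files are hashed.
gen_known_good() {
    out=$1
    : > "$out"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        sha256sum -- "$f" >> "$out"
    done
}

# Hash everything owned by the named packages, e.g.
#   gen_from_packages /mnt/usb/known-good.list coreutils procps net-tools
# The list must then live off the system (the thread's removable media).
gen_from_packages() {
    out=$1
    shift
    rpm -ql "$@" | gen_known_good "$out"
}

# Compare live files with the list. Returns 0 only if every file matches;
# sha256sum -c reports each changed or missing file as FAILED.
verify_known_good() {
    sha256sum --quiet -c "$1"
}

# Self-contained exercise on constructed files: a clean check must pass, and
# a replaced "binary" must be reported. Echoes "tamper detected" on success.
demo() {
    d=$(mktemp -d)
    printf 'original ls\n' > "$d/ls"
    printf 'original ps\n' > "$d/ps"
    printf '%s\n' "$d/ls" "$d/ps" "$d" | gen_known_good "$d/known-good.list"
    if ! verify_known_good "$d/known-good.list" >/dev/null 2>&1; then
        rm -rf "$d"; echo "clean system flagged"; return 1
    fi
    printf 'replaced ps\n' > "$d/ps"          # simulate a rootkit replacing ps
    if verify_known_good "$d/known-good.list" >/dev/null 2>&1; then
        rm -rf "$d"; echo "replacement missed"; return 1
    fi
    rm -rf "$d"
    echo "tamper detected"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

In the procedure from the reply, `gen_from_packages` is what runs after `chroot` and the package upgrade, and `verify_known_good` is what the boot CD runs first, with the list read from the removable media. `rpm -V` performs a similar comparison but trusts the rpm database on the checked disk, which is exactly what a rootkit can alter, so a list kept off the machine is the stronger check.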
