[vox-tech] Verify Ubuntu files

Rick Moen rick at linuxmafia.com
Wed Aug 13 02:03:40 PDT 2008


Quoting Bill Broadley (bill at cse.ucdavis.edu):

> Assuming you took reasonable precautions, maintained physical security
> and had zero or just ssh port open you should be fine.  

I'll bet buggy Web apps are common vectors.  ;->


[kernel-based rootkit implementations prevail]

> So local tripwire, local package database, or even a remote 
> network mount is basically useless.

Doing any IDS check from known-good boot media is obviously far better
(where one can afford the downtime), and the only way any integrity
check of the boot chain can possibly hope to be reliable.

> Booting known good media is much better, although even then it's
> pretty trivial to subvert.

Oh, do tell.

> Of course it's relatively trivial to hack a machine, not change a single 
> binary, and open up a back door.

I assume you mean that _if_ you have cracked a machine, it's easy to
avoid changing the binaries, and yet open a back door.  However, you
must make a critical change to system configuration to make that
persist, which change then is part of the forensic trail.

> One nice thing about CDR is that it auto updates, every patch happens
> securely, much better than running tripwire locally where step #3 for
> hacking a system is to find tripwire and include your backdoors when
> it's run so that the next time the admin runs a patch and approves a 500
> file update the backdoor will be included.

That would be a rather careless sysadmin who doesn't detect the fact
that the TW policy file has been altered.  All of the thing's files, you
may recall, are crypto-signed, right down to the reports -- and that
would be pretty pointless if you didn't always (at minimum) use its
siggen utility from read-only media to check them.  Even at that, it's 
theoretically possible that a subverted runtime system (not rebooted to
known-good media) could jigger the siggen checks to make it lie and
report the expected hash values, but I'll believe that when I see it.

(FWIW, I don't like Tripwire:  Too slow, far too much hassle to admin,
too crufty; but I'm glad to give credit for what they did thoughtfully.)
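As an added example, not code from this thread or from Tripwire itself: a small baseline/verify pair in the spirit of the signed database and siggen check described above. The manifest is authenticated with an HMAC, so an intruder who swaps a binary and then edits the recorded hash to match still fails the check. It assumes the key is kept only on the read-only media and, as the thread says, is only meaningful when run from known-good boot media, since a subverted running kernel could feed it false file contents.

```python
import hashlib, hmac, json, os, pathlib, tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries don't hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, key):
    """Hash every file under root; HMAC the manifest with a key assumed to live only on the read-only media."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            entries[os.path.relpath(p, root)] = hash_file(p)
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_baseline(root, baseline, key):
    """Reject a manifest whose HMAC fails; otherwise list missing or changed files."""
    body = baseline["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        raise ValueError("baseline manifest has been altered")
    return sorted(rel for rel, digest in json.loads(body).items()
                  if not os.path.isfile(os.path.join(root, rel))
                  or hash_file(os.path.join(root, rel)) != digest)

def demo():
    # Constructed scenario: a binary is replaced, then the intruder edits the
    # manifest's recorded hash to match; the HMAC check catches that edit.
    key = b"constructed-demo-key-kept-on-ro-media"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/ls", b"original ls"), ("etc/passwd", b"root:x:0:0")):
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        baseline = build_baseline(root, key)
        trojan = pathlib.Path(root, "bin/ls")
        trojan.write_bytes(b"trojaned ls")
        changed = verify_baseline(root, baseline, key)   # -> ['bin/ls']
        doctored = dict(baseline, body=baseline["body"].replace(
            json.loads(baseline["body"])["bin/ls"], hash_file(trojan)))
        try:
            verify_baseline(root, doctored, key)
            tampered = False
        except ValueError:
            tampered = True
    return changed, tampered
```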

