Hi... I've been wishing for a nice, largely automated, untamperable Debian auditing tool. Whenever I get paranoid about a box, I'd like some kind of check that didn't require vast amounts of forethought and effort.
Basically, I started reading the tripwire documentation, stopped, and thought "Debian ought to make this *much* simpler". It seemed that if I wanted to use tripwire, I'd need to tell it every time I was installing a new package. I'd then need to update a record on read-only media...

Debsums seems to help a little bit - you can expect to catch some less-clueful intruders with it, but it doesn't help in general.

What I'd really like is this: A CDROM or boot floppy with a clean kernel, which downloads a set of clean md5sums from a trusted server, and checks those. It could then produce a list of modified configuration files, which one would need to check by hand.

Extra snazzy features, which might or might not be worth the effort, would include:

* Kernel "trojan scans" for all known nasty kernel code.
* Debian security servers - these could keep a record of which config file changes you've okayed. They might also allow you to checksum customised kernels to make sure they haven't changed. Keeping these servers hyper-secure is, of course, an issue. The CD might have keys for known "public service" security servers, or sites could run their own and burn the CDs to recognise them. This facility might also be nifty for backups...
* Heuristic analysis scripts to look for funny things in users' home directories, such as SETUID stuff and questionable aliases in .bashrc, for example (although this can never be perfect).

Does a tool like this exist already? If not, what do people think of the idea?

--
|> |= -+- |= |> | |- | |- |\
Peter Eckersley ([EMAIL PROTECTED])
http://www.cs.mu.oz.au/~pde
for techno-leftie inspiration, take a look at http://www.computerbank.org.au/
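The core of the check the post describes (a clean boot, trusted md5sums, a list of what differs), as an added example that is not part of the original post: a POSIX sh script that compares a suspect Debian root, mounted read-only from clean media, against a trusted copy of dpkg's per-package .md5sums lists, and separates edited conffiles from other modified files. It assumes GNU md5sum and that the trusted lists also cover conffiles (the stock .md5sums in most packages leave them out); the package name `demo`, the paths and the tree built by `build_sample` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. check_root ROOT INFO compares
# the suspect system mounted at ROOT against INFO, a trusted copy of
# /var/lib/dpkg/info (e.g. on read-only media). Assumes GNU md5sum and
# that the trusted .md5sums lists include conffiles (stock ones omit them).

check_root() {
    root=$1 info=$2
    for list in "$info"/*.md5sums; do
        pkg=$(basename "$list" .md5sums)
        conffiles="$info/$pkg.conffiles"
        # each .md5sums line is "<md5>  <path relative to />"
        while read -r sum path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING $pkg /$path"
                continue
            fi
            actual=$(md5sum < "$file" | cut -d' ' -f1)
            [ "$actual" = "$sum" ] && continue
            # conffiles are listed with a leading slash; a changed one is
            # probably a local edit, but still needs a look by hand
            if [ -f "$conffiles" ] && grep -qxF "/$path" "$conffiles"; then
                echo "CONFFILE $pkg /$path"
            else
                echo "MODIFIED $pkg /$path"
            fi
        done < "$list"
    done
}

# Constructed sample: one package, snapshotted while clean, then tampered with.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin" "$d/root/etc" "$d/root/usr/share/demo" "$d/info"
    printf 'clean binary\n' > "$d/root/usr/bin/demo"
    printf 'setting=1\n' > "$d/root/etc/demo.conf"
    printf 'readme\n' > "$d/root/usr/share/demo/README"
    printf 'other\n' > "$d/root/usr/share/demo/other"
    (cd "$d/root" && md5sum usr/bin/demo etc/demo.conf \
        usr/share/demo/README usr/share/demo/other) > "$d/info/demo.md5sums"
    printf '/etc/demo.conf\n' > "$d/info/demo.conffiles"
    printf 'trojan\n' >> "$d/root/usr/bin/demo"    # binary altered
    printf 'setting=2\n' > "$d/root/etc/demo.conf" # conffile edited locally
    rm "$d/root/usr/share/demo/README"             # file removed
    echo "$d"
}
```

On a real box you would run `check_root /mnt/suspect /media/cdrom/dpkg-info` from the clean boot; `d=$(build_sample); check_root "$d/root" "$d/info"` exercises the constructed sample, which reports one MODIFIED, one CONFFILE and one MISSING line and stays silent about the untouched file.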