Andy,

Sounds like you're looking for debsums[1]?

A CD/DVD is possible but doesn't allow fingerprint updates. I know that certain Sony MemorySticks are equipped with an rw/ro switch. So a card reader or USB thumb drive makes it possible to only use 1 medium instead of two and it still has the read-only security.

[1] http://packages.debian.org/stable/admin/debsums

Cheers,

Daniel van Eeden

On Sun, 2007-06-24 at 15:23 +0100, andy baxter wrote:
> hello,
>
> I am writing to ask what you think of the following idea? Something that
> I would like to see is a bootable CDROM which can check all the packages
> on a debian system. My idea is that it would work roughly as follows:
>
> - You halt the machine and put in a bootable CD, then reboot.
> - The machine boots from the CD, which is read-only and known to be good.
> - It boots into a minimal linux system which will do nothing but the
> following:
> - ask you whether you are booting for the first or second time.
> - Read a floppy or other removable media to find configuration
> information for the machine being checked.
> - Read the host machine's hard drive to find a list of all installed
> packages.
> - Connect once to the network to retrieve a list of files and their
> checksums for each of these packages from a debian server. This list
> could be saved either to a designated partition on the hard drive, or to
> removable media.
> - Disconnect from the network.
> - Reboot itself.
> - The second time round, don't connect to the network.
> - instead, check all the binaries (and optionally config files) against
> the checksums.
> - generate some kind of easy to read report on screen, or else save it
> to removable media.
>
> Do you think this would work (i.e. be a good check on whether your
> system has been compromised), and is it worth doing? I'm not sure if I
> have the skills to take on something like this all by myself, but I
> would be willing to put some time in to help where I can if anyone else
> wants to have a go at it.
>
> Alternatively, if people don't think it's worth your while developing
> something like this, where should I start looking to try to put it
> together myself, and is there anyone at debian who might be able to help
> me?
>
> yours,
>
> andy baxter.
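The second-boot step of the proposal above (checking files on the mounted disk against a previously saved checksum list), as an added example that is not part of the original messages. It assumes the saved list uses the `<md5>  <relative path>` layout of dpkg's md5sums files, which is what debsums reads; the function names and the demo files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse '<32 hex digits>  <path relative to />' lines into {path: md5}."""
    manifest = {}
    for line in filter(str.strip, text.splitlines()):
        digest, path = line.split(None, 1)
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError("bad checksum line: %r" % line)
        manifest[path.strip().lstrip("/")] = digest
    return manifest

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, manifest):
    """Return {path: 'ok' | 'modified' | 'missing' | 'outside-root'}."""
    root = os.path.realpath(root)
    report = {}
    for rel, expected in sorted(manifest.items()):
        target = os.path.realpath(os.path.join(root, rel))
        # Symlinks on the suspect disk must not redirect the check off that disk.
        if os.path.commonpath([root, target]) != root:
            report[rel] = "outside-root"
        elif not os.path.isfile(target):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if md5_of(target) == expected else "modified"
    return report

def demo():
    """Check a constructed 'mounted disk' against a constructed trusted list."""
    good = {"ls": b"ls v1", "ps": b"ps v1", "su": b"su v1", "cat": b"cat v1"}
    trusted = "\n".join("%s  bin/%s" % (hashlib.md5(d).hexdigest(), n)
                        for n, d in good.items())
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", b"ls v1"), ("ps", b"ps TAMPERED")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        os.symlink("/etc/hostname", os.path.join(root, "bin", "su"))
        return verify(root, parse_md5sums(trusted))
```

The check is only as trustworthy as the saved list and the medium it is read from, which is why the thread discusses read-only media for both.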