On Wed, 13 Feb 2002, Seth Arnold wrote:

> If this is for one of your own machines, wouldn't it be far simpler to
> replace rpm's --verify handler with a function that always returns
> "this package looks fine" ?

no, it wouldn't. i used to think this, too. however, even on your unhacked
redhat boxes that you use a few MD5 sums come up missing, cuz they're
volatile or config files. ie sendmail.cf. an attacker would notice that
NOTHING gets noticed and hence would become suspicious.

<laughs> ok, smart attackers, you know, that rumored kind. </seen too many
script kiddies>

i whipped up a small tool to do this, modify an RPM database. just peruse
the RPM API and make a small app to do it. pretty simple to do, really.
alternatively, use a LRK4 style config file to tell rpm what files to
ignore for various items (ie MD5 sums).

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
