On 09/ 9/10 02:17 PM, [email protected] wrote:
> On Thu, Sep 09, 2010 at 02:12:05PM -0700, Shawn Walker wrote:
>> On 09/ 9/10 02:02 PM, [email protected] wrote:
>>> ...
>>> IMO, the case for verifying compromised systems duplicates functionality
>>> already implemented in bart(1) and tripwire, but I'm willing to listen
>>> to reasonable arguments to the contrary.
>>
>> The problem with relying on bart(1) and tripwire is that pkg(5)
>> drives system updates using elfhash as opposed to the standard file
>> digest mechanism that other utilities use.
>> That makes it difficult to use tools other than pkg(1) to verify the system.
>
> Understood, but in order for this to work correctly, we'd have to save
> an entire snapshot of the pkg metadata after every image modifying
> operation. At that point, you may as well just re-generate the bart(1)
> or tripwire databases based upon the state of the image after the
> update.

We've talked about adding functionality in the past to recover from a
corrupted or destroyed /var/pkg directory. Such functionality would
analyse the system and based on the source repositories the user
provided, would rebuild the set of installed packages based upon
matching fingerprints.
However, that's still an educated guess at best since if the system has
been compromised, it's unlikely that the installed files will match the
digests from the various package manifests.
-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss