Re: Missing debsums and mismatches

2005-06-24 Thread Paul Gear
Fredrik Demonen Vold wrote:
> ...
> I've just installed debsums and ran it to see if there was any oddness.
>
> Output of a silent run follows below the message.
>
> My question is:
> Should I be alarmed about so many packages not having md5sums?

Should you be alarmed?  Yes.  Is it unusual?  No.  In my experience of
running sarge, there are a lot of packages like this.

There is a mitigation against this: install debsums early!  It includes
this in /etc/apt/apt.conf.d/90debsums:
  DPkg::Post-Invoke { "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi"; };

This means that any packages you install subsequently will have their
debsums generated for them if they are missing.

> ...
> I'm sure all this is just paranoia, but maybe there should be a list
> of stuff that has no md5sum?

That would be an improvement from my perspective (i'm just a user of
Debian, not a developer).

> Maybe there is one, and I'm just ignorant to that fact?

Possibly - if you find out about one, please let me know!  :-)

> ...
> Could somebody please explain to me a situation where an MD5sum change
> is OK when I'm sure I haven't touched the file in question?

I haven't seen that happen on my systems (that i know of).

> ...
> And finally:  Shouldn't packages like 'make' and 'sed' have checksums
> generated?

Yes.  ;-)

> chkrootkit has nothing to report in quiet mode, but it has external
> dependencies (sed is one of them), so I'm not really trusting it right
> now.
> Of course, it does find some dotdirs, and it seems chkrootkit is even
> more paranoid about dotdirs than I am ;-)

I found that as well, so i decided to run chkrootkit through a tool that
does a diff every night in cron.  I do this with a script i created
called tracker.  You can get it by putting
deb http://apt.gear.dyndns.org/ binary/
in your /etc/apt/sources.list and running 'apt-get install tracker'.

I'd be interested in feedback on tracker if you try it.  Many of the
configuration files it uses are targeted at getting useful security
information without being overwhelmed.

-- 
Paul
http://paulgear.webhop.net
--
Did you know?  Microsoft Internet Explorer and Outlook have a poor track
record for security http://www.kb.cert.org/vuls/id/713878.  Why not
try one of the more secure alternatives from http://mozilla.org?




Re: Missing debsums and mismatches

2005-06-24 Thread Arthur de Jong


You could also do something like this to generate md5sums for packages 
that don't have them yet:

  cd /var/cache/apt/archives
  apt-get --download-only --reinstall install `debsums -l`
  debsums --generate=keep,nocheck *.deb
(redownload all deb packages that do not have md5sums and generate them)

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --

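
What the two checks discussed in this thread amount to (which packages ship no md5sums, and whether a package's files still match the sums it has), as an added example that is not part of the original messages or of debsums itself. The function names are made up for the example; it assumes the dpkg layout of <pkg>.list and <pkg>.md5sums files in one directory, with paths in the md5sums file relative to the filesystem root.

```shell
#!/bin/sh
# Added example: works on any directory laid out like /var/lib/dpkg/info.

# list_unsummed INFO_DIR
# Print every package that has a file list (<pkg>.list) but no
# non-empty <pkg>.md5sums, i.e. the packages that cannot be verified.
list_unsummed() {
    for list in "$1"/*.list; do
        [ -e "$list" ] || continue      # glob did not match anything
        pkg=$(basename "$list" .list)
        [ -s "$1/$pkg.md5sums" ] || printf '%s\n' "$pkg"
    done
}

# verify_pkg INFO_DIR PKG ROOT
# Compare the files of one package under ROOT with its md5sums file.
# Prints one line per problem; returns 0 only if every file matches,
# 1 on a missing or changed file, 2 if the package has no md5sums.
verify_pkg() {
    sums="$1/$2.md5sums"
    [ -s "$sums" ] || { printf '%s: no md5sums\n' "$2"; return 2; }
    status=0
    # Each line is "<md5 hex>  <path relative to root>".
    while read -r want path; do
        if [ ! -f "$3/$path" ]; then
            printf '%s: MISSING %s\n' "$2" "$path"; status=1
            continue
        fi
        have=$(md5sum < "$3/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf '%s: CHANGED %s\n' "$2" "$path"; status=1
        fi
    done < "$sums"
    return $status
}
```

On a Debian system the calls would be `list_unsummed /var/lib/dpkg/info` and, for example, `verify_pkg /var/lib/dpkg/info sed /`. Sums generated locally after installation only record the state of the files at that moment, and they sit on the same disk as the files they describe, so a match shows the files are unchanged since generation and nothing more.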



Re: Missing debsums and mismatches

2005-06-24 Thread Peer Janssen



> > ...
> > And finally:  Shouldn't packages like 'make' and 'sed' have checksums generated?
>
> Yes.  ;-)

This could be included in the famous automatic build and/or packaging
system, couldn't it?


And/or there could be an automatic email warning to a developer 
uploading a package without the appropriate md5sum (or a false one).


Or so.

Peer





Re: Missing debsums and mismatches

2005-06-24 Thread Fredrik "Demonen" Vold
> > And finally:  Shouldn't packages like 'make' and 'sed' have checksums
> > generated?
> Yes.  ;-)

Are they supposed to have sums?

Also, I should probably mention that this is a Sid system and it's so
far from prodcution I don't even have to spell it correctly.  I just
don't want it to become a spamsource.

I've investigated the changed stuff, and they can now all be put on
the "phew, nothing to worry about" list.  Another guy with legitimate
root access to the same box has been poking around without noting it
in our "I did this" log.
It'll be quick.  I've heard you never feel the shot when it's in the
back of the neck.  ;-)

The reinstall of the unsummed packages will commence once some more
stuff on actual production boxen is taken care of.

Don't be alarmed, I'm not The Primary Root on any production box, just
learning, testing, prodding and breaking. ;-)

Thank you for all your responses.

Oh, and Paul, thanks for the offer, but a homebrew daemon is already
in the works.
I need network monitoring ability of this behaviour as well.

-- 
Fredrik Demonen Vold
/*
- Do not meddle in the affairs of dragons, for you are crunchy and
good with ketchup.
*/