Re: How reliable is "debsums"?
On Thu, Sep 26, 2002 at 06:14:23PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Thu, Sep 26, 2002 at 08:45:56AM -0400, Matt Zimmerman wrote:
> >
> > Sounds nice. I tried tiger for a short time, but received far too many
> > notifications about things which were not wrong, for Debian or for many
> > other systems.
>
> Yes, it needs some improvement yet. Did you try the "notify me
> only of new stuff" functionality though?

I did, and that helped some. I also found the process of excluding certain
checks and such to be inconvenient. I will continue to look at it from time
to time, but I would not like to install it on a large number of servers at
this point.

--
 - mdz
Re: How reliable is "debsums"?
On Thu, Sep 26, 2002 at 08:45:56AM -0400, Matt Zimmerman wrote:
>
> Sounds nice. I tried tiger for a short time, but received far too many
> notifications about things which were not wrong, for Debian or for many
> other systems.
>

Yes, it needs some improvement yet. Did you try the "notify me only of new
stuff" functionality though?

Javi
Re: How reliable is "debsums"?
On Thu, Sep 26, 2002 at 09:54:28AM +0200, Javier Fernández-Sanguino Peña wrote:
> On Wed, Sep 25, 2002 at 03:59:05PM -0400, Matt Zimmerman wrote:
> >
> > The same applies for any intrusion detection tool, including the ones you
> > mention below.
> (...)
> Not quite exact.

You took this sentence out of context. The preceding paragraph was:

> > If you want to use debsums as an intrusion detection tool (that is not
> > its sole purpose), then you must save a trusted copy of the dpkg
> > database (/var/lib/dpkg) and run a trusted copy of debsums against that
> > within a trusted execution environment.

And that absolutely _does_ (yes, quite exact) apply to all such tools.
Whether they are looking for previously calculated checksums, or for rootkit
signatures, if their database is not trusted, then it could have been
completely disabled by an attacker at any point in the past without your
knowledge.

> Integrit yes. Tiger yes/no. As a matter of fact tiger has:
>
> 1.- a module to check against known vulnerable checksums (not updated for
> Debian)
> 2.- a module that uses tripwire
> 3.- a module that uses debsums
>
> User can run whichever he likes best. Just FYI.

Sounds nice. I tried tiger for a short time, but received far too many
notifications about things which were not wrong, for Debian or for many
other systems.

--
 - mdz
Re: How reliable is "debsums"?
On Wed, Sep 25, 2002 at 03:59:05PM -0400, Matt Zimmerman wrote:
>
> The same applies for any intrusion detection tool, including the ones you
> mention below.
(...)

Not quite exact.

> debsums attempts to detect files which are different from the versions which
> were originally installed from .deb archives. Stuff like tiger and integrit
> attempt to detect files which are different from the versions which were
> installed at some point in the past.
>

Integrit yes. Tiger yes/no. As a matter of fact tiger has:

1.- a module to check against known vulnerable checksums (not updated for
Debian)
2.- a module that uses tripwire
3.- a module that uses debsums

User can run whichever he likes best. Just FYI.

Regards

Javi
Re: How reliable is "debsums"?
On Wed, Sep 25, 2002 at 11:09:14AM +0200, Kristian wrote:
> I suppose that if someone managed to get into a machine, he could simply
> regenerate the md5 checksums after modifying "ls, ps, top and friends".

If you want to use debsums as an intrusion detection tool (that is not its
sole purpose), then you must save a trusted copy of the dpkg database
(/var/lib/dpkg) and run a trusted copy of debsums against that within a
trusted execution environment. The same applies for any intrusion detection
tool, including the ones you mention below.

> Just another question: could anyone suggest a way to automate checks with
> debsums? And why should I use debsums instead of simply running stuff like
> tiger or integrit? I don't get it.

debsums attempts to detect files which are different from the versions which
were originally installed from .deb archives. Stuff like tiger and integrit
attempt to detect files which are different from the versions which were
installed at some point in the past.

--
 - mdz
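The procedure Matt describes, as an added example that is not part of the thread and not debsums' own code: snapshot /var/lib/dpkg to a location the host cannot later tamper with, then verify the installed files from a trusted environment (for instance a rescue system with the suspect disk mounted under /mnt) against that snapshot rather than the live database. It drives GNU md5sum -c directly, because the info/*.md5sums files are already in md5sum's own "digest, two spaces, path relative to /" format, so it works even where the rescue media carries no debsums; debsums itself accepts -d/--admindir and -r/--root for the same purpose. Packages that ship no md5sums file are reported separately, since nothing can be verified for them. The function names, the script name and the /media/trusted path are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not debsums code): verify installed
# files against a trusted snapshot of the dpkg database, from a trusted
# environment. Assumes GNU coreutils md5sum; the md5sums file format
# ("<hex digest>  <path relative to root>") is what md5sum -c reads.

# Copy the dpkg database (normally /var/lib/dpkg) to a destination the host
# cannot tamper with afterwards, e.g. removable media later mounted read-only.
snapshot_dpkg_db() {
    src=$1
    dest=$2
    mkdir -p "$dest" && cp -Rp "$src/." "$dest/"
}

# Packages present in the database that ship no md5sums file: they are
# installed, but there is no checksum to verify their files against.
list_unchecked_packages() {
    admindir=$1
    for list in "$admindir"/info/*.list; do
        [ -f "$list" ] || continue
        pkg=${list##*/}
        pkg=${pkg%.list}
        [ -f "$admindir/info/$pkg.md5sums" ] || printf '%s\n' "$pkg"
    done
}

# Check every package's md5sums from the snapshot against the files under
# $root (/ on the live system, or e.g. /mnt from a rescue boot).
# Prints "<package>: <path>: FAILED..." per mismatch and returns 1 if any.
verify_against_db() {
    admindir=$(cd "$1" && pwd)   # absolute, because we cd into $root below
    root=${2:-/}
    bad=0
    for sums in "$admindir"/info/*.md5sums; do
        [ -f "$sums" ] || continue
        pkg=${sums##*/}
        pkg=${pkg%.md5sums}
        # md5sum -c prints "<path>: FAILED" (or "FAILED open or read") on
        # stdout for each mismatching or missing file; its summary goes to stderr.
        failed=$(cd "$root" && md5sum -c "$sums" 2>/dev/null | grep ': FAILED' || true)
        if [ -n "$failed" ]; then
            printf '%s\n' "$failed" | while IFS= read -r line; do
                printf '%s: %s\n' "$pkg" "$line"
            done
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Command-line use (a no-op when the file is sourced only for its functions):
#   sh verify_trusted.sh snapshot  /var/lib/dpkg /media/trusted/dpkg
#   sh verify_trusted.sh unchecked /media/trusted/dpkg
#   sh verify_trusted.sh verify    /media/trusted/dpkg /mnt
case "${1-}" in
    snapshot)  snapshot_dpkg_db "$2" "$3" ;;
    unchecked) list_unchecked_packages "$2" ;;
    verify)    verify_against_db "$2" "${3:-/}" ;;
esac
```

Take the snapshot right after installation or a trusted upgrade, and take it again after every legitimate package change; otherwise the verify step reports every updated file as a mismatch, which is the same noise problem the thread raises about tiger.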
Re: How reliable is "debsums"?
Justin Ryan wrote:
> Use both! One advantage of debsums is that you can compare md5sums
> against a package, rather than just the system db.

If you already have a .deb file to compare, you don't need debsums, just use
this command:

joey@dragon:~/bin>cat verifydeb
#!/bin/sh
dpkg --fsys-tarfile $1 | tar -C / -d

--
see shy jo
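Joey's verifydeb generalized, as an added example that is not part of the thread: the same dpkg --fsys-tarfile | tar -d comparison, split so that the package's tar stream can be checked against any root (the suspect disk mounted under /mnt from a rescue boot, for instance) and so that the result is an explicit exit status plus a list of differing paths rather than whatever tar happens to print. It assumes GNU tar (the -d/--diff mode, with the archive passed explicitly as -f -) and dpkg's --fsys-tarfile as used above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare a .deb's payload against the
# files on a root, building on the verifydeb one-liner above.
# Assumes GNU tar (-d / --diff) and dpkg --fsys-tarfile.

# Compare the tar stream on stdin with the files under $1 (default /).
# GNU tar -d reports each mismatch on stderr, one line per finding, e.g.
#   tar: ./usr/bin/ls: Contents differ
#   tar: ./usr/bin/ls: Mod time differs
#   tar: ./usr/bin/ls: Warning: Cannot stat: No such file or directory
# Print those lines and return 1 if there were any, otherwise return 0.
diff_tar_against_root() {
    root=${1:-/}
    report=$(tar -C "$root" -df - 2>&1 | grep -E 'differ|Cannot stat' || true)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stream the package's data archive (exactly what dpkg would unpack) into
# the comparison. The .deb should come from a trusted mirror or media, and
# the dpkg and tar used here must be trusted too, e.g. run from a rescue
# system rather than from the host being checked.
verifydeb() {
    deb=$1
    root=${2:-/}
    dpkg --fsys-tarfile "$deb" | diff_tar_against_root "$root"
}

# Usage: sh verifydeb.sh package.deb [/mnt]   (no-op when run without arguments)
if [ $# -ge 1 ]; then
    verifydeb "$1" "${2:-/}"
fi
```

Because tar -d also compares mode, owner and mtime, a "Mod time differs" line on a file whose contents match usually means a local edit or a re-install rather than a trojaned binary; the "Contents differ" and "Cannot stat" lines are the ones to act on.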
Re: How reliable is "debsums"?
Hi,

Justin Ryan wrote:
>
> Use both! One advantage of debsums is that you can compare md5sums
> against a package, rather than just the system db. If you fear that
> something may have been modified, you can download the .deb file and
> bypass anything that an attacker could modify. Of course, the debsums
> binary could be modified to never report that anything has changed, but
> every little bit helps..

Well, just download a modified .deb file and see if the program says there
has changed something.

In addition I have a tripwire-db, so whenever I want to be really sure, I can
boot from cd-rom and compare the harddisk with my tripwire-db, which is not
on the harddisk.

Regards,
Ralf Dreibrodt
Re: How reliable is "debsums"?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Justin Ryan wrote:
> Use both! One advantage of debsums is that you can compare md5sums
> against a package, rather than just the system db. If you fear that
> something may have been modified, you can download the .deb file and
> bypass anything that an attacker could modify. Of course, the debsums
> binary could be modified to never report that anything has changed, but
> every little bit helps..

This isn't really reliable, because many important packages lack md5sums.
AFAIR it is optional to generate the md5sums in packages.

- - Alexander

- --
"fighting for peace is like fucking for virginity"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9kYSxFBE43aPkXWYRAn+sAJ93CgkgTYxI/nLRAWfXLQvDt+dxywCfVEWb
04jukmfaQ7bey0kHGEnM3y4=
=y/CA
-----END PGP SIGNATURE-----
Re: How reliable is "debsums"?
On Wed, 2002-09-25 at 04:09, Kristian wrote:
> I suppose that if someone managed to get into a machine, he could simply
> regenerate the md5 checksums after modifying "ls, ps, top and friends".

Quite Possibly. It is not a bulletproof solution, but can be useful..

> Just another question: could anyone suggest a way to automate checks
> with debsums? And why should I use debsums instead of simply running
> stuff like tiger or integrit? I don't get it.

Use both! One advantage of debsums is that you can compare md5sums
against a package, rather than just the system db. If you fear that
something may have been modified, you can download the .deb file and
bypass anything that an attacker could modify. Of course, the debsums
binary could be modified to never report that anything has changed, but
every little bit helps..

-Justin