Re: security idea - bootable CD to check your system

2007-06-25 Thread paddy
On Mon, Jun 25, 2007 at 08:23:21AM -0700, Russ Allbery wrote:
> Jim Popovitch <[EMAIL PROTECTED]> writes:
> > On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
> 
> >> The difference is that:
> 
> >> a) These all run on the live system they are trying to protect, 
> 
> > Unless you configure them to only write to an offline mount point that
> > is normally ro and only rw through external effort which is in
> > Tripwire's best practices.
> 
> That doesn't necessarily help.  It makes the attacker's task much more
> difficult, but it's still possible to binary-patch a running kernel in
> various ways to hide files from everything on the system, including
> tripwire.
> 
> You have to boot into a known-clean kernel in order to get a fully
> trustable integrity check.

I agree 100%, but ...

Another way of looking at it is to ask "how hard would this be to break?"

There aren't any real world "known clean" kernels, just ones we can
reasonably expect not to be infected by a specific problem.

Just like the compiler thing (reflections on trusting trust), in the
real world this has ultimately been underwritten by some obstacle course of
tough/impossible to follow steps, such as cross-arch compiles and
compiles from different compilers, and the expertise and judgment to
use this, along with eyes watching for trojans in the source.

A similar story no doubt applies with kernels.

And then it is all too easy to assume that the underlying hardware is
not a problem.

But in practice being able to boot from known-clean (eg: read-only
media) is a gold-standard weapon in the armoury, and anything that
can help join the dots from there to "this installation is clean"
is invaluable. Having a strong chain of assurance is important.

Regards,
Paddy


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: security idea - bootable CD to check your system

2007-06-25 Thread Russ Allbery
Jim Popovitch <[EMAIL PROTECTED]> writes:
> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:

>> The difference is that:

>> a) These all run on the live system they are trying to protect, 

> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort which is in
> Tripwire's best practices.

That doesn't necessarily help.  It makes the attacker's task much more
difficult, but it's still possible to binary-patch a running kernel in
various ways to hide files from everything on the system, including
tripwire.

You have to boot into a known-clean kernel in order to get a fully
trustable integrity check.

-- 
Russ Allbery ([EMAIL PROTECTED])   




Re: security idea - bootable CD to check your system

2007-06-24 Thread Arthur de Jong
On Sun, 2007-06-24 at 19:01 +0200, Bernhard R. Link wrote:
> I had someone in the past considered this, too. First of all debsums's
> main advantage is looking for unintended changes (and it's indeed a shame
> so many of the important packages come without, that makes bad RAM or
> unreliable controllers a much larger hassle than they needed to be).

I have a /etc/apt/apt.conf.d/90debsums with:

DPkg::Post-Invoke { "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi"; };

But this is obviously on the system itself. Another pointer:

http://www.debian.org/doc/manuals/quick-reference/ch-package.en.html#s-debsums

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --



Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter

Stephan Wehner wrote:

>>> I have the impression there are projects already, that would do the
>>> job with some tweaking (tripwire, ..)
>>
>> Maybe, although I can't see how you get round the problem that you need
>> to update the checksum database every time you install new or updated
>> software.
>
> Ok, I see your problem: you want some other source, not your system,
> to hold the values (checksums) that ensure integrity. But you do not
> mind that it is online (not available when your system is not
> connected to the Internet).
>
> So when you run a security-check, and new software has been added, you
> might as well define a route to a place to hold the
> newly-to-be-calculated checksums (CD-ROM/USB stick, outside server
> where you can post/read, gmail-filesystem, etc).

The idea of doing it this way was that you can run a check at any time
without having to keep updating the checksum database yourself, because
it's automatically updated online whenever a new package comes out.

> A worthwhile ambition, where I still feel it'll be as hard to make it
> debian-only as not. Another point is that configuration files play a
> big part in the security of your system and a debian-only package
> checksum will not be able to capture the state of locally changed
> configurations. For example if your fstab says "mount this partition
> read-only" then you would like to be notified by your check if that
> has been changed (maliciously).

From what you and other people have said, I'm realising that running a
secure system isn't as simple as I had thought at first. What I'm
thinking of doing is putting this idea to the back of my mind for a
while, and meanwhile concentrating on learning how to secure my network
better with the existing tools. Hopefully, once I've got some experience
with this, then I'll be able to see a bit better how far the process can
be automated.


Thanks to everyone who has replied for your time.

andy baxter.







Re: security idea - bootable CD to check your system

2007-06-24 Thread Stephan Wehner

>> I have the impression there are projects already, that would do the
>> job with some tweaking (tripwire, ..)
>
> Maybe, although I can't see how you get round the problem that you need
> to update the checksum database every time you install new or updated
> software.

Ok, I see your problem: you want some other source, not your system,
to hold the values (checksums) that ensure integrity. But you do not
mind that it is online (not available when your system is not
connected to the Internet).

So when you run a security-check, and new software has been added, you
might as well define a route to a place to hold the
newly-to-be-calculated checksums (CD-ROM/USB stick, outside server
where you can post/read, gmail-filesystem, etc).

A worthwhile ambition, where I still feel it'll be as hard to make it
debian-only as not. Another point is that configuration files play a
big part in the security of your system and a debian-only package
checksum will not be able to capture the state of locally changed
configurations. For example if your fstab says "mount this partition
read-only" then you would like to be notified by your check if that
has been changed (maliciously).

Stephan







--
Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org



Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter

Stephan Wehner wrote:

> I'm wondering why you are looking only at debian packages. Should the
> integrity check not be designed to tell you about all software on your
> system?

To be honest, I forgot about this. I'm only running unmodified debian
packages, but I can see that other people might have systems which use
custom compiled software.

> Then:
>
> * Other Linux distributions would also benefit.
> * You get more feedback / input / contributions.
> * Your system is checked more thoroughly.
>
> I have the impression there are projects already, that would do the
> job with some tweaking (tripwire, ..)

Maybe, although I can't see how you get round the problem that you need
to update the checksum database every time you install new or updated
software.

andy


Re: security idea - bootable CD to check your system

2007-06-24 Thread Bernhard R. Link
* andy baxter <[EMAIL PROTECTED]> [070624 19:49]:
> Thanks for the encouragement. I've been looking into it a bit more, and
> I'm not sure that it would be possible for me to build this by myself,
> as it would need changes to the debian ftp archive to work. I.e. you
> would need there to be a retrievable list of filenames and checksums for
> every package in the debian 'pool' archive, which doesn't exist at
> present. E.g. for every '.deb' file, there would be a '.deb.sums' file
> in the same directory.

This is not needed. The only thing that is needed is some server having
them. And while this is low profile anyone would do.
Ideally everything within a stable release was already within the image,
so there is no need to activate the network. Once this eats enough
bandwidth to be a problem that means it is that much widespread that
there should be no problem to get it into Debian.

> You could avoid the problem of people adding files by also generating a
> list of all the files in certain directories (/bin, /lib, /usr) which
> don't match an installed package. This list should hopefully be small
> and manageable enough that someone could scan through it quickly to see
> if anything odd has changed

I don't think limiting to so few paths is enough. A little and hard to
spot modification in any init script or other programs config or data
files can cause something hidden elsewhere being executed.
And deciding if things are odd or not needs quite some experience.
And of course a single suid binary in a non-standard path called in one
user's init script also suffices to make the whole searching vain when
not found.

Hochachtungsvoll,
Bernhard R. Link



Re: security idea - bootable CD to check your system

2007-06-24 Thread Stephan Wehner

I'm wondering why you are looking only at debian packages. Should the
integrity check not be designed to tell you about all software on your
system?

Then:

* Other Linux distributions would also benefit.
* You get more feedback / input / contributions.
* Your system is checked more thoroughly.

I have the impression there are projects already, that would do the
job with some tweaking (tripwire, ..)

Plus, you might as well bundle the check with a backup-system, since
you are already looking at your system at rest, and no services are
running to worry about.

Stephan

--
Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org



Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter

Jim Popovitch wrote:

> On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
>> The difference is that:
>>
>> a) These all run on the live system they are trying to protect,
>
> Unless you configure them to only write to an offline mount point that
> is normally ro and only rw through external effort which is in
> Tripwire's best practices.
>
> -Jim P.

OK, this would work. The problem for me is that it would involve turning 
the media r/w and updating the database every time I run apt-get to 
install security updates, which I do once a week. If I was running a 
large server farm and I was looking after it full time, this would be 
OK, but my situation is that I have two machines, both for personal use, 
and I don't want to have to devote my entire life to looking after the 
security on them. The machines are a laptop for general use, and a 
server which I use for testing and demonstrating small web-based 
projects I do for people on a voluntary basis. They are connected to the 
internet by ADSL, with only the server set to accept incoming connections.


The other night, I had my laptop switched on and a sound file I had 
never heard before played through the speaker (it said 'hello' in 
someone else's voice). I'm assuming I've been cracked and it was 
someone's idea of a joke. I've halted the server in case that was their 
way in, and I'm planning to reinstall both my machines this week, but 
also looking for a more long term solution which I could put some time 
into now and save myself and anyone else who wants to use it a lot of 
trouble in the future.


What I'm looking for is a solution where I can do security updates every 
week, as my first line of defence, but then have a fallback way of 
detecting intrusions which I could run maybe every month, which doesn't 
need too much work to keep on top of it once it's been set up. I can 
probably find ways of improving my security using existing tools, but it 
occurred to me that the system I described would be a pretty watertight 
check on whether a system has been cracked, which is what I'm looking for.


andy baxter.



Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter
Thanks for the encouragement. I've been looking into it a bit more, and 
I'm not sure that it would be possible for me to build this by myself, 
as it would need changes to the debian ftp archive to work. I.e. you 
would need there to be a retrievable list of filenames and checksums for 
every package in the debian 'pool' archive, which doesn't exist at 
present. E.g. for every '.deb' file, there would be a '.deb.sums' file 
in the same directory. So unless someone at debian thinks it's a good 
enough idea to justify adding this information to the archive, I don't 
think it's going to happen as I originally thought. Another way to do it 
is to keep all of the package files that have been used to build the 
system on the machine's hard disk, check them first using the checksums 
in 'Packages.gz', and then retrieve the md5sums for the individual files 
from the locally archived packages.


You could avoid the problem of people adding files by also generating a 
list of all the files in certain directories (/bin, /lib, /usr) which 
don't match an installed package. This list should hopefully be small 
and manageable enough that someone could scan through it quickly to see 
if anything odd has changed.


As I said in my first email, I'm not sure if I'm up for trying to do 
this all by myself, but I'll let you know if I do make a start on it.


cheers,

andy

Bernhard R. Link wrote:

> * andy baxter <[EMAIL PROTECTED]> [070624 18:19]:
>> I've tried using debsums - however it's not really a good check on your
>> system because the program and the data it's using both come from the
>> system you are trying to check, so could be compromised. Also, it seems
>> to miss out many important packages - e.g. here's the standard error
>> output from a recent run of debsums on my server:
>
> I had someone in the past considered this, too. First of all debsums's
> main advantage is looking for unintended changes (and it's indeed a shame
> so many of the important packages come without, that makes bad RAM or
> unreliable controllers a much larger hassle than they needed to be).
>
> To make anything security relevant out of them, the CD would need to
> have checksums of the contents of those files (for the different
> versions of the packages) and the missing md5sum files on it.
>
> But even that would only make sure none of the official files are
> changed, while it is more easy to cause harm by simply adding stuff.
> (Even changing can happen by just uninstalling and putting the stuff
> manually in there).
>
> So the whole thing would have to be combined with something like a
> security focused checker (perhaps similar to cruft).
>
> That together with some code to automatically detect the system and
> use the right partitions at the right place would surely be a nice tool,
> but it would for sure be an enormous amount of work before anything
> half useful comes out of it.
>
> So good luck and let me know when it is finished. (Because I doubt
> anyone else will find the time to do it).
>
> Hochachtungsvoll,
> Bernhard R. Link


Re: security idea - bootable CD to check your system

2007-06-24 Thread Bernhard R. Link
* andy baxter <[EMAIL PROTECTED]> [070624 18:19]:
> I've tried using debsums - however it's not really a good check on your 
> system because the program and the data it's using both come from the 
> system you are trying to check, so could be compromised. Also, it seems 
> to miss out many important packages - e.g. here's the standard error 
> output from a recent run of debsums on my server:

I had someone in the past considered this, too. First of all debsums's
main advantage is looking for unintended changes (and it's indeed a shame
so many of the important packages come without, that makes bad RAM or
unreliable controllers a much larger hassle than they needed to be).

To make anything security relevant out of them, the CD would need to
have checksums of the contents of those files (for the different
versions of the packages) and the missing md5sum files on it.

But even that would only make sure none of the official files are
changed, while it is more easy to cause harm by simply adding stuff.
(Even changing can happen by just uninstalling and putting the stuff
manually in there).

So the whole thing would have to be combined with something like a
security focused checker (perhaps similar to cruft).

That together with some code to automatically detect the system and
use the right partitions at the right place would surely be a nice tool,
but it would for sure be an enormous amount of work before anything
half useful comes out of it.

So good luck and let me know when it is finished. (Because I doubt
anyone else will find the time to do it).

Hochachtungsvoll,
Bernhard R. Link



Re: security idea - bootable CD to check your system

2007-06-24 Thread Daniel van Eeden
Andy,

Sounds like you're looking for debsums[1]? A CD/DVD is possible but
doesn't allow fingerprint updates. I know that certain Sony MemorySticks
are equipped with an rw/ro switch. So a cardreader or usb thumbdrive
makes it possible to only use 1 medium instead of two and it still has
the read-only security.

[1] http://packages.debian.org/stable/admin/debsums

Cheers,

Daniel van Eeden

On Sun, 2007-06-24 at 15:23 +0100, andy baxter wrote:
> hello,
> 
> I am writing to ask what you think of the following idea? Something that 
> I would like to see is a bootable CDROM which can check all the packages 
> on a debian system. My idea is that it would work roughly as follows:
> 
> - You halt the machine and put in a bootable CD, then reboot.
> - The machine boots from the CD, which is read-only and known to be good.
> - It boots into a minimal linux system which will do nothing but the 
> following:
> - ask you whether you are booting for the first or second time.
> - Read a floppy or other removable media to find configuration 
> information for the machine being checked.
> - Read the host machine's hard drive to find a list of all installed 
> packages.
> - Connect once to the network to retrieve a list of files and their 
> checksums for each of these packages from a debian server. This list 
> could be saved either to a designated partition on the hard drive, or to 
> removable media.
> - Disconnect from the network.
> - Reboot itself.
> - The second time round, don't connect to the network.
> - instead, check all the binaries (and optionally config files) against 
> the checksums.
> - generate some kind of easy to read report on screen, or else save it 
> to removable media.
> 
> Do you think this would work (i.e. be a good check on whether your 
> system has been compromised), and is it worth doing? I'm not sure if I 
> have the skills to take on something like this all by myself, but I 
> would be willing to put some time in to help where I can if anyone else 
> wants to have a go at it.
> 
> Alternatively, if people don't think it's worth your while developing 
> something like this, where should I start looking to try to put it 
> together myself, and is there anyone at debian who might be able to help 
> me?
> 
> yours,
> 
> andy baxter.
> 
> 
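
The procedure quoted above (boot from the read-only medium, obtain the checksum list once, then check the disk offline) and andy's later suggestion of listing files under /bin, /lib and /usr that belong to no package, as an added shell example that is not code from the thread or from debsums: ROOT, SUMS, the md5sum-style list format and the function names are assumptions, and the trusted list is built here from a tree you already trust rather than fetched from a Debian server.

```shell
#!/bin/sh
# Added example, not code from the thread: an offline integrity check in the
# shape andy proposes, meant to run from a known-clean boot medium with the
# suspect root filesystem mounted read-only. It also covers his follow-up idea
# of listing files under chosen directories that belong to no known package,
# and Stephan's point that locally changed config files (fstab) must be in
# the trusted list too.
#
# Assumed (hypothetical) inputs:
#   ROOT  mount point of the suspect root, e.g. /mnt/target (no trailing slash)
#   SUMS  trusted list in md5sum format ("<md5>  <path>"), paths relative to
#         ROOT; it lives on the read-only medium together with this script,
#         so neither the checker nor its data comes from the checked system.
# make_sums builds that list from a tree you trust (a fresh install or the
# unpacked packages); it stands in for the thread's "fetch once, then check
# offline" step.

# make_sums ROOT DIR...  ->  trusted list on stdout
make_sums() {
    root=$1; shift
    for d in "$@"; do
        find "$root$d" -type f 2>/dev/null
    done | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(md5sum < "$f" | cut -d' ' -f1)" "${f#"$root"}"
    done
}

# verify_files ROOT SUMS  ->  one "MODIFIED <path>" or "MISSING <path>" line
# per listed file that no longer matches. Always returns 0; the caller counts.
verify_files() {
    root=$1; sums=$2
    while read -r sum path; do
        case $sum in ''|'#'*) continue ;; esac   # skip blank/comment lines
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
        elif [ "$(md5sum < "$root$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$sums"
    return 0
}

# unowned_files ROOT SUMS DIR...  ->  "UNOWNED <path>" for every regular file
# under the given directories that the trusted list does not mention.
# (Bernhard's point: adding a file is as dangerous as changing one.)
unowned_files() {
    root=$1; sums=$2; shift 2
    tmp=$(mktemp -d)
    for d in "$@"; do
        find "$root$d" -type f 2>/dev/null
    done | while read -r f; do printf '%s\n' "${f#"$root"}"; done |
        LC_ALL=C sort > "$tmp/present"
    sed 's/^[0-9a-f]*  //' "$sums" | LC_ALL=C sort > "$tmp/known"
    LC_ALL=C comm -23 "$tmp/present" "$tmp/known" | sed 's/^/UNOWNED /'
    rm -rf "$tmp"
}

# offline_check ROOT SUMS DIR...  ->  prints the report; returns 1 on any finding
offline_check() {
    root=$1; sums=$2; shift 2
    findings=$(verify_files "$root" "$sums"; unowned_files "$root" "$sums" "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: every listed file matches and no unowned files under $*"
    return 0
}
```

Run it from the rescue boot with the target mounted read-only, for instance `offline_check /mnt/target /media/cdrom/trusted.md5 /bin /sbin /lib /usr /etc`; because /etc is in the trusted list, a flipped mount option in fstab shows up as `MODIFIED /etc/fstab`.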



Re: security idea - bootable CD to check your system

2007-06-24 Thread Jim Popovitch
On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
> The difference is that:
> 
> a) These all run on the live system they are trying to protect, 

Unless you configure them to only write to an offline mount point that
is normally ro and only rw through external effort which is in
Tripwire's best practices.

-Jim P.





Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter
I've tried using debsums - however it's not really a good check on your 
system because the program and the data it's using both come from the 
system you are trying to check, so could be compromised. Also, it seems 
to miss out many important packages - e.g. here's the standard error 
output from a recent run of debsums on my server:


whale:~# cat debsums.err
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bsdutils
debsums: no md5sums for console-data
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for hotplug
debsums: no md5sums for initscripts
debsums: no md5sums for kernel-image-2.4.27-2-586tsc
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: no md5sums for libgdbm3
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for lynx
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for modutils
debsums: no md5sums for mount
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: no md5sums for ssh
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux

What do you mean by 'fingerprint updates?'

andy.

Daniel van Eeden wrote:

Andy,

Sounds like you're looking for debsums[1]? A CD/DVD is possible but
doesn't allow fingerprint updates. I know that certain Sony MemorySticks
are equipped with an rw/ro switch. So a cardreader or usb thumbdrive
makes it possible to only use 1 medium instead of two and it still has
the read-only security.

[1] http://packages.debian.org/stable/admin/debsums

Cheers,

Daniel van Eeden

On Sun, 2007-06-24 at 15:23 +0100, andy baxter wrote:

hello,

I am writing to ask what you think of the following idea? Something that 
I would like to see is a bootable CDROM which can check all the packages 
on a debian system. My idea is that it would work roughly as follows:


- You halt the machine and put in a bootable CD, then reboot.
- The machine boots from the CD, which is read-only and known to be good.
- It boots into a minimal linux system which will do nothing but the 
following:

- ask you whether you are booting for the first or second time.
- Read a floppy or other removable media to find configuration 
information for the machine being checked.
- Read the host machine's hard drive to find a list of all installed 
packages.
- Connect once to the network to retrieve a list of files and their 
checksums for each of these packages from a debian server. This list 
could be saved either to a designated partition on the hard drive, or to 
removable media.

- Disconnect from the network.
- Reboot itself.
- The second time round, don't connect to the network.
- instead, check all the binaries (and optionally config files) against 
the checksums.
- generate some kind of easy to read report on screen, or else save it 
to removable media.


Do you think this would work (i.e. be a good check on whether your 
system has been compromised), and is it worth doing? I'm not sure if I 
have the skills to take on something like this all by myself, but I 
would be willing to put some time in to help where I can if anyone else 
wants to have a go at it.


Alternatively, if people don't think it's worth your while developing 
something like this, where should I start looking to try to put it 
together myself, and is there anyone at debian who might be able to help 
me?


yours,

andy baxter.




Re: security idea - bootable CD to check your system

2007-06-24 Thread andy baxter

The difference is that:

a) These all run on the live system they are trying to protect, so in 
principle they can be neutralised at the same time as the system is 
attacked, the same as any other binary. E.g. like the way attackers 
modify system programs like 'find' to hide files they have installed.
b) Their databases need to be updated every time you update your system, 
whereas this approach would update itself automatically whenever you 
downloaded a new package or update.


andy.

Felix Windt wrote:

Tripwire, integrit and aide all perform something similar to what you
described.


-Original Message-
From: andy baxter [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 24, 2007 7:23 AM

To: debian-security@lists.debian.org
Subject: security idea - bootable CD to check your system

hello,

I am writing to ask what you think of the following idea? 
Something that I would like to see is a bootable CDROM which 
can check all the packages on a debian system. My idea is 
that it would work roughly as follows:


- You halt the machine and put in a bootable CD, then reboot.
- The machine boots from the CD, which is read-only and known 
to be good.

- It boots into a minimal linux system which will do nothing but the
following:
- ask you whether you are booting for the first or second time.
- Read a floppy or other removable media to find 
configuration information for the machine being checked.
- Read the host machine's hard drive to find a list of all 
installed packages.
- Connect once to the network to retrieve a list of files and 
their checksums for each of these packages from a debian 
server. This list could be saved either to a designated 
partition on the hard drive, or to removable media.

- Disconnect from the network.
- Reboot itself.
- The second time round, don't connect to the network.
- instead, check all the binaries (and optionally config 
files) against the checksums.
- generate some kind of easy to read report on screen, or 
else save it to removable media.


Do you think this would work (i.e. be a good check on whether 
your system has been compromised), and is it worth doing? I'm 
not sure if I have the skills to take on something like this 
all by myself, but I would be willing to put some time in to 
help where I can if anyone else wants to have a go at it.


Alternatively, if people don't think it's worth your while 
developing something like this, where should I start looking 
to try to put it together myself, and is there anyone at 
debian who might be able to help me?


yours,

andy baxter.





RE: security idea - bootable CD to check your system

2007-06-24 Thread Felix Windt
Tripwire, integrit and aide all perform something similar to what you
described.

> -Original Message-
> From: andy baxter [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, June 24, 2007 7:23 AM
> To: debian-security@lists.debian.org
> Subject: security idea - bootable CD to check your system
> 
> hello,
> 
> I am writing to ask what you think of the following idea? 
> Something that I would like to see is a bootable CDROM which 
> can check all the packages on a debian system. My idea is 
> that it would work roughly as follows:
> 
> - You halt the machine and put in a bootable CD, then reboot.
> - The machine boots from the CD, which is read-only and known 
> to be good.
> - It boots into a minimal linux system which will do nothing but the
> following:
> - ask you whether you are booting for the first or second time.
> - Read a floppy or other removable media to find 
> configuration information for the machine being checked.
> - Read the host machine's hard drive to find a list of all 
> installed packages.
> - Connect once to the network to retrieve a list of files and 
> their checksums for each of these packages from a debian 
> server. This list could be saved either to a designated 
> partition on the hard drive, or to removable media.
> - Disconnect from the network.
> - Reboot itself.
> - The second time round, don't connect to the network.
> - instead, check all the binaries (and optionally config 
> files) against the checksums.
> - generate some kind of easy to read report on screen, or 
> else save it to removable media.
> 
> Do you think this would work (i.e. be a good check on whether 
> your system has been compromised), and is it worth doing? I'm 
> not sure if I have the skills to take on something like this 
> all by myself, but I would be willing to put some time in to 
> help where I can if anyone else wants to have a go at it.
> 
> Alternatively, if people don't think it's worth your while 
> developing something like this, where should I start looking 
> to try to put it together myself, and is there anyone at 
> debian who might be able to help me?
> 
> yours,
> 
> andy baxter.
> 
> 


security idea - bootable CD to check your system

2007-06-24 Thread andy baxter

hello,

I am writing to ask what you think of the following idea? Something that 
I would like to see is a bootable CDROM which can check all the packages 
on a debian system. My idea is that it would work roughly as follows:


- You halt the machine and put in a bootable CD, then reboot.
- The machine boots from the CD, which is read-only and known to be good.
- It boots into a minimal linux system which will do nothing but the 
following:

- ask you whether you are booting for the first or second time.
- Read a floppy or other removable media to find configuration 
information for the machine being checked.
- Read the host machine's hard drive to find a list of all installed 
packages.
- Connect once to the network to retrieve a list of files and their 
checksums for each of these packages from a debian server. This list 
could be saved either to a designated partition on the hard drive, or to 
removable media.

- Disconnect from the network.
- Reboot itself.
- The second time round, don't connect to the network.
- instead, check all the binaries (and optionally config files) against 
the checksums.
- generate some kind of easy to read report on screen, or else save it 
to removable media.


Do you think this would work (i.e. be a good check on whether your 
system has been compromised), and is it worth doing? I'm not sure if I 
have the skills to take on something like this all by myself, but I 
would be willing to put some time in to help where I can if anyone else 
wants to have a go at it.


Alternatively, if people don't think it's worth your while developing 
something like this, where should I start looking to try to put it 
together myself, and is there anyone at debian who might be able to help 
me?


yours,

andy baxter.


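The offline half of the procedure andy sketches above (boot from read-only media, mount the suspect disk, compare every packaged file against a checksum list that did not come from that disk), written out as an added example. This is not code from the thread, from debsums or from any Debian tool. It assumes the trusted list is in Debian's md5sums format ("<md5hex>  <path relative to />", one file per line) and was obtained from a mirror on the first, networked boot and kept on read-only media; the sample root tree, the three file contents and the "tampered find" are constructed here purely so the script runs stand-alone. Note that it can only judge files the list names, so a package with no md5sums (andy's debsums.err list) is a blind spot, and a list read from the disk being checked proves nothing, which is exactly the objection to running debsums on the live system.

```python
"""Verify a mounted root filesystem against a trusted Debian-style md5sums list.

Added example, not from the original thread. Assumptions: the manifest comes
from a trusted source (not the disk under test) and the disk is mounted
read-only under ROOT so the check itself cannot alter evidence.
"""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse md5sums-format lines ("<32 hex>  <relative path>") into a dict.

    Raises ValueError on a malformed line rather than silently skipping it:
    a truncated or edited manifest must not turn into a clean report.
    """
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError("malformed manifest line: %r" % line)
        manifest[path] = digest.lower()
    return manifest


def md5_file(path):
    """MD5 of a file, streamed so large binaries do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Compare every manifest entry with the file under ROOT.

    Returns {'ok': [...], 'modified': [...], 'missing': [...]}, each sorted
    by path. Files under ROOT that the manifest does not mention are not
    examined at all: this check says nothing about added files.
    """
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_file(full) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def build_demo():
    """Construct a throwaway root with three 'packaged' files (constructed
    sample data), record their checksums, then simulate an intrusion by
    replacing find with a wrapper and deleting a config file."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "usr/bin/find": b"#!/bin/sh\necho genuine find\n",
        "bin/ls": b"#!/bin/sh\necho genuine ls\n",
        "etc/inetd.conf": b"# constructed sample config\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The manifest is computed from the pristine contents, standing in for
    # the list fetched from a mirror before the disk was ever touched.
    manifest_text = "".join(
        "%s  %s\n" % (hashlib.md5(data).hexdigest(), rel)
        for rel, data in files.items()
    )
    # Intruder: trojaned find that filters its own files out of listings.
    with open(os.path.join(root, "usr/bin/find"), "wb") as f:
        f.write(b"#!/bin/sh\n/usr/bin/find.real \"$@\" | grep -v hidden\n")
    os.remove(os.path.join(root, "etc/inetd.conf"))
    return root, manifest_text


def run_demo():
    """Run the check over the constructed tree and return the report."""
    root, manifest_text = build_demo()
    return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for status, paths in run_demo().items():
        for p in paths:
            print("%-9s %s" % (status.upper(), p))
```

On a real rescue boot the call is verify_tree("/mnt", parse_manifest(open("/media/trusted/md5sums").read())) with the suspect disk mounted read-only on /mnt; the script itself lives on the boot medium. MD5 is kept only because that is the format Debian ships; it is weak against collisions, but an attacker who replaces a file must produce a second preimage of a hash fixed before the attack, which is a different and much harder problem. The real weakness is the one the thread identifies: the list, the interpreter and the kernel doing the comparison must all come from somewhere the attacker could not reach.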