Re: [Tiger-devel] CVS Tiger patches 20030926

[Javier Fernández-Sanguino Peña]

On Tue, Nov 25, 2003 at 02:41:37AM +0100, unspawn wrote:
> > > 5. Task #1643: Include checks for RedHat using rpm -VA Even though
> > 
> > [BTW, did you provide a patch with this one, I don't find it in the
> > tar.gz] Even if not on read-only media, an rpm -VA database is still
> No, but I'll code one. I think a config switch for selecting scanning 
> of just sys/user binary + config dirs or "full scan" would do best.

I'm not sure including config dirs is a good idea, since they might be 
modified by the use and/or scripts. At least that's why the 
systems/Linux/2/deb_checkmd5sums (same concept implemented for Debian) 
avoids conffiles completely.

> > Notice, however, that many rootkits will use extended attributes to
> > block changes of files modified by rootkits so I would not rely too much
> > on that check.
> Yeah, if we're up against a syscall-modifying entity then any output will 
> be of lesser or no value. From moderating part of LinuxQuestions.org I 
> can say it's a sad thing to see a lot of majority of Linux users running 
> their boxen w/o any filesystem integrity scanning, OTOH it's quite funny 
> to see how RK's like SuckIT can fsck up spitting out error messages :-]

The main issue I believe is users setting up systems without a proper 
partitioning scheme that enables them to 'ro' /usr, for example. In any 
case, part of the blame is probably on the distribution side since this is 
something that could be more or less automated.

> > It would be wise to do this check for /usr, /bin and /sbin at least.  
> > It could also warn the user if /tmp is in the same partition as / (or if
> > /home is). I think an "advisor" of improper partition setups would
> > really be useful. Care to code it? :-)
> 
> I'll code one. Should be fun.

Great! Thanks.

Javi

signature.asc
Description: Digital signature