[sf-lug] about /usr/local and package management

jim stockford jim at well.com
Wed Oct 18 15:05:20 PDT 2006


best sense i can make of this is you need a
second, trusted machine on which to run
something that can effectively peek into a
suspected machine.

'course there's the chicken-egg business--
can you really trust your trusted machine,
even a gentoo-like approach needs a
compiler, can you trust that...? How to get
a trusted machine in the first place (harks
of Asheesh's warnings)?



On Oct 18, 2006, at 2:33 PM, Rick Moen wrote:

> Quoting jim stockford (jim at well.com):
>> On Oct 18, 2006, at 9:54 AM, Rick Moen wrote:
>>> [1] How to check the security of a system whose software you don't
>>> trust is a non-trivial problem.
>>
>> well, there's downloading the source code, reading every line (and
>> understanding each), and compiling and installing.  Seems doable for
>> chkrootkit and the like....
>
> ...which might suffice if you had any reason to think that the program,
> once run, will do what you think it should, even if the machine is
> compromised.  Unfortunately, _if_ the machine is compromised, you 
> can't.
>
> See the problem?
>
>> there's md5sum and trusting the maker.
>
> You cannot trust the output of md5sum if it's running on a compromised
> system.  The system controls what md5sum sees, what it does, and what 
> it
> outputs.
>
>> there's trusting the distro.
>
> Unwise if the reason you're seeking to run chkrootkit is because you
> think your system might be compromised.  (If you mean "trust the
> distro's package integrity on its update servers", that's a good start,
> but that still leaves not being able to trust the _system_ on which the
> tool runs.)
>
>> A NOC guy taught me "trust is efficient". Your tho'ts?
>
> I'm not sure what the guy meant in context -- but I _do_ know that it
> seems uncommonly silly to run a security-checking tool on a suspect
> (i.e., possibly root-compromised) system and put any faith at all in 
> its
> output.
>
> E.g., I have to laugh whenever I hear someone say "Well, I suspected
> that my system was root-compromised, but 'rpm -qa' came up clean."
> (If one suspects root compromise, why then are the contents of
> /var/lib/rpm/* suddenly trustworthy, not to mention /usr/bin/rpm,
> the console support libs, etc.?)
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
>





More information about the sf-lug mailing list