OSEC

From: marc (marcZOUNDS.NET)
Date: Fri Jan 05 2001 - 12:22:30 CST


    On Thu, 4 Jan 2001, Robert Horn wrote:

    > > On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
    > >> Make sure your md5sum binary is also on immutable media. It doesn't do you any
    > >> good to have known good checksums, if the binary that does the checking can be
    > >> hacked to tell you what the hacker wants it to tell you.

            Does anyone know of an ISO distribution of Linux already built to
    do this? I am familiar w/ Trinux, but I'd like a bootable CD that already
    has the ability to mount different filesystems, md5 check, etc. At SANS I
    saw someone was walking around giving out small recovery CD-ROMs like this
    that were cut down to the size of a credit card. I'd really like one of
    those.

    marc

    > >
    > > That may also not be enough. A library could have been hacked, md5sum should be
    > > statically linked. And, if a kernel module has been inserted, then all bets
    > > are off, you would have to reboot from a known kernel to be sure.
    >
    > One convenience for some systems is to create a mountable and bootable
    > CDROM with:
    > 1. The md5sums
    > 2. A program for checking the md5sums. If you write one of your own
    > in C or some other language that generates executable code you
    > increase the difficulty of a modified kernel recognizing and
    > defeating it.
    > 3. A usable small complete OS for initial forensics.
    >
    > A modified kernel can hide modifications by trapping filesystem I/O, so
    > only rebooting directly from the CDROM with the known good OS and tools
    > is the only way to detect kernel modifications. Using a CDROM is just a
    > convenience. It avoids dis-assembling the computer to take the suspect
    > disks over to another known good system for analysis. It is usually
    > much easier to reboot from the CDROM.
    >
    > If they've penetrated the boot ROM, well, you can reflash it from a
    > known good copy.
    >
    > R Horn
    >

    marc
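The procedure Robert Horn outlines above (the md5sums and the checker both living on read-only media, run only after booting a known-good OS) as an added POSIX shell example; this is not code from the thread or from Trinux. It assumes a `TOOLS` directory holding the known-good `find`, `md5sum`, `sort`, `awk`, `mktemp` and `rm` binaries (unset, they come from PATH, which is only acceptable on a trusted host), a manifest in `md5sum`'s own `<hash>  <path>` format with paths relative to the tree root, and no whitespace in paths; the function names `make_manifest` and `check_tree` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies a mounted suspect
# filesystem against an md5 manifest kept on read-only media, running only
# the find, md5sum, sort, awk, mktemp and rm binaries shipped on that media.
# Assumptions: TOOLS names the directory holding those known-good binaries
# (unset, they come from PATH; acceptable only on a trusted host); manifest
# lines are md5sum's own "<hash>  <path>" with paths relative to the tree
# root; paths containing whitespace are not handled.

# run NAME ARGS...: execute NAME from TOOLS, or from PATH if TOOLS is unset.
run() { t=$1; shift; "${TOOLS:+$TOOLS/}$t" "$@"; }

# make_manifest ROOT OUT: hash every regular file under ROOT into OUT.
# Build it from known-good media before the system goes live, then keep
# it on the same media as the checker.
make_manifest() {
    ( cd "$1" && run find . -type f -exec "${TOOLS:+$TOOLS/}md5sum" '{}' + ) \
        | run sort -k2 > "$2"
}

# check_tree ROOT MANIFEST: compare the tree under ROOT with MANIFEST.
# Unlike md5sum -c, it also reports files that the manifest never listed.
# Prints one "CHANGED|MISSING|NEW <path>" line per finding; returns 0 only
# when the tree matches the manifest exactly.
check_tree() {
    now=$(run mktemp) || return 2
    make_manifest "$1" "$now"
    findings=$(run awk '
        FILENAME == ARGV[1] { want[$2] = $1; next }   # manifest: expected hashes
        { have[$2] = $1 }                              # current tree
        END {
            for (p in want) if (!(p in have)) print "MISSING " p
            for (p in have) if (!(p in want)) print "NEW " p
            for (p in want) if ((p in have) && have[p] != want[p]) print "CHANGED " p
        }' "$2" "$now" | run sort)
    run rm -f "$now"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Mount the suspect disk read-only from the rescue CD, point `TOOLS` at the CD's own binaries, and run `check_tree /mnt/suspect /cdrom/manifest.md5`; a kernel that was only rootkitted on the suspect disk is out of the picture because it is not the one running.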
