Re: Checking for rootkits

From: Matt Zimmerman (mdzat_private)
Date: Sun Feb 24 2002 - 21:35:04 PST


On Fri, Feb 22, 2002 at 05:55:24PM -0500, Jason Dixon wrote:

> md5sum chkrootkit >> /etc/chkrootkit.md5
> [run the same command for each binary;  command is 'md5' in *BSD]
>
> chattr +i /etc/chkrootkit.md5   [Linux]
> chflags schg /etc/chkrootkit.md5   [*BSD]
>
> To automate these utilities, I've set up a cron job to execute a perl script
> I've created which first authenticates our stored md5 digests against the
> current md5 values.

There is little point in going to so much trouble to protect
/etc/chkrootkit.md5 when an attacker could simply subvert your cron job, the
script, the MD5 module, perl, the shell, or even the kernel.  You must not
use components from an untrusted system in order to perform validation of
the system.

One way to perform a trusted validation would be to boot the system from
read-only, known good media, and check the system against a database.  Both
the database and the tools used to verify it must also reside on read-only,
known good media.  This kind of procedure is also best performed while the
system is disconnected from the network.

--
 - mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
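The offline check described in the reply, as an added example that is not part of the original thread or of chkrootkit: every tool used for hashing and comparison is invoked by absolute path from the known-good media, and the baseline database lives there too, so nothing from the suspect system takes part in its own validation. It assumes a layout in which TRUSTED is the mount point of the read-only rescue media (tools under $TRUSTED/bin, baseline file beside them) and TARGET is the suspect root mounted read-only from that rescue environment; the demo_setup and demo_run functions simulate both trees in a temporary directory so the script runs stand-alone, linking the host's own tools into the fake media only for that purpose. sha256sum stands in for the thread's md5sum, since MD5 collisions are practical and a replacement binary can be built to match a stored MD5.

```shell
#!/bin/sh
# Added example, not from the original thread. Offline integrity check of a
# suspect filesystem using only tools and a hash database on separate,
# known-good media, as the reply above recommends.
#
# Assumed layout: TRUSTED = mount point of the read-only rescue media, with
# the verification tools under $TRUSTED/bin and the baseline beside them;
# TARGET = the suspect root mounted read-only from that rescue environment
# (e.g. mount -o ro /dev/sda1 /mnt/target). demo_setup/demo_run simulate
# both in a temporary directory; the host tools they link into the fake
# $TRUSTED/bin are a stand-in for the media's own binaries and are exactly
# what you would NOT use on a real suspect system.
#
# sha256sum replaces the thread's md5sum: MD5 collisions are practical.

set -u
export LC_ALL=C   # deterministic sort order, byte-wise comparison

# hash_tree TRUSTED TARGET: one "hash  ./path" line per regular file under
# TARGET, sorted by path, produced only with binaries from $TRUSTED/bin.
# Limitation: paths containing whitespace break the awk comparison below.
hash_tree() {
    ( cd "$2" && "$1/bin/find" . -type f -print0 \
        | "$1/bin/xargs" -0 "$1/bin/sha256sum" ) | "$1/bin/sort" -k2
}

# baseline_build TRUSTED TARGET DB: record the known-good state in DB.
baseline_build() {
    hash_tree "$1" "$2" > "$3"
    "$1/bin/chmod" 444 "$3"   # on real media the mount itself is read-only
}

# baseline_verify TRUSTED TARGET DB: print an ADDED / REMOVED / CHANGED line
# for every difference from DB. Returns 0 only when the tree matches exactly.
baseline_verify() {
    now=$("$1/bin/mktemp")
    hash_tree "$1" "$2" > "$now"
    rc=0
    "$1/bin/awk" '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            if (!($2 in base))       { print "ADDED   " $2; bad = 1 }
            else if (base[$2] != $1) { print "CHANGED " $2; bad = 1 }
            seen[$2] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad
        }' "$3" "$now" || rc=$?
    "$1/bin/rm" -f "$now"
    return $rc
}

# demo_setup DIR: build a fake rescue-media tree and a fake target system.
demo_setup() {
    mkdir -p "$1/trusted/bin" "$1/target/bin" "$1/target/etc"
    for t in find xargs sha256sum sort chmod mktemp awk rm; do
        ln -sf "$(command -v "$t")" "$1/trusted/bin/$t"   # demo only, see header
    done
    printf '#!/bin/sh\nexec /usr/bin/ls "$@"\n' > "$1/target/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/target/etc/passwd"
}

# demo_run: baseline a clean system, then trojan ls and drop a hidden file the
# way a rootkit would, and show the check catching both. Returns 0 when the
# clean check passed and the tampered tree was flagged.
demo_run() {
    work=$(mktemp -d)
    trusted=$work/trusted; target=$work/target; db=$trusted/baseline.sha256
    demo_setup "$work"
    baseline_build "$trusted" "$target" "$db"

    echo "== clean system"
    clean=1
    baseline_verify "$trusted" "$target" "$db" && clean=0 && echo "OK: no changes"

    # constructed tampering: ls that hides the dropped file, plus the file
    printf '#!/bin/sh\nexec /usr/bin/ls "$@" | grep -v backdoor\n' > "$target/bin/ls"
    mkdir -p "$target/usr/lib/.x"
    printf 'x\n' > "$target/usr/lib/.x/backdoor"

    echo "== after tampering"
    tampered=0
    baseline_verify "$trusted" "$target" "$db" || tampered=1

    rm -rf "$work"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}

case "${1:-}" in run) demo_run ;; esac
```

Run it as `sh check.sh run` to see the clean pass followed by the CHANGED ./bin/ls and ADDED ./usr/lib/.x/backdoor report. The point the script makes is in the `"$1/bin/..."` prefixes: PATH, the shell builtins it cannot avoid, and the kernel are still the rescue environment's, which is why the whole thing is meant to run after booting from the known-good media rather than from a cron job on the suspect host.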

This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 14:41:49 PST