Re: Certifying a RedHat Install
From: Zow (zow_at_llnl.gov)
Date: 07/15/04
- Previous message: Peter H. Lemieux: "Re: Certifying a RedHat Install"
- In reply to: corey: "RE: Certifying a RedHat Install"
- Next in thread: Alan Hicks: "Re: Certifying a RedHat Install"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "corey" <Corey.Hart@synopsys.com>
Date: Thu, 15 Jul 2004 14:02:08 -0700
> Yeah you can an rpm -Va, but who the hell installs a root
> kit, backdoor, etc via an rpm?
Actually, in the case of a naive/stupid attacker, an rpm -Va will catch them
as it will detect that a binary such as /bin/ls doesn't match the one
installed from that rpm. Putting aside for the moment the fact that most any
attacker (even script kiddies) will use a rootkit that will return the proper
checksum, this brings up an interesting attack scenario: if the attacker does
install their new tools via an rpm, the rpm -Va will NOT catch it, because
now the files match the package they're installed from!
The important thing to keep in mind here is that rpm's verify functionality
was designed to detect random or accidental corruption or deletion of files,
not malicious activity.
Terry
#include <stdDisclaimer.hh>
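
Added example, not part of the original message: because a package an intruder installs through rpm verifies cleanly under rpm -Va, a complementary defensive check is to list who signed each installed package and flag anything unsigned or signed by a key outside an allowlist. The input is assumed to be the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'`; the function names, package names and key IDs below are constructed for illustration.

```shell
#!/bin/sh
# Flag installed packages whose header signature is missing or was made by a
# key that is not on an allowlist. rpm -Va cannot see this: it only compares
# files on disk with what the (possibly attacker-supplied) package recorded.

# Constructed placeholder allowlist of trusted signing key IDs, space separated.
# Build the real list off-host, from the vendor's published keys.
TRUSTED_KEYS="aaaaaaaaaaaaaaaa"

flag_untrusted_packages() {
    # stdin : "<name-version-release> <pgpsig text>" per line
    # stdout: "UNSIGNED <pkg>" or "UNKNOWN_KEY <pkg> <keyid>" per suspect
    awk -v trusted="$TRUSTED_KEYS" '
        BEGIN {
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) ok[tolower(t[i])] = 1
        }
        NF == 0 { next }                      # skip blank lines
        {
            pkg = $1
            # Unsigned packages print "(none)" instead of a "Key ID ..." field
            if ($0 !~ /Key ID [0-9A-Fa-f]+/) { print "UNSIGNED", pkg; next }
            keyid = tolower($NF)              # key ID is the last field
            if (!(keyid in ok)) print "UNKNOWN_KEY", pkg, keyid
        }'
}

# Constructed sample inventory (not captured from a real system).
sample_inventory() {
cat <<'EOF'
coreutils-8.32-1 RSA/SHA256, Mon 01 Jan 2024 00:00:00, Key ID aaaaaaaaaaaaaaaa
sysutils-1.0-1 (none)
netmon-2.1-3 RSA/SHA256, Tue 02 Jan 2024 00:00:00, Key ID bbbbbbbbbbbbbbbb
EOF
}

# On a live system, replace sample_inventory with the rpm -qa query above.
sample_inventory | flag_untrusted_packages
```

Like rpm -Va, this reads the host's own rpm database, so the result is only as trustworthy as the rpm binary and database it is run against.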