Guaranteeing running code is signed

Michael Schwendt mschwendt at gmail.com
Sun May 10 11:06:22 UTC 2009


On Sat, 9 May 2009 22:28:58 +0300, Ahmed wrote:

> while rpm's verify options are useful in many cases, they are not in this
> one. The use case is, Admin A takes ownership of server-C from admin B,
> admin-B might have infested server-C with all kinds of "custom" code (and
> even worse, scripts executing as root). How does admin-A ensure no custom
> code (scripts are probably even harder?) is running on server-C. This looks
> to me like it needs collaboration from the auditing subsystem (whenever a
> process starts), and selinux (detecting/blocking) executables not meeting
> signing requests, or at least logging what happened
> 
> Does fedora have the tools to accomplish such a task today, if not what's
> missing

If at least the admins in your scenario are trusted, you could make them
use intrusion detection tools like AIDE (package "aide") or Tripwire
(package "tripwire") as these can cover all files found on the system (not
just those known by the RPM database). The important thing to do is to
ensure that the admins only update the AIDE/Tripwire database (and store
it on external media) when the system installation is in a known good
state. If any of the admins don't pay proper attention to reports of files
that have changed and update the checksums database nevertheless, you lose.
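
As an added illustration of the baseline-then-check workflow described above (this is not code from the post and not AIDE or Tripwire itself, only a minimal stand-in for the same idea): take a snapshot of every file under a tree while the system is in a known good state, keep that snapshot as JSON as one would on external media, and later report added, removed and changed files. All paths and cron entries below are constructed for the demo.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every regular file under root (symlinks skipped), recording content, mode and size."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        db[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return db


def compare(baseline, current):
    """Diff two snapshots: files that appeared, disappeared, or whose hash/mode/size changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline taken in a known-good state, then a later check finds changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/cron.d").mkdir(parents=True)
        (root / "usr/local/bin").mkdir(parents=True)
        (root / "etc/cron.d/backup").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        (root / "usr/local/bin/backup.sh").write_text("#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        # Known-good state: in practice this JSON goes to external media, not onto the host itself.
        stored = json.dumps(snapshot(root))
        # Later check: an extra cron line and a new root-run script have appeared on the box.
        (root / "etc/cron.d/backup").write_text(
            "0 2 * * * root /usr/local/bin/backup.sh\n0 3 * * * root /usr/local/bin/cleanup.sh\n"
        )
        (root / "usr/local/bin/cleanup.sh").write_text("#!/bin/sh\necho cleanup\n")
        return compare(json.loads(stored), snapshot(root))
```

The report is only as trustworthy as the stored baseline: if the baseline is refreshed after an unreviewed change, that change becomes the new "known good" state, which is the failure mode the post warns about.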




More information about the fedora-devel-list mailing list