SELinux last straw
Gordon Messmer
yinyang at eburg.com
Wed Oct 17 23:27:29 UTC 2007
Les Mikesell wrote:
> Jacques B. wrote:
>>
>> You can't honestly suggest that there should be a tool that can check
>> your entire system for any evidence of intrusion and fix it?
>
> Well yes... Since there isn't a handier one, I usually do it by
> restoring a backup from a time when I trusted the machine into a
> subdirectory of some other machine, then running rsync -avn against the
> live one to see what has changed.

That might not be good enough. 'rsync -a' will skip more thorough
checks if two files' size and mod times match. An attacker could fairly
easily produce a binary of the same size, and fix the mod time after
installation.

If you add '-I', then rsync will report comparing all of the files in
your system, so that's no good either. You probably need to use a
backup copy of the rpm database to do an 'rpm -Va' to verify your system
files.
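
The gap described in the reply above, as an added example that is not part of the original message: comparing a trusted tree against a live one by size and mod time misses a file altered with both preserved, while a content-hash comparison flags it. The directory layout, file names and helper functions are constructed for illustration.

```python
import hashlib
import os
import tempfile


def same_quick(a, b):
    """Size + mtime comparison, the quick check the message describes."""
    sa, sb = os.stat(a), os.stat(b)
    return sa.st_size == sb.st_size and int(sa.st_mtime) == int(sb.st_mtime)


def same_content(a, b):
    """Content comparison that ignores metadata entirely."""
    with open(a, "rb") as fa, open(b, "rb") as fb:
        return hashlib.sha256(fa.read()).digest() == hashlib.sha256(fb.read()).digest()


def changed(trusted, live, same):
    """Relative paths under `trusted` that are missing or differ in `live`."""
    out = []
    for dirpath, _dirs, names in os.walk(trusted):
        for name in names:
            a = os.path.join(dirpath, name)
            rel = os.path.relpath(a, trusted)
            b = os.path.join(live, rel)
            if not os.path.isfile(b) or not same(a, b):
                out.append(rel)
    return sorted(out)


def demo():
    """Constructed sample: bin/ps is altered in `live`, size and mtime kept."""
    stamp = (1192000000, 1192000000)  # arbitrary fixed timestamp (assumption)
    with tempfile.TemporaryDirectory() as top:
        trusted, live = os.path.join(top, "trusted"), os.path.join(top, "live")
        for root, ps in ((trusted, b"B" * 64), (live, b"C" * 64)):
            os.makedirs(os.path.join(root, "bin"))
            for name, data in (("ls", b"A" * 64), ("ps", ps)):
                path = os.path.join(root, "bin", name)
                with open(path, "wb") as f:
                    f.write(data)
                os.utime(path, stamp)
        return changed(trusted, live, same_quick), changed(trusted, live, same_content)


if __name__ == "__main__":
    quick, content = demo()
    print("size+mtime check flags:", quick)
    print("content hash flags:   ", content)
```

The walk covers only files present in the trusted tree, so files that exist only on the live side need a second pass in the other direction.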