Firewall Wizards mailing list archives

Re: File Integrity Check


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 13 Aug 1999 10:15:26 -0400

> In pursuit of determining critical system files for modifications I was
> thinking the checksum prog 'sum' would be sufficient.  Understanding
> that time, date, and file size can be modified under the ext2fs/ufs
> directory table.  Is it possible to also make the 'sum' checksum appear
> to be correct?

Yes, the "sum" checksum is not particularly resistant to deliberate
faking. It's an example of a normal checksum - resistant to accidental
changes but not deliberate tampering.

> I was under the impression tripwire uses its own special checksum prog
> to verify files, although would 'sum' be sufficient as well?  If not
> does anyone know of a better, more thorough checksum app?

Tripwire's probably the thing to use. It uses a mix of cryptographic
checksums including the de facto standard(s) SHA1 and MD5. That type
of checksumming algorithm is designed to be resistant to deliberate
manipulation, and uses a much larger checksum output. It'd require
extreme devotion and sophistication to defeat the checksum algorithms
(i.e.: a national intelligence agency). That's not likely, since
there are easier parts of the system to defeat.

In short, I'd suggest using tripwire. If that's not an option for
whatever reason, you can also use PGP to generate high quality
checksums of files.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
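
Added example (not part of the original message): a small baseline-and-verify check illustrating the distinction drawn above between an ordinary checksum and a cryptographic one. It assumes the System V variant of sum (`sum -s` in GNU coreutils) and uses SHA-256 in place of the SHA1/MD5 digests named in the message; the paths and file contents are constructed.

```python
import hashlib

def sysv_sum(data: bytes) -> int:
    """16-bit System V checksum (assumed variant: `sum -s` in GNU coreutils)."""
    s = sum(data) & 0xFFFFFFFF            # plain byte total, order-insensitive
    r = (s & 0xFFFF) + (s >> 16)          # fold the carries back into 16 bits
    return (r & 0xFFFF) + (r >> 16)

def sha256_hex(data: bytes) -> str:
    """Cryptographic digest; stands in for the SHA1/MD5 named in the message."""
    return hashlib.sha256(data).hexdigest()

def make_baseline(files: dict) -> dict:
    """Record both digests per path, as an integrity checker does at install time."""
    return {p: {"sum": sysv_sum(d), "sha256": sha256_hex(d)}
            for p, d in files.items()}

def verify(baseline: dict, files: dict) -> dict:
    """Return, per digest type, the sorted paths whose current digest differs."""
    changed = {"sum": [], "sha256": []}
    for path, rec in sorted(baseline.items()):
        data = files.get(path)
        if data is None:                  # a missing file is a change either way
            for kind in changed:
                changed[kind].append(path)
            continue
        if sysv_sum(data) != rec["sum"]:
            changed["sum"].append(path)
        if sha256_hex(data) != rec["sha256"]:
            changed["sha256"].append(path)
    return changed

# Constructed sample data (not real system files). The first file differs only
# in byte order, so its byte total, and therefore its sum checksum, is unchanged.
ORIGINAL = {"/etc/app.conf": b"timeout=120\n", "/etc/motd": b"welcome\n"}
MODIFIED = {"/etc/app.conf": b"timeout=210\n", "/etc/motd": b"welcome!\n"}

if __name__ == "__main__":
    report = verify(make_baseline(ORIGINAL), MODIFIED)
    for kind, paths in report.items():
        print(f"{kind:7s} flags: {paths}")
```

The sum-based baseline reports only the file whose byte total changed; the SHA-256 baseline reports both.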


