bootable readonly media in your pocket Re: yes, its t0rn again

[marc <marc () ZOUNDS NET>]

On Thu, 4 Jan 2001, Robert Horn wrote:

> > Em Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein escreveu:
> > > Make sure your md5sum binary is also on immutable media. It doesn't do you any
> > > good to have known good checksums, if the binary that does the checking can be
> > > hacked to tell you what the hacker wants it to tell you.

        Does anyone know of an iso distribution of linux already built to
do this?  I am familiar w/ trinux, but id like a bootable cd that already
has the ability to mount different filesystems, md5 check, etc.  At SANS i
saw someone was walking around giving out small recovery cdroms like this
that were cut down to the size of a credit card.  Id really like one of
those.

marc

> > That may also not be enough. A library could have been hacked, md5sum should be
> > statically linked. And, if a kernel module has been inserted, then all bets
> > are off, you would have to reboot from a known kernel to be sure.
>
> One convenience for some systems is to create a mountable and bootable
> CDROM with:
>  1. The md5sums
>  2. A program for checking the md5sums.  If you write one of your own
>     in C or some other language that generates executable code you
>     increase the difficulty of a modified kernel recognizing and
>     defeating it.
>  3. A usable small complete OS for initial forensics.
>
> A modified kernel can hide modifications by trapping filesystem I/O, so
> only rebooting directly from the CDROM with the known good OS and tools
> is the only way to detect kernel modifications.  Using a CDROM is just a
> convenience. It avoids dis-assembling the computer to take the suspect
> disks over to another known good system for analysis.  It is usually
> much easier to reboot from the CDROM.
>
> If they've penetrated the boot ROM, well, you can reflash it from a
> known good copy.
>
> R Horn

marc

import sigfile