wtf ... Something strips installed binaries???

Richard W.M. Jones rjones at redhat.com
Wed Sep 3 10:53:53 UTC 2008


On Tue, Sep 02, 2008 at 11:07:45AM -0200, Thomas M Steenholdt wrote:
> Bill Crawford wrote:
>> Thomas M Steenholdt wrote:
>>> I wasn't even aware that prelinking actually changed the files. Isn't this kind of dangerous from a system-integrity point-of-view? How can we ever validate binaries if they are modified on purpose?
>>
>> With "prelink --verify" ?
>>
>
> I can't see how that would actually verify that the binary has not been  
> modified by a rootkit or whatever? rpm -V should be able to detect this,  
> on the other hand, but how it works in conjunction with prelinking I  
> don't know...

Another problem is that it prevents binaries from being verified from
outside the machine.  I've been looking at tools which verify binaries
in a virtual machine, from outside the virtual machine (to ensure a
high degree of integrity for the inspection tool).  Same applies for
AIDE (http://www.cs.tut.fi/~rammer/aide.html) if you run it from a
CD-ROM or from the host on a virtual machine.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
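
Added example (not part of the original message, nor code from any tool named in it): a Python sketch of the out-of-band check discussed above. It compares file bytes read from an offline guest image with packaged SHA-256 digests, and reports separately any mismatching ELF file that carries prelink's `.gnu.prelink_undo` section. The function names, status strings and sample files are constructed for illustration.

```python
import hashlib
import struct

UNDO = b".gnu.prelink_undo"  # section prelink adds to hold its undo data

def section_names(data):
    """Section names of a little-endian ELF32/ELF64 image; [] if unparsable."""
    if data[:4] != b"\x7fELF" or data[4:6] not in (b"\x01\x01", b"\x02\x01"):
        return []
    wide = data[4] == 2  # ELFCLASS64, otherwise ELFCLASS32
    try:
        shoff = struct.unpack_from("<Q" if wide else "<I", data, 0x28 if wide else 0x20)[0]
        entsize, num, stridx = struct.unpack_from("<HHH", data, 0x3A if wide else 0x2E)
        fmt = "<IIQQQQ" if wide else "<IIIIII"  # sh_name through sh_size
        hdrs = [struct.unpack_from(fmt, data, shoff + i * entsize) for i in range(num)]
        off, size = hdrs[stridx][4:6]
    except (struct.error, IndexError):
        return []
    strtab = data[off:off + size]
    return [strtab[h[0]:].split(b"\0", 1)[0] for h in hdrs]

def classify(data, expected):
    if data is None:
        return "MISSING"
    if hashlib.sha256(data).hexdigest() == expected:
        return "OK"
    # Digest alone cannot tell prelink's rewrite from tampering: report it apart.
    return "PRELINKED-UNVERIFIED" if UNDO in section_names(data) else "MODIFIED"

def audit(manifest, image_files):
    """manifest: path -> SHA-256; image_files: path -> bytes from the offline image."""
    return {p: classify(image_files.get(p), h) for p, h in manifest.items()}

def make_sample_elf(names):
    """Constructed input: ELF64 with only the fields section_names() reads."""
    secs = [b""] + list(names) + [b".shstrtab"]
    strtab, last = b"".join(n + b"\0" for n in secs), len(secs) - 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(33) + struct.pack(
        "<QIHHHHHH", 64 + len(strtab), 0, 64, 0, 0, 64, len(secs), last)
    shdrs = b"".join(struct.pack("<IIQQQQ24x", strtab.index(n + b"\0"), 0, 0, 0,
                                 64 * (i == last), len(strtab) * (i == last))
                     for i, n in enumerate(secs))
    return ehdr + strtab + shdrs

def demo():
    """Constructed files: one untouched, one prelinked, one altered, one absent."""
    packaged, prelinked = make_sample_elf([b".text"]), make_sample_elf([b".text", UNDO])
    manifest = dict.fromkeys(("ls", "cat", "ps", "su"), hashlib.sha256(packaged).hexdigest())
    image = {"ls": packaged, "cat": prelinked, "ps": packaged + b"\0"}
    return audit(manifest, image)
```

A `PRELINKED-UNVERIFIED` result is not a pass: the section only explains why the digest may differ. The file still has to be compared against the packaged digest after the prelink is undone, for example with the `prelink --verify` mentioned upthread.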



