Guaranteeing running code is signed

Ahmed Kamal email.ahmedkamal at googlemail.com
Sat May 9 19:28:58 UTC 2009


While rpm's verify options are useful in many cases, they are not in this
one. The use case is: Admin A takes ownership of server-C from admin B;
admin-B might have infested server-C with all kinds of "custom" code (and
even worse, scripts executing as root). How does admin-A ensure no custom
code (scripts are probably even harder?) is running on server-C? This looks
to me like it needs collaboration from the auditing subsystem (whenever a
process starts), and SELinux (detecting/blocking) executables not meeting
signing requirements, or at least logging what happened.

Does Fedora have the tools to accomplish such a task today? If not, what's
missing?

Regards

On Sat, May 9, 2009 at 10:12 PM, Mathieu Bridon (bochecha) <
bochecha at fedoraproject.org> wrote:

> Hi,
>
> > Is there any technology in Fedora that enables me to ensure that ALL
> > running code on a certain server (even code not installed from RPMs, such
> > as, say, by a legacy admin), has been signed by Red Hat, and to warn me about
> > un-signed code that is running or about to run. I am interested to verify
> > a server is in a "known-good" state.
>
> I don't know of any « One True Solution », but you could use things like:
> $ rpm -qaV
>  -> this will list all files modified _after_ they were installed via RPM
> $ rpm -qf <some file>
>  -> this will tell you the package that this file belongs to
>
> You can then use the « --queryformat » option of RPM to get various
> information about a package, for example where it came from.
>
> For files installed not using RPM, I'm not sure how to verify this,
> but as Fedora only provides files in RPMs, I'm pretty confident that
> no file outside an RPM will be signed by Fedora.
>
> For RedHat, I have no idea, but you are on a Fedora mailing-list ;)
>
>
> ----------
>
> Mathieu Bridon (bochecha)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>
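As an added example (not code from either poster): a small POSIX shell helper that triages the `rpm -Va` and `rpm -qf` output described above, so that only content changes to non-config files and files owned by no package are reported. It assumes rpm's standard verify-line format (`SM5DLUGTP [type] path`, or `missing [type] path`) and the "is not owned by any package" wording of `rpm -qf`; the directory list in `audit_host` is an assumption.

```shell
#!/bin/sh
# Triage `rpm -Va` output read on stdin. Verify lines look like
#   S.5....T.  c /etc/ssh/sshd_config      (flags, optional type, path)
#   missing      /usr/sbin/baz
# Flag positions: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' means unchanged.
# Config (c) and documentation (d) files are expected to differ after
# install, so they are skipped; a changed digest on anything else, or a
# missing file, is what an auditor wants to look at.
rpm_verify_triage() {
    awk '
        NF == 0 { next }
        {
            path = $NF
            type = (NF == 3) ? $2 : ""
            if (type == "c" || type == "d") next
            if ($1 == "missing") { print "MISSING " path; next }
            if (substr($1, 3, 1) == "5") print "MODIFIED " path
        }'
}

# Filter `rpm -qf` output read on stdin down to files that belong to
# no installed package; rpm prints
#   file /usr/local/bin/x is not owned by any package
# for each such file, which is the case the original question worries about.
rpm_unowned_from_qf() {
    sed -n 's/^file \(.*\) is not owned by any package$/UNOWNED \1/p'
}

# Run both checks against the live host. The directories are an assumed
# starting list of places executables and root-run scripts usually live;
# extend it for the host in question.
audit_host() {
    rpm -Va 2>/dev/null | rpm_verify_triage
    find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
         /etc/cron.d /etc/cron.daily /etc/init.d -type f -print0 2>/dev/null \
        | xargs -0 rpm -qf 2>/dev/null | rpm_unowned_from_qf
}
```

Source the file and call `audit_host` as root on the host being reviewed; the two filter functions can also be fed saved `rpm` output from another machine.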