OK, back to context: We were talking about the situation when you can reasonably assume the system was compromised.
If the system is not in such a desolate state, you can run the file integrity check from about any point, including the to-be-checked system itself.
KISS
Well, then you've already failed. The compromised system can lie to you as much as it wants, including an in-memory modification of the checker program to always report success / the expected checksums / the checksums of an uncompromised system.
Sebastian, I realize that English isn't your primary language, but you really do need more practice in reading it. Take your dictionary and look up the word "removable". Then look at the word "install" and see how they relate.
Actually, I meant what I wrote - the media should not even be in the drive, on the off chance that someone tries to mount it on the off chance that something interesting/useful might be there.
md5sum works on a "per file" basis. What you _could_ do is to make an md5sum of the partition (remember, "everything is a file"), although there could be rather interesting complications if the entire partition is not mounted read-only.
We're a bit more paranoid, and anyway we're mainly rpm based. We have two individuals tasked with monitoring the security groups and downloading all errata as source packages. They then do an audit of the source before locally building the binaries and putting those onto a local updates server. For ordinary stuff, there is a nightly cron-job run on all systems that looks in the errata server, and installs anything found there. It also sends a mail with an "installed package list" to an inventory server so we can keep track of things.
A neighbor teaches UNIX at a local junior college, and the "Introduction to UNIX" class teaches basic concepts and some applications (vi, mail, man, cat, wc, more, less, sort, tr, sed, grep, cut, awk, find, regular expressions, pipes and redirections). The first two or three weeks of class (3 hour class twice a week), the students are flailing away - way over their head. By the ninth week, they are doing "one-liners" like
[compton ~]$ history | sed 's/^......//' | tr '|' '\n' | sed 's/^ *//' | cut -d' ' -f1 | sort -u | wc -l
84
[compton ~]$
He has a hand-out for 'vi' that is five pages long. The textbook used covers vi in one chapter of 48 pages. It also has 60 pages in a chapter on 'ed' and 'ex', but he just skims over that. Looking at the O'Reilly catalog, the "Learning the vi Editor, 6th Edition" (ISBN 1-56592-426-6) is 344 pages, while the chapter covering vi in 'Linux in a Nutshell' and 'UNIX in a Nutshell' is less than 15 pages.
You don't need to know everything about vi to use it effectively. Depending on what packages your distribution supplied, you might have the 'vim' clone, and that comes with
[compton ~]$ whatis vim vimtutor
vim (1) - Vi IMproved, a programmers text editor
vim [ex] (1) - Vi IMproved, a programmers text editor
vim [gvim] (1) - Vi IMproved, a programmers text editor
vim [rvi] (1) - Vi IMproved, a programmers text editor
vim [rview] (1) - Vi IMproved, a programmers text editor
vim [vi] (1) - Vi IMproved, a programmers text editor
vim [view] (1) - Vi IMproved, a programmers text editor
vimtutor (1) - the Vim tutor
[compton ~]$ rpm -qd `rpm -qa | grep ^vim` | wc -l
311
[compton ~]$
The latter command is rpm specific, but queries the installed packages that begin with the string 'vim' to count the number of files identified as "documentation" (man pages, help pages, HOWTOs, FAQs, and general information) that are installed from those packages.
The disadvantage of 'debsums' is that it only monitors the files that belong to packages. Your home directory, data for your server and so on are not checked - as the Debian package maintainers can't know what those files/directories are going to look like. There is a 'debsums_gen' tool, but that's probably not going to help either. A disadvantage of these package tools is shown in the header of the man pages:
[van-allen ~]$ whatis debsums debsums_gen
debsums (1) - check the MD5 sums of installed Debian packages
debsums_gen (8) - Generate /var/lib/dpkg/info/*.md5sums for packages lacking it
[van-allen ~]$
They only do MD5 sums. (rpm is similar, but also notes size, permissions and ownerships). Compare that to a designated integrity checker. In fact, look at the bottom of the debsums(1) man page:

    debsums is intended primarily as a way of determining what installed files have been locally modified by the administrator or damaged by media errors and is of limited use as a security tool. If you are looking for an integrity checker that can run from safe media, do integrity checks on checksum databases and can be easily configured to run periodically to warn the admin of changes see other tools such as: aide, integrit, samhain, or tripwire.

I'm aware of an application called 'fcheck(1)' which can be found on some Debian installations. It was a Perl script. Two other possibilities are 'fam' and 'gamin' - although 'fam' has gotten a reputation as a resource pig.
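The two limitations raised in this thread (a checker run on the live host can be lied to, and debsums only covers package-owned files and only records MD5) are illustrated by the following added example. It is not code from the thread or from any of the tools named in it; it is a minimal baseline/verify script in POSIX sh that assumes GNU coreutils (sha256sum, stat -c) and awk. It records a hash plus size, mode and owner for every regular file under a directory tree (so /home or server data are covered, the way rpm -V records attributes rather than a bare MD5), and it takes the tree root as an argument so the baseline can be written on a freshly installed host and later checked from rescue media against the suspect disk mounted read-only under another path. The paths /media/usb and /mnt/suspect in the comments are assumed mount points, not anything from the thread.

```shell
#!/bin/sh
# fim.sh: minimal file-integrity baseline/verify in POSIX sh.
# Added example, not code from the thread. Assumes GNU coreutils
# (sha256sum, stat -c) and awk. Each record stores a SHA-256 hash plus
# size, mode and owner:group, so data directories that package checkers
# such as debsums ignore are covered, and the tree can be a suspect
# filesystem mounted read-only from rescue media rather than the live host.

# fim_scan TREE: one record per regular file, "path<TAB>hash size mode user:group",
# sorted by path. Paths are stored relative to TREE, so a baseline taken of "/"
# matches the same files when the disk is later mounted under e.g. /mnt/suspect.
fim_scan() {
    root=${1%/}   # strip one trailing slash; "/" becomes "" so records read "/etc/passwd"
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%s %a %U:%G' "$f")   # size, octal mode, owner:group (GNU stat)
        printf '%s\t%s %s\n' "${f#"$root"}" "$sum" "$meta"
    done
}

# fim_init TREE DBFILE: write the baseline. Keep DBFILE on read-only media.
fim_init() {
    fim_scan "$1" > "$2"
}

# fim_check TREE DBFILE: compare TREE against the baseline. Prints one
# ADDED/REMOVED/CHANGED line per difference; returns 0 only if nothing differs.
fim_check() {
    db=$2
    cur=$(mktemp) || return 2
    fim_scan "$1" > "$cur"
    diff_out=$(awk -F'\t' -v db="$db" '
        FILENAME == db { base[$1] = $2; next }   # load baseline keyed by path
        {
            if (!($1 in base))       { print "ADDED   " $1 }
            else if (base[$1] != $2) { print "CHANGED " $1 }
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$db" "$cur")
    rm -f "$cur"
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1
}

# Command-line use (mount points /media/usb and /mnt/suspect are assumed):
#   sh fim.sh init  /            /media/usb/baseline.db   # on the freshly installed host
#   sh fim.sh check /mnt/suspect /media/usb/baseline.db   # later, booted from rescue media
case "${1:-}" in
    init)  fim_init  "$2" "$3" ;;
    check) fim_check "$2" "$3" ;;
esac
```

The script is deliberately not a replacement for aide or tripwire: it has no signed database, no per-directory rules, and no scheduling. Its value here is the design point the thread makes, namely that the checker and its baseline must come from media the suspect host cannot write to, and that the tree being checked is an argument, so the same baseline serves both the live root and an offline read-only mount of that root.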
I just have to thank you for your time taken. And tell you that I am going to use Aide. I have been struggling with the aide.conf for a couple of hours, and now I believe that I have a functional .conf for my desktop (haven't had time to make it for the server), but there is no way I'm going to be able to use a floppy disk - the size is almost 2MB - so I have to keep it on a USB stick instead. The advantage is that I'll be able to have several installations on that USB stick (128MB); the disadvantage is that I want to use the stick for other purposes too.