[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux last straw

Les Mikesell wrote:
Jacques B. wrote:

You can't honestly suggest that there should be a tool that can check
your entire system for any evidence of intrusion and fix it?

Well yes... Since there isn't a handier one, I usually do it by restoring a backup from a time when I trusted the machine into a subdirectory of some other machine, then running rsync -avn against the live one to see what has changed.

That might not be good enough. 'rsync -a' will skip more thorough checks if two files size and mod times match. An attacker could fairly easily produce a binary of the same size, and fix the mod time after installation.

If you add '-I', then rsync will report comparing all of the files in your system, so that's no good either. You probably need to use a backup copy of the rpm database to do an 'rpm -Va' to verify your system files.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]