[Gllug] coreutils checksums

John Edwards john at cornerstonelinux.co.uk
Mon Jun 13 13:49:16 UTC 2011


On Mon, Jun 13, 2011 at 02:27:05PM +0100, James Courtier-Dutton wrote:
<snip>
> I use that fact to perform a sort of virus scan, but instead of using
> virus signatures, I just look for the checksum for each binary
> matching the checksum manifest included in the install package.
> Looking at the man page for "prelink" does seem to agree with the
> other people posting.
> "prelink" actually modifies the executable.
> I might have to update my scanner to take account of pre-link in
> future if Ubuntu or Gentoo use it in future.

Debian and Ubuntu (and probably Gentoo too) have it as an optional
package, and very little should depend on it (only thing I can think
of is some early Debian packages of Open Office).

From what I remember of prelink on Debian from many years ago, it
should only modify a package when it is installed. It does rather
reduce the effectiveness of the 'debsums' package, but you can still
use things like aide or tripwire to record the post-install checksums
of binaries.

I've a script called "adelaide" that does checks at regular intervals
and emails any changes, and I think the Debian/Ubuntu package of aide
now has something similar. Combine that with set maintenance windows
and you can be quickly alerted to any changes.

A more efficient and interesting way could be to use something like
inotify to monitor any changes to the system binaries and trigger
the scanning. Something like incron even:
	http://inotify.aiken.cz/?section=incron&page=doc&lang=en


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
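
The post-install baseline approach described in the message above (record checksums once the package, and any prelink pass, has written the binaries, then compare at intervals and report differences), as an added example that is not part of the original message and is not code from aide, tripwire or the "adelaide" script. The function names and the temporary sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, bufsize=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Return {relative path: (sha256, permission bits)} for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                mode = os.stat(full).st_mode & 0o7777
                snap[os.path.relpath(full, root)] = (sha256_file(full), mode)
    return snap

def compare(baseline, current):
    """Classify differences between the recorded baseline and the current state."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "content": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "mode": sorted(p for p in both if baseline[p][1] != current[p][1]),
    }

def demo():
    """Constructed sample tree standing in for a directory of system binaries."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data, mode=0o755):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        for name in ("ls", "cat", "true"):
            put(name, b"constructed placeholder " + name.encode())
        baseline = snapshot(root)  # taken post-install, after any prelink pass
        put("ls", b"constructed placeholder ls, modified")  # content change
        os.chmod(os.path.join(root, "cat"), 0o777)          # permission change
        os.remove(os.path.join(root, "true"))               # file removed
        put("nc", b"constructed unexpected file")           # file added
        return compare(baseline, snapshot(root))
```

In real use the baseline would be written out and kept somewhere the monitored host cannot modify, and a non-empty report outside a maintenance window is what gets mailed.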