Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] netstat-output
  • From: Peter van den Heuvel <peter@xxxxxxxxxxxxxxxx>
  • Date: Tue, 05 Dec 2000 22:39:28 +0100
  • Message-id: <3A2D6090.AD64E05B@xxxxxxxxxxxxxxxx>
Well,

I actually enjoyed the original response from John. He is taking the
effort to explain instead of complain. He also goes back to the core of
matters (ps and netstat are just that, lsof is not). He advises to use a
CD as a hash-key-reference and as such is making perfect sense. You
rather failed to explain the shortcoming of that approach. If you still
feel this is unsatisfactory, we would very much appreciate the
rationale and the real-life, practical (command-line-options-and-all)
alternative to the one proposed.

Kurt Seifried wrote:
>
> > The message just indicates that netstat can't determine the name of the
> > process - you are probably fine.
> >
> > Try cross checking the output of
> > "ps axfu" as root
> > with the output of
> > "netstat -ap", also as root
>
> Or just run lsof and look for the connections =).
>
> > netstat will (or should) give you the PIDs even when it can't identify
> > the process by name. "ps axfu" will give you a list of running processes
> > (by name and PID). You can then check the PIDs that netstat can't
> > identify with the list that ps prints out.
> >
> > To verify an installed package against a RPM, use:
> >
> > rpm -Vp packagename.rpm
>
> This of course is trivial for an attacker to circumvent, the RPM database is
> not really protected at all.
>
> > execute this from the directory the rpm package is in (i.e. from
> > /cdrom/suse/a1 or whatever). If nothing is printed out, this
> > indicates that everything is ok.
>
> Ok that's a little better but still an attacker can beat it (replace the rpm
> binary for example).
>
> > Burning updated packages onto CD-R discs is a Really Good Idea. If you
> > do this, you have some assurance that the rpm package you are using to
> > verify the installed files has not been altered.
>
> This is why the packages should all be GnuPG signed. Then as long as no-one
> tampers with the rpm binary or root's keyring you can keep the binaries at
> ftp.badcrackerz.org and still easily verify that they haven't been modified.
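The ps/netstat cross-check John describes, written out as a small POSIX shell script. This is an added example, not code from anyone in the thread: the `netstat -ap` and `ps axfu` output it parses is constructed sample text embedded in the script (the hostnames, PIDs and ports are made up), so it runs offline; on a real host you would replace the two sample functions with the live commands. It takes every socket netstat attributes to a PID, looks that PID up in the ps listing, and flags two cases the thread cares about: sockets whose PID netstat could not name but ps can (usually harmless), and sockets whose PID ps does not list at all (worth investigating, since either ps or netstat is not telling the whole story). As Kurt points out, the check is only as trustworthy as the ps, netstat and awk binaries it runs, so it belongs alongside package verification from read-only media, not in place of it.

```shell
#!/bin/sh
# Cross-check netstat's PID/Program column against ps output.
# All sample data below is constructed for this example, not captured from a host.

# Constructed stand-in for: netstat -ap  (run as root)
netstat_sample() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      612/-
tcp        0      0 0.0.0.0:2048            0.0.0.0:*               LISTEN      777/-
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 530/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           -
EOF
}

# Constructed stand-in for: ps axfu  (run as root)
ps_sample() {
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1100   480 ?        S    10:00   0:01 init
root       412  0.0  0.2   2400   900 ?        S    10:00   0:00 /usr/sbin/sshd
root       530  0.0  0.3   2600  1100 ?        S    10:05   0:00  \_ sshd: admin [priv]
root       612  0.0  0.1   1300   520 ?        S    10:00   0:00 /usr/sbin/inetd
EOF
}

# From netstat output on stdin, print "PID PROGRAM" for every socket line
# whose last column has the PID/Program form. Program is "-" when netstat
# knew the PID but not the name.
netstat_pids() {
    awk '$1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// {
        split($NF, a, "/"); print a[1], a[2]
    }'
}

# Count socket lines netstat could not attribute to any PID at all.
netstat_unattributed() {
    netstat_sample | awk '$1 ~ /^(tcp|udp)/ && $NF == "-" { n++ } END { print n + 0 }'
}

# From ps axfu output on stdin, print the COMMAND column for the given PID
# (field 2 is PID; the command starts at field 11 and may contain spaces).
ps_command() {
    awk -v pid="$1" '$2 == pid {
        for (i = 11; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# One line per netstat PID:
#   OK       - netstat named it and ps lists it
#   RESOLVED - netstat could not name it, ps supplied the command line
#   MISSING  - netstat lists the PID but ps does not (investigate)
cross_check() {
    netstat_sample | netstat_pids | while read -r pid prog; do
        cmd=$(ps_sample | ps_command "$pid")
        if [ -z "$cmd" ]; then
            echo "MISSING $pid ($prog): listed by netstat, absent from ps"
        elif [ "$prog" = "-" ] || [ -z "$prog" ]; then
            echo "RESOLVED $pid: netstat had no name, ps says: $cmd"
        else
            echo "OK $pid $prog"
        fi
    done
}

cross_check
echo "sockets with no PID at all: $(netstat_unattributed)"
```

On a real system swap `netstat_sample` for `netstat -ap` and `ps_sample` for `ps axfu`, both as root, and read every MISSING line as a question to answer before trusting the box.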
