
Is there an easy way to boot a Debian-based Linux system from a read-only medium (say a Live Linux read-only DVD) and then use Debian's .deb checksums / signatures (?) to verify that the files installed do indeed come from properly signed Debian packages?

In other words: is it possible to boot a system from a known clean Live CD and then use Debian's package format as a "poor man's intrusion detection system"?

If so, how should I go about it?

1 Answer


The command debsums would seem to be what you're looking for.

$ debsums | head -10
/usr/lib/libaccount-plugin-1.0/providers/libaim.so                            OK
/usr/share/accounts/providers/aim.provider                                    OK
/usr/share/accounts/services/aim-im.service                                   OK
/usr/share/doc/account-plugin-aim/copyright                                   OK
/usr/lib/libaccount-plugin-1.0/providers/libfacebook.so                       OK
/usr/share/accounts/providers/facebook.provider                               OK
/usr/share/accounts/services/facebook-im.service                              OK
/usr/share/accounts/services/facebook-microblog.service                       OK
/usr/share/accounts/services/facebook-sharing.service                         OK
/usr/share/doc/account-plugin-facebook/changelog.Debian.gz                    OK

Good method for intrusion detection?

However, I would NOT view this as a poor man's intrusion detection system. I would use something like Tripwire or OSSEC if you're really serious about doing something like this. Relying on any of these types of capabilities isn't really what they were intended to do. Rather, these are more to confirm that no intentional changes were made to the system, which have now resulted in the files being out of sync.

A would-be hacker could easily "play games" and change the database that the files' checksums are checked against whether it's locally stored or online somewhere.

True intrusion detection would require that the database of checksums be kept offline and only brought into the mix when a check wanted to be performed, and it would be brought in, in a read-only mode only!
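As an added example (not part of the answer above), here is a POSIX shell function that does what debsums does by hand: it checks a mounted root against dpkg's per-package md5sums lists, and takes an optional second argument so the lists can come from a read-only copy kept off the inspected disk, as the last paragraph recommends. The mount point /mnt/target and the function name are my assumptions.

```shell
#!/bin/sh
# verify_dpkg_md5sums ROOT [SUMSDIR]
#   ROOT    - mounted (ideally read-only) filesystem under inspection
#   SUMSDIR - directory holding the *.md5sums lists; defaults to the lists
#             on the inspected disk itself, which an intruder could have
#             edited, so prefer a copy kept offline on read-only media.
# Prints one line per missing or modified file and returns non-zero if any.
verify_dpkg_md5sums() {
    root=${1:-/}
    sums=${2:-$root/var/lib/dpkg/info}
    bad=0
    for list in "$sums"/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=${list##*/}
        pkg=${pkg%.md5sums}
        # dpkg format: "<md5hex>  <path relative to />"
        while read -r expected path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                printf '%s: /%s MISSING\n' "$pkg" "$path"
                bad=$((bad + 1))
                continue
            fi
            actual=$(md5sum "$file" | cut -d' ' -f1)
            if [ "$actual" != "$expected" ]; then
                printf '%s: /%s FAILED\n' "$pkg" "$path"
                bad=$((bad + 1))
            fi
        done < "$list"
    done
    printf 'files with problems: %d\n' "$bad"
    [ "$bad" -eq 0 ]
}

# Typical use from a live medium, with the system disk mounted read-only
# and a trusted copy of the md5sums lists on a separate read-only volume:
#   verify_dpkg_md5sums /mnt/target /media/trusted-sums
```

Only files listed in the md5sums lists are covered, so files an intruder adds, or packages whose list is absent, are not flagged; that is the same limitation debsums has.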
