Re: veriexec mishap after system update

[Brett Lymn <blymn%baesystems.com.au@localhost>]

On Wed, Aug 05, 2009 at 01:49:46AM +0300, Stathis Kamperis wrote:
> 
> After a system upgrade, I forgot (although I usually do) to re-run
> veriexecgen and I ended up with an unusable system. During boot, some
> binaries, which were updated, generated hash mismatches (reasonable)
> and I couldn't even login. I had to hard reset the system, boot up
> single user mode, fsck my partitions, edit rc.conf to not load
> veriexec, reboot, regenerate the hashes and enable it again in
> rc.conf.
> 

Well, at least you know it is effective ;) (you have to allow me a bit
of humour here... I cannot count the number of times some bug or other
caused me the same sort of grief when I was developing veriexec)

> It is doable, it's just inconvenient. I think it should be documented
> or perhaps be automated in some way.
> 

Documented, yes, automated no.  I strongly believe that this sort of
security enforement needs to be thought about when updating.

I think another bullet point in the "things to remember" section would
probably be a good approach.

-- 
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."