
online checksum verification for FreeBSD


Elmar Stellnberger

Mar 10, 2010, 9:22:32 AM
to freebsd-...@freebsd.org

I believe it would be highly desirable to have an online md5sum
verification for FreeBSD as this is already implemented by checkroot
(http://www.elstel.com/checkroot/) for openSUSE. This is often the only
way to spot an intrusion. Keeping external md5sum lists is very tedious
and error prone as soon as you want to apply updates. You need to fully
verify your system before every single update because otherwise you may
store the checksums of files that have already been altered by
intruders. Forgetting this once makes any further checks useless i.e.
you would have to install from scratch.
Does anyone know whether a similar tool could be implemented for FreeBSD?
The only thing that I have found about it is:
"DS Compare the system against a "known good" index of the installed
release.'"
However this known good index would need to be stored on a FreeBSD
server because everything that is stored locally can be altered by an
intruder. In the case of openSUSE it is sufficient to download the
package headers of all installed packages because they contain the
md5sums of the files that are installed. Keeping md5sum lists on a
server would be an alternative solution as proposed in
https://features.opensuse.org/306508.
For those of us who are building their own ports something like the
openSUSE build service for FreeBSD
(https://features.opensuse.org/308617) could leverage the usage of such
a security tool for all packages although checking the core packages
will be most important so far in order to detect rootkits (which are not
publicly known so far).

Best Regards,
Elmar

P.S.: Please do also send responses to my email as I am not subscribed yet.

Elmar Stellnberger

Mar 10, 2010, 10:59:13 AM
to Peter Jeremy, freebsd-...@freebsd.org

>> The only thing that I have found about it is:
>> "DS Compare the system against a "known good" index of the installed
>> release.'"
>
> As well as freebsd-update(8), the FreeBSD base system includes
> mtree(8) - which can be used to generate and check file hashes. Other
> tools, such as tripwire, are available in the ports tree.
>

As far as I am informed freebsd generates the checksums right after
installation. However this is absolutely useless for a tool like
checkroot that aims at an online checksum verification.


> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elm...@gmail.com> wrote:


>> I believe it would be highly desirable to have an online md5sum
>> verification for FreeBSD as this is already implemented by checkroot
>> (http://www.elstel.com/checkroot/) for openSUSE.
>

> You are welcome to adapt your tool to support FreeBSD and have it
> included in the ports system.

Could anyone help me in how to obtain online checksums (md5 or better
sha1) for the files of every installed package?


>
> That said, it's unclear that your tool offers any benefits over
> the freebsd-update(8) tool that is part of the FreeBSD base system.
>

You seem to be really ignorant about the issues I have pointed out about
online/offline checksums:
* offline checksums require some security tool having been installed in
  advance. Most users simply don't have tripwire or sth. else installed
  but are nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain:
  They require a full system verification in advance to any new update
  being followed by a new checksum backup
  If you just forget that once you can throw your system away.
  Now do also think about applying a single update or about updating
  regularly which should be recommended for reasons of security.


> Note that an
> intruder could equally easily modify the checkroot executable unless
> it is also stored on read-only media.

Yes I have clearly pointed this out on my web site. The tool will of
course not be useful as long as it is not invoked from out of a boot CD.
Concerning me I do always have a current boot CD handy - and be it just
for reinstalling the boot loader.


>
> I notice that your tool only appears to store MD5 hashes - I presume
> you are aware that the MD5 algorithm has been shown to have a number
> of weaknesses and is not recommended for new applications. This
> is why FreeBSD has moved to using a combination of MD5 and SHA256.

Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
for FreeBSD.
For openSUSE I had to use what has been available.

Peter Jeremy

Mar 10, 2010, 1:53:28 PM
to Elmar Stellnberger, freebsd-...@freebsd.org
On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elm...@gmail.com> wrote:
> I believe it would be highly desirable to have an online md5sum
>verification for FreeBSD as this is already implemented by checkroot
>(http://www.elstel.com/checkroot/) for openSUSE.

You are welcome to adapt your tool to support FreeBSD and have it
included in the ports system.

That said, it's unclear that your tool offers any benefits over
the freebsd-update(8) tool that is part of the FreeBSD base system.

>The only thing that I have found about it is:
>"DS Compare the system against a "known good" index of the installed
>release.'"

As well as freebsd-update(8), the FreeBSD base system includes
mtree(8) - which can be used to generate and check file hashes. Other
tools, such as tripwire, are available in the ports tree.

>However this known good index would need to be stored on a FreeBSD
>server because everything that is stored locally can be altered by an
>intruder.

This isn't completely true - the known good index could be stored on
read-only media - CD-ROM or write-protected floppy. Note that an
intruder could equally easily modify the checkroot executable unless
it is also stored on read-only media. (And even a statically linked
checkroot won't protect against a suborned kernel).

I notice that your tool only appears to store MD5 hashes - I presume
you are aware that the MD5 algorithm has been shown to have a number
of weaknesses and is not recommended for new applications. This
is why FreeBSD has moved to using a combination of MD5 and SHA256.

Also, your website mentions DSA is unsafe. Could you please provide
a reference for this claim as I am unaware of any results suggesting
that DSA is less secure than RSA.

--
Peter Jeremy

Daniel Roethlisberger

Mar 10, 2010, 5:18:01 PM
to freebsd-...@freebsd.org, Elmar Stellnberger
Elmar Stellnberger <elm...@gmail.com> 2010-03-10:

> > I notice that your tool only appears to store MD5 hashes - I presume
> > you are aware that the MD5 algorithm has been shown to have a number
> > of weaknesses and is not recommended for new applications. This
> > is why FreeBSD has moved to using a combination of MD5 and SHA256.
>
> Yes, we should use SHA-1 (or possibly a combination of SHA-1
> and MD5) for FreeBSD. For openSUSE I had to use what has been
> available.

SHA-1 is not recommended for new applications either. You should
probably use SHA-256.

Peter Jeremy <peter...@acm.org> 2010-03-10:


> Also, your website mentions DSA is unsafe. Could you please
> provide a reference for this claim as I am unaware of any
> results suggesting that DSA is less secure than RSA.

That claim might be based on the fact that original DSS limited
DSA key size to 1024 bits. Since 2k and 3k DSA is available
these days, the claim that DSA is unsafe seems outdated.

--
Daniel Roethlisberger
http://daniel.roe.ch/
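
The offline-index workflow debated in the messages above, as an added illustration that is not part of the thread, of checkroot, or of any FreeBSD tool: a tree is compared against a known-good SHA-256 index, and the index is only refreshed after an update if the pre-update check was clean. All function names and the sample tree are constructed for this sketch; in practice the index would be kept off-host or on read-only media and the check run from trusted boot media.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_index(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def verify(root, known_good):
    """Report every deviation of the tree from the known-good index."""
    cur = build_index(root)
    return {
        "modified": sorted(p for p in known_good if p in cur and cur[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in cur),
        "added": sorted(p for p in cur if p not in known_good),
    }

def rebaseline_after_update(root, known_good, apply_update):
    """Verify before updating; refuse so altered files never enter the new index."""
    report = verify(root, known_good)
    if any(report.values()):
        raise RuntimeError(f"refusing to re-baseline: {report}")
    apply_update(root)
    return build_index(root)

def demo():
    """Constructed sample tree: one clean update, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin/ls").write_bytes(b"ls v1")
        (root / "bin/ps").write_bytes(b"ps v1")
        index = rebaseline_after_update(  # stands in for the off-host index
            root, build_index(root), lambda r: (r / "bin/ls").write_bytes(b"ls v2"))
        (root / "bin/ps").write_bytes(b"tampered")      # simulated modification
        (root / "bin/.hidden").write_bytes(b"dropped")  # simulated extra file
        return verify(root, index)

if __name__ == "__main__":
    print(demo())
```
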

Julian Elischer

Mar 10, 2010, 6:09:43 PM
to Elmar Stellnberger, freebsd-...@freebsd.org
> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"


all that is not to say it's a bad idea, just that people
are interested to see what the advantages are etc.

Elmar Stellnberger

Mar 11, 2010, 12:35:49 AM
to freebsd-...@freebsd.org, Julian Elischer
Julian Elischer wrote:
If one must not say that it is a bad idea then I would conclude the idea
to be good.
However ranting without giving reasons would really have been amiss.
Those of us who want to crack into the systems of innocent users will
of course not welcome the tool because it gives them a viable way to defend.
To me there is simply no alternative to an online checksum verification
due to its clear advantages.
It is a crucial issue which needs to get resolved before I start to
deploy FreeBSD on my production systems and before I may decide to
engage further in the development of FreeBSD (kernel, fs, power saving).

I have received some valuable input from the openSUSE community
beforehand implementing the checkroot tool for this OS. Can anyone in
here help me or should I go on to ask on a mailing list that is better
suited to package management issues (which one to choose? -
freebsd-hackers?).

Roger Marquis

Mar 11, 2010, 12:13:04 PM
to freebsd-...@freebsd.org
Elmar Stellnberger wrote:
> I believe it would be highly desirable to have an online md5sum
> verification for FreeBSD as this is already implemented by checkroot

This is not difficult to do on a per-host basis using integrit, cron and
optionally md5 with mail, ftp or scp.

> (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> way to spot an intrusion.

Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
host. Wouldn't that make global checksums relatively useless?

Roger Marquis

Micheas Herman

Mar 11, 2010, 4:25:38 PM
to freebsd-...@freebsd.org

The second most common way I have seen packages installed is off
of one's own build server.

With the "official" packages, being used by people new to
FreeBSD.

The thing that makes people love FreeBSD is that the source that
compiled your program is right there and easy to get up to speed
on to change things, with the Make files providing a lot of
usually helpful hints.

Personally, a tripwire that was friendlier to website admins
would be really nice.

Which this somewhat tries to be, but it fails in the sense that
it does not deal with /etc/make.conf

This might actually be a reasonable business model, free if you
are using debian/centos/opensuse/"official" FreeBSD packages,
and a small annual fee to host your own checksums.

I have about 2% of my debian packages that would fail checksums
because I modified the source before compiling them.

To make your problem worse when you leave the confines of
opensuse, there is a debian utility called apt-build that
fetches the pkg source and builds it and installs the deb much
like FreeBSD ports.

You are going to have similar problems with Gentoo.

Binaries compiled -O vs -O2 produce different binaries, in the
x86 world, you can make a binary compatible with processor N and
higher, each of which produces a different checksum, for most,
but not all programs.


tripwire has clearly not progressed very quickly, and is not
used as much as it probably should be.

Also, the FreeBSD group tends to be pretty merciless in pointing
out when you make a mistake, (I made several with vinum).

Don't be discouraged, but the problem is bigger than Elmar seems
to have been assuming, but that is what makes life fun, right?

Micheas

> Roger Marquis


>

--
Habit is habit, and not to be flung out of the window by any man, but coaxed
down-stairs a step at a time.
-- Mark Twain, "Pudd'nhead Wilson's Calendar

Elmar Stellnberger

Mar 11, 2010, 1:20:08 PM
to Giancarlo Rubio, freebsd-...@freebsd.org
Giancarlo Rubio wrote:
> running on the 2 servers!!!
>
Could anyone help me in how to obtain online checksums for FreeBSD?
Then it should be no problem to port checkroot. I have received some
valuable input from the openSUSE community in this regard before
venturing the current implementation. Where do we have people who
are familiar with the package management of FreeBSD?

Micheas Herman

Mar 11, 2010, 7:18:21 PM
to freebsd-...@freebsd.org
On Thu, 2010-03-11 at 19:20 +0100, Elmar Stellnberger wrote:
> Giancarlo Rubio wrote:
> > running on the 2 servers!!!
> >
> Could anyone help me in how to obtain online checksums for FreeBSD?

Um, most FreeBSD users compile from source with a
custom /etc/make.conf file.

There are online pkgs, but I don't know of anyone that commonly uses
them. I know people use them for openoffice and a few of the
things that take a long time to download, but not commonly.

You can download the packages from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/

and run pkg_check. You might be able to extract the signature
from the package.

The packages themselves are signed. There is no separate
signature file. /etc/ssl/pkg.crt is the location of the public
key for the packages.

Basically, there are no online checksums for FreeBSD.

http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=pkg_sign

might help you.

Personally I don't bother to sign my packages because I never
install them on more than four machines and never more than a few
hours after the package was built.

If I had more FreeBSD machines to deal with, I might sign my
packages just as a best practice, but I doubt it would really do
any good, except that the machines would only accept packages
from the build server, and not upstream without squawking.


I hope this points you in a helpful way.

Micheas


> Then it should be no problem to port checkroot. I have received some
> valuable input from the openSUSE community in this regard before
> venturing the current implementation. Where do we have people who
> are familiar with the package management of FreeBSD?
>


--
I was gratified to be able to answer promptly, and I did. I said I didn't know.
-- Mark Twain
