online checksum verification for FreeBSD

I believe it would be highly desirable to have an online md5sum verification for FreeBSD as this is already implemented by checkroot (http://www.elstel.com/checkroot/) for openSUSE. This is often the only way to spot an intrusion.

Keeping external md5sum lists is very tedious and error prone as soon as you want to apply updates. You need to fully verify your system before every single update because otherwise you may store the checksums of files that have already been altered by intruders. Forgetting this once makes any further checks useless i.e. you would have to install from scratch.

Does anyone know whether a similar tool could be implemented for FreeBSD? The only thing that I have found about it is:
"DS Compare the system against a "known good" index of the installed release.'"
However this known good index would need to be stored on a FreeBSD server because everything that is stored locally can be altered by an intruder.

In the case of openSUSE it is sufficient to download the package headers of all installed packages because they contain the md5sums of the files that are installed. Keeping md5sum lists on a server would be an alternative solution as proposed in https://features.opensuse.org/306508.

For those of us who are building their own ports something like the openSUSE build service for FreeBSD (https://features.opensuse.org/308617) could leverage the usage of such a security tool for all packages although checking the core packages will be most important so far in order to detect rootkits (which are not publicly known so far).

Best Regards,
Elmar

P.S.: Please do also send responses to my email as I am not subscribed yet.
>> The only thing that I have found about it is:
>> "DS Compare the system against a "known good" index of the installed
>> release.'"
>
> As well as freebsd-update(8), the FreeBSD base system includes
> mtree(8) - which can be used to generate and check file hashes. Other
> tools, such as tripwire, are available in the ports tree.

As far as I am informed freebsd generates the checksums right after installation. However this is absolutely useless for a tool like checkroot that aims at an online checksum verification.

> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel@gmail.com> wrote:
>> I believe it would be highly desirable to have an online md5sum
>> verification for FreeBSD as this is already implemented by checkroot
>> (http://www.elstel.com/checkroot/) for openSUSE.
>
> You are welcome to adapt your tool to support FreeBSD and have it
> included in the ports system.

Could anyone help me in how to obtain online checksums (md5 or better sha1) for the files of every installed package?

> That said, it's unclear that your tool offers any benefits over
> the freebsd-update(8) tool that is part of the FreeBSD base system.

You seem to be really ignorant about the issues I have pointed out about online/offline checksums:
* offline checksums require some security tool having been installed in advance. Most users simply don't have tripwire or sth. else installed but are nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain: They require a full system verification in advance to any new update being followed by a new checksum backup. If you just forget that once you can throw your system away. Now do also think about applying a single update or about updating regularly which should be recommended for reasons of security.

> Note that an
> intruder could equally easily modify the checkroot executable unless
> it is also stored on read-only media.

Yes I have clearly pointed this out on my web site. The tool will of course not be useful as long as it is not invoked from out of a boot CD. Concerning me I do always have a current boot CD handy - and be it just for reinstalling the boot loader.

> I notice that your tool only appears to store MD5 hashes - I presume
> you are aware that the MD5 algorithm has been shown to have a number
> of weaknesses and is not recommended for new applications. This
> is why FreeBSD has moved to using a combination of MD5 and SHA256.

Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5) for FreeBSD. For openSUSE I had to use what has been available.
On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel@gmail.com> wrote:
> I believe it would be highly desirable to have an online md5sum
> verification for FreeBSD as this is already implemented by checkroot
> (http://www.elstel.com/checkroot/) for openSUSE.

You are welcome to adapt your tool to support FreeBSD and have it included in the ports system. That said, it's unclear that your tool offers any benefits over the freebsd-update(8) tool that is part of the FreeBSD base system.

> The only thing that I have found about it is:
> "DS Compare the system against a "known good" index of the installed
> release.'"

As well as freebsd-update(8), the FreeBSD base system includes mtree(8) - which can be used to generate and check file hashes. Other tools, such as tripwire, are available in the ports tree.

> However this known good index would need to be stored on a FreeBSD
> server because everything that is stored locally can be altered by an
> intruder.

This isn't completely true - the known good index could be stored on read-only media - CD-ROM or write-protected floppy. Note that an intruder could equally easily modify the checkroot executable unless it is also stored on read-only media. (And even a statically linked checkroot won't protect against a suborned kernel).

I notice that your tool only appears to store MD5 hashes - I presume you are aware that the MD5 algorithm has been shown to have a number of weaknesses and is not recommended for new applications. This is why FreeBSD has moved to using a combination of MD5 and SHA256.

Also, your website mentions DSA is unsafe. Could you please provide a reference for this claim as I am unaware of any results suggesting that DSA is less secure than RSA.

--
Peter Jeremy
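
The check discussed in the messages above (a file tree compared against a known-good index kept off the host or on read-only media), as an added example that is not part of the thread and is not checkroot, mtree or freebsd-update code. The index format (`<sha256 hex>  <relative path>` per line), the function names and the sample tree are assumptions; SHA-256 is used here rather than MD5.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Assumed index format: '<sha256 hex>  <relative path>' per line."""
    pairs = (ln.split(None, 1) for ln in text.splitlines() if ln.strip())
    return {path.strip(): digest.lower() for digest, path in pairs}

def verify_tree(root, manifest):
    """Return (modified, missing, extra) lists of paths relative to root."""
    modified, missing, extra = [], [], []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.lexists(full):
            missing.append(rel)
        elif os.path.islink(full) or not os.path.isfile(full):
            modified.append(rel)  # regular file replaced by a link or directory
        elif sha256_file(full) != expected:
            modified.append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                extra.append(rel)  # present on disk, absent from the index
    return modified, missing, sorted(extra)

def demo():
    root = tempfile.mkdtemp()  # constructed sample tree, altered after indexing
    clean = {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1", "sbin/init": b"init-v1"}
    for rel, data in clean.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Index computed from the clean content; in practice it lives off-host.
    index = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in clean.items())
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"ps-altered")  # changed content
    os.remove(os.path.join(root, "sbin/init"))  # removed file
    with open(os.path.join(root, "bin/.hidden"), "wb") as f:
        f.write(b"added")  # file not in the index
    return verify_tree(root, parse_manifest(index))
```

The result is only as trustworthy as the environment running it, which is why the thread insists on boot media for the verifier and on an index the host itself cannot rewrite.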
Elmar Stellnberger wrote:
> I believe it would be highly desirable to have an online md5sum
> verification for FreeBSD as this is already implemented by checkroot

This is not difficult to do on a per-host basis using integrit, cron and optionally md5 with mail, ftp or scp.

> (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> way to spot an intrusion.

Unlike SuSE and Solaris, FreeBSD is most often compiled on the local host. Wouldn't that make global checksums relatively useless?

Roger Marquis
Giancarlo Rubio wrote:
> running on the 2 servers!!!
>

Could anyone help me in how to obtain online checksums for FreeBSD? Then it should be no problem to port checkroot. I have received some valuable input from the openSUSE community in this regard before venturing the current implementation. Where do we have people who are familiar with the package management of FreeBSD?
Unfortunately pkg_check&sign do not seem to exist any more: from 8.0 relnotes: "The pkg_sign and pkg_check utilities for cryptographically signing FreeBSD packages have been removed. They were only useful for packages compressed using gzip(1); however bzip2(1) compression has been the norm for some time now. Besides this I would need pkg_sign to take the checksums from the respective .tbz instead of the local file system. " For sha1, it checksums the file and verifies that the result matches the list of checksums recorded in /var/db/pkg/SHA1."

Moreover I would need a script that just downloads the package headers; not the whole packages because otherwise the check procedure would last aeons.

I thought there was a version of bzip2 that did signing/encrypting but guess not ... in any case it is not what freebsd uses

That way it seems to me as the easiest viable way to simply provide external checksum lists as the package management depeers a proper checksum handling. Such lists do already exist for Windows and OSX. That way we would not even need a new tool; just checksum lists the user can verify himself. For Linux on the other hand checksums are provided by the package headers so that we do not need separate checksum lists.

> > You can download the packages from:
> > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/
> > and run pkg_check You might be able to extract the signature
> > from the package.
> > The packages themselves are signed. There is no separate
> > signature file. /etc/ssl/pkg.crt is the location of the public
> > key for the packages.
>

P.S.: Sorry for my late reply I must have overlooked your message as I have not been subscribed to freebsd-security.