Known-Good MD5 Database 309
bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."
Yes, in fact, I have! (Score:4, Funny)
Re:Yes, in fact, I have! (Score:5, Interesting)
[ This is a story about why getting "good" checksums to start with is very important. ]
On a related topic: Ever examined a system you didn't think was broken into, and were sure?
The sysadmins at my old school did. And they were wrong.
You see, they connected a new box, the replacement main server, to the LAN, and used an easily-guessable password convention for staff accounts, PRIOR TO RUNNING TRIPWIRE on it. Seems "someone" got in and changed a few key binaries, THEN the admins ran Tripwire. Periodically, when the system got munged and a restore was required, they'd restore the original tapes, Tripwire would yell about a few binaries (including some innocuous distractors), and the admins would dutifully go to backups, find the modified binaries and restore them, figuring they had to be right, because of course, they matched the Tripwire signatures.
Ya gotta love self-repairing back doors when you're a student at the mercy of admins who work 9-5 M-F, NFS and lpd subsystems that croak only after 10pm or on weekends, and newbies who fill up file systems.
The local 3-person student root cabal used these back doors for several years, until the machine was replaced. AFAIK, the admins never knew. They had spent much of my undergrad time trying to find SOMETHING I'd done, to punish me for, so if they'd known about this...
What about source builds? (Score:5, Insightful)
Re:What about source builds? (Score:2)
Re:What about source builds? (Score:5, Insightful)
Indeed; the capability of such a system is a bit limited with operating systems like FreeBSD, which actively *encourage* their users to build/rebuild from sources. IIRC, FreeBSD actually only gives intermediate security updates in source code format so you have to compile them (not too hard: cd /usr/src ; make buildworld).
So, recording the checksum to /bin/ls, etc. is a bit flawed in that when I do a "make buildworld", my custom configuration parameters from /etc/make.conf get used, overriding CPU type, if Xfree86 is installed, etc. Since my system's parameters likely will not match FreeBSD's master build system, there is a high chance that the checksums after I do a rebuild are significantly different.
But for non-source distributions (Redhat, etc.) this concept is excellent, assuming that no one compromises the database or the OS kernel. Unfortunately, no database checksummer will ever counteract the case when the OS kernel itself is compromised, potentially returning one file when scanned and another when executed.
Still, it wouldn't hurt for them to record source file checksums as well; after all, having an independant checksumming group would require them to be compromised as well as the FTP network, making an attacker's life harder.
Re:What about source builds? (Score:4, Insightful)
In fact, this system would be best suited for systems which aren't OSS... such as windows =)
crowd boos... stones and rotten tomatoes fly as author runs for cover
Re:What about source builds? (Score:3, Interesting)
Re:What about source builds? (Score:4, Informative)
It *is* checked for *some* critical system images however... I know for sure that some files in /system32 (so called 'KnownDlls') are among this list.
Note though, that this checksum is to prevent accidental data corruption and not maintain system security integrity; since the checksum field is actually in the file itself, it can be updated after a virus/haxxor has patched the target file.
Re:What about source builds? (Score:2)
There are some significant problems with their database however:
1. It's huge. They have a single giant flat file with SHA-1, MD5, MD4, and CRC-32 values. Right now the file, when uncompressed, is over 1GB.
2.Over 42% of the entries are duplicates. I found this out by running sort -Uf on it.
3. Many of the files were hashed before installation. The MD5s for these files often change the installation process.
Re:What about source builds? (Score:2)
Re:What about source builds? (Score:3, Insightful)
Re:What about source builds? (Score:3, Insightful)
Because the default /bin/ls is lowest common denominator. As for a waste of time...
I can afford the 1.59 seconds.
sh
Re:What about source builds? (Score:2, Interesting)
307: if (f_sortacross)
308: base = 0;
309: for (row = 0; row < numrows; ++row) {
310: endcol = colwidth;
311: if (!f_sortacross)
312: base = row;
It is obvious how a compiler may think base could be used uninitialised, but clearly it never is.
sh
Re:What about source builds? (Score:2, Interesting)
You've only proven my point, by thinking exactly what the compiler has. However, if you follow the code up (it's a bit spaghetti-like, computing the number of columns and stuff) you will see that numrows cannot be zero.
sh
Re:What about source builds? (Score:3, Insightful)
Re:What about source builds? (Score:5, Informative)
Sheesh, dosen't anyone read old ACM articles?
http://www.acm.org/classics/sep95/
At some point, unless you build your system from scratch, cross compile on multiple systems, burn your own BIOS ROM, and write the microcode for your NIC and all other interface devices, you are trusting *SOMEONE ELSE* for the security of your system.
Re:What about source builds? (Score:2)
Even worse, if you use, say, FreeBSD, and you build from some cvs tag other than RELENG_4_7_RELEASE or so (I use RELENG_4), chances are you've got quite a few small deltas dotted around the system -- something like this would need to track md5 changes of not just releases, but of the -STABLE branch (at every commit) to be useful to me -- and you've still got the security branches (RELENG_4_[1-7]) to worry about.
It's hard, even without getting into handling the various differences compiling can introduce -- compilation date timestamps, alternate build options, etc.
Re:Furthermore, (Score:3, Funny)
Re:Furthermore, (Score:2)
Homer : "I dunno. Coast Guard?"
-dk
What?! No Windows? (Score:2, Insightful)
Re:What?! No Windows? (Score:2)
Re:What?! No Windows? (Score:3, Interesting)
Don't worry, you'll have that soon. It's called Palladium.
As my grandmother used to say: "Be careful about what you wish for, because your wishes might come true". Wise woman.
So what about the obvious scenario... (Score:2, Insightful)
Re:So what about the obvious scenario... (Score:2)
Re:So what about the obvious scenario... (Score:2, Interesting)
What if someone hacked into the MD5 database and changed the entries?
This is definately a legitimate concern. I would be wary about this.
There is one possibility however. Even if the entries are changed maliciously, the MD5 sums might possibly be different from the rootkit that is installed. IIRC rootkits are compiled on the host machine, and this might change the MD5 sums for the rootkit. Also, there are different sources of rootkits, so that would also affect the MD5 sums and the feasibility of changing the entries.
neurostarRe:So what about the obvious scenario... (Score:4, Insightful)
This is one of those things... (Score:3, Insightful)
Absolutely fabulous, wonderful! The real trick, though, is to build up trust in your database so that those searching it will be sure that the checksums are actually correct--you know, rather than buying a burglar alarm from the robber himself. Thus, I doubt you'd be able to take submissions from users right away--at least without a competent staff checking to make sure they're correct.
Re:This is one of those things... (Score:3, Informative)
It WAS done sooner. Sun have a fingerprints
database for Solaris binaries.
Cool? (Score:2, Interesting)
ooooo nifty (Score:5, Insightful)
[devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]
Yah, yah, I know, the easiest way is to inspect the source for the minicompiler, the main compiler, and the program by hand, then build all of them step-by-step until you're done, then use the final binary to generate your hash. I wonder, tho, how much drift might there be in using a pre-built compiler (say I D/Led the binaries for GCC and the libraries to go with it). One tiny change in machine state (or any other number of things I would suppose) could result in the final binary being a single byte off, and the whole thing's a wash.
Granted, I may be talking out of my ass here, could someone w/ some hard-core coding knowledge or CS experience expound on the above?
Re:ooooo nifty (Score:2)
What about Windows OS? (Score:5, Insightful)
Considering its history of vulnerabilities, I'd think that this would be pretty important...
Re:What about Windows OS? (Score:3, Insightful)
You can't compile a explorer.exe with a nice back door added in unless you've got the source to explorer.exe.
Of course you can - it is trivial to alter the behaviour of a Windows executable; viruses do it all the time.
Append the backdoor to explorer.exe, fiddle with afew bits so the backdoor gets executed first, and find a way to drop it onto the system.
Re:What about Windows OS? (Score:2)
I thought it would work much the same way: you'd compare the DB hash with the actual hash of the file to determine its integrity (without regard to its source code).
How does this not affect Windows?
Re:What about Windows OS? (Score:2)
First, rename explorer.exe to something else. Next, create a new explorer.exe which executes whatever you want it to, and then have it execute the old explorer.exe so it behaves as normal. Transparent to most users.
Re:What about Windows OS? (Score:4, Insightful)
Also, can't people still use disassemblers to 'crack' files, and maybe add backdoors at the same time?
Both of these activities would be reflected by checksum changes.
Re:What about Windows OS? (Score:2)
Re:What about Windows OS? (Score:2)
Besides, I really don't see the problem - even with all the patches available via Windows Update, there is still a fairly small number of possible md5sum values for each file. It wouldn't take long at all to compare the computed value with each of the known good ones, only flagging a warning if they all fail to match.
Compromised /bin/md5 (Score:5, Informative)
What they don't say and what a lot of security folks forget to do is that they can't check your checksums of binaries on the same box. You need to copy the files to another box and check the checksums there with a known good version of your checksumming binary. The local version of your checksumming binary could have been compromised.
Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which it's a pain in the ass) all this website is going to do is give people a false sense of security.
Re:Compromised /bin/md5 (Score:3, Insightful)
Other replies have mentioned that it might make more sense to boot off known clean read-only media, on which you also have a copy of your checksum utility.
That said, this still provides a false sense of security. The only way to be absolutely certain that your binaries have not been compromised is the following technique:
Have all your code written by hermit programmers. They must develop their OS and all programming tools (compilers, etc.) by themselves, on a computer that has no connection to the outside world. Taking an OS from another hermit programmer is also acceptable, as long as it is conveyed by hand from one to the other.
You must know and trust all of the hermit programmers.
The hermits must live, eat, and sleep in giant vaults designed to provide physical security to them and their computers. They definitely will not have telephones.
They must develop applications from scratch--no outside data may be allowed to contaminate their pristine systems. Source code may be imported, as long as it is delivered in hard copy form and hand keyed by someone who is very security conscious.
The hermits must hand deliver the binaries of applications to you. You should have already received a copy of their pristine OS by this method.
Presto! Completely secure binaries. No trojans. No false sense of security.
Oh, unless someone finds a buffer overrun that your hermits missed. Then some kiddie will own your box. Damn.
Re:Compromised /bin/md5 (Score:3, Funny)
You'd have to have sterile hermits manufacturing CDs out of their own feces and urine (sterile) and burning code on them with laser pointers manufactured from the same source with machines made out of (you guessed it!) poop and piss.
Now you know why I hate those filthy asshole hermits.
Re:Compromised /bin/md5 (Score:2)
Re:Compromised /bin/md5 (Score:2, Funny)
Then I must be an above average programmer since I have more than one bug every seven lines!
"False" senses of security (Score:5, Insightful)
The reality of the matter is that, while it certainly would be possible for somebody to gag a machine to evade all your wascally checksumming tricks, they frequently don't do so. And when they do it, there's the usual arms-race lag between the time when a new method of checking comes out and when they update their tools to evade it. And there's a cost to them for each defense they evade; if you want to avoid every defense you ever hear of, you basically have to roll your own rootkits, which is a huge time investment.
And a kiddie who's out there collecting hundreds of boxes has no particular incentive to be anal about holding onto yours.
Fucking pompous amateurs.
Re:"False" senses of security (Score:2, Insightful)
Re:"False" senses of security (Score:2, Insightful)
If you suspect a breakin, schedule a half-hour of downtime and boot from a trusted CD, like Knoppix or the live filesystem that comes with Slackware, and check your HD from there.
And if the BIOS is trojaned?
Re:"False" senses of security (Score:2)
No kidding. I still haven't even seen people updating the RPM md5sums, and you'd think that's something that rootkits would like to do.
Sure, if you know your system has been compromised, you want to take it down and do a check with known-safe binaries, kernel, etc. But in the real world you can't do that daily on a production box, so checksumming on a live box is a reasonable solution.
Re:"False" senses of security (Score:2)
(And no, Virginia, memory protection != invulnerable.)
Re:Compromised /bin/md5 (Score:2)
You're being ridiculously pedantic about the theoretical limits of security, yet you naiively trust tar/dd/cp/NFS to copy the files correctly? You trust the drive firmware? The machine's BIOS? The CPU?
Either take the security argument to its true limits, or realize that practical choices need to be made and be quiet.
Re:Compromised /bin/md5 (Score:2)
But how can the kernel be compromised by just d/ling a binary you ask?...Exactly, it can't, the same with md5. If someone has managed to compromise md5 on your machine, youve got more problems than not being able to verify d/ld files, your machine has already been rooted.
Re:Compromised /bin/md5 (Score:2)
Wouldn't that be the whole point to running a checksum scan on your system's binaries?
*scan* Oh good, everything's fine.
-OR-
The hell? I've been r3wt3d! d00d!
I don't think this is in reference to just verification of "d/ld" files, but a method for scanning your already existing system for problems.
The most secure thing I can think of to do would be have a server box (a nice high powered full-throttle beast, imagine a beowulf cluster of THESE) and a security check box (P3 166 with 64MB RAM/8GB HD is plenty). Have a cron-triggered script and a checksumming verification program on the security box which in the middle of the night, or even at random times whenever, will bring up eth0 on the security box, mount the server's disks over NFS, check them, and then bring down eth0 so as to isolate the security box. Such a thing would probably work better with a cluster of servers, say a load-balancing system of web servers, so that only one box out of the total whole had to be down at once and the rest could still be functioning, while the box being checked is isolated by a controlable router or something. Of course that's gotta be secure, too....ARG headache
Re:Compromised /bin/md5 (Score:2)
Re:Compromised /bin/md5 (Score:2)
And what makes you think you can trust uname, or anything the kernel tells you for that matter? Mwu-ha-ha-ha...
Polymorphic files (Score:5, Informative)
A few months ago I put together a list of the "polymorphic" files in FreeBSD 4.6:
These files are always going to set off alarms if you've upgraded-by-source. (On the other hand, if a file *not* on this list has a different checksum, it probably just means that you've applied a security patch.)
md5sum Binary Might Be Trojaned (Score:5, Informative)
Filtered as a "Hacking" site (Score:4, Interesting)
config files (Score:5, Funny)
Anyone who wants to make sure their important config files haven't been changed by an intruder can email them to me, and I'll hold on to them for safe keeping.
free service (Score:2)
Sounds like a good idea, but that's all you can get for free. I have limited space and resources -- I can only keep track of so many password files and IP addresses at a time at no cost.
Erpo's "Bronze Tier" security service is available for $10 per month, and for that modest fee you can have the privilege of running Erpo Inc.'s backdoord, "The most advanced intrusion detection software on the planet." (Note, UID 0 and internet access necessary for security functions to operate effectively.) For those willing to spend $50/month for a little more peace of mind, Erpo's "Silver Tier" plus package includes eight (count them, eight) bytes of space on my hard drive for a cleartext backup of your root password. Sometimes, however, that just isn't enough. For those that need the ultimate in security, Erpo Inc. offers the most comprehensive option available anywhere: the super duper "Gold Tier" uber-premium technoblaster package with cherries on top. Clients in this elite class of service have the extreme honor of keeping their servers on-site in a musty corner of my basement (T3 and battery backup provided by client, some restrictions may apply, void where prohibited). For only $100/month, I will personally look through all of your sensitive, private data to make sure it has not been compromised by an attacker. It doesn't get any better than this, folks. Sign up today at www.er....
What? Fraud? Don't be silly.
Re:don't forget the ip address (Score:3, Funny)
Hey man... (Score:2)
Relief (Score:3, Funny)
What about a more targeted approach? (Score:2)
I'm not saying NOT to do the rest of the files, just that these (I'd think) would be the files that you'd want to check FIRST before the rest of the system.
Perhaps a separate section featuring these targeted areas?
package mangement (Score:2)
likely only handle part of the
Something's wrong here (Score:5, Insightful)
The fancy way to do that is with an Authenticode-like system for signing files. Distro maintainers would sign the files in their distros, and users could also sign their own files. A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it. Or the list could contain individual signatures per file instead of just hashes.
A centralized md5 database doesn't feel so right with the free software spirit, which says (legitimate) users could modify the files at any time, or just recompile them with a slightly different compiler, etc.
Re:Something's wrong here (Score:3, Interesting)
Chicken-and-egg...
Re:Something's wrong here (Score:2)
Perhaps some sort of rating system?
Re:Something's wrong here (Score:3, Interesting)
Basically to be really careful, you have to do the checks offline, on a separate computer, i.e. not relying on executables running on a system that's been exposed to attackers.
This is the kind of thing that the Palladium hardware should be able to help with. What Microsoft wants to do with it is evil, but it's capable of being used for good purposes too.
Re:Something's wrong here (Score:3, Informative)
Note: this is exactly what tripwire already does. Except that it also stores other file attributes as well.
Re:Something's wrong here (Score:2)
Re:Something's wrong here (Score:3, Informative)
Debian / debsums (Score:5, Informative)
It does require a legit dpkg database (and md5sum, and the debsums program itself...) but it's a nice tool.
Problems with patched OSes / custom builds (Score:2, Interesting)
Are you running BIND, Apache, wu-ftpd, or (shudder) Sendmail? If you are, your system won't be entirely in their shiny dbase for more than a month (probably more like a week) after you install. And if _you_ don't update it, someone will be kind enough to "update" some file for you soon enough...
As a test, I checked
From the dbase:
RH 7.1 - MD5: ac0b58050deb21db1ed701277521320b
RH 7.3 - MD5: 6d3abf4efc9235e4eb5dc540d61d42fa
My systems:
#1 - MD5: ac0b58050deb21db1ed701277521320b
#2 - MD5: ac0b58050deb21db1ed701277521320b
#3 - MD5: 9724525265900e5f9020de3b431425b1
#4 - MD5: 881c7af31f6f447e29820fb73dc1dd9a
#5 - MD5: 6d3abf4efc9235e4eb5dc540d61d42fa
Binary compatibility is seen for systems 1, 2, and 5, but the RH7.2 system (#4) doesn't match. System #3 is a Gentoo system, which is probably the most secure, but also the least likely to ever match with their list. I guess that's the peril of compiling your own code.
Use BITZI too! (Score:3, Informative)
goal is to gather metadata for *every* file in the
universe, and keep the data free, supported by a
related business model (and a viable, sustainable
support mechanism is GOOD), but I support this
project too, because choice and freedom are goods.
Therefore, I urge everyone to submit metadata
to both projects.
If you only submit to one, however, please submit
to bitzi, because it provides an automation API,
and uses better hashes.
Note that I have no affiliation with the Bitzi company.
Another Resource (Score:5, Informative)
The complete list of software they've checksummed can be found here: Software Listing [nist.gov] or you can use their search engine if you're looking for a specific application here: Search Engine [nist.gov]
Needs more... (Score:2)
Well this gets so complicated that by the time you've thought it all out, you really need virus scanner technology to thwart root kits. Maybe a kernel patch could run a virus scan on executable files? It would be quite difficult to tamper with the actual running kernel in memory without causing the system to lock or reboot, thus giving away that the system is being tampered with. Assuming root kits are distributed in source form, you'll need heuristic scanning to find them. This means false positives and manual overides by the system administrator.
Combination solution. (Score:3, Interesting)
Compare the MD5sums of critical files to a recent known "snapshot" of the system on RO media, which only indexes files that were changed and reconciled. Perhaps there is a list of files of which only certain byte ranges (perhaps just executable ELF sections) are checked, are some are omitted. (Other slashdotters mention caches/timestamps in certain relevant files that screw up checksums). You would have a whitelist (files which must match), then a graylist (files which meet byte-range criteria), and perhaps even a blacklist that prevents files that would normally be flagged to be ignored.
In checking full file checksums, those not explicitly listed above would fallback to a check using a HTTP get request conforming to this helpful document [knowngoods.org] these guys have offered.
And to those who were asking about other distributions: they are looking for people willing to work with them to add new distros/architectures to their database.
Bleah (Score:4, Informative)
Excellent! (Score:4, Interesting)
Now I can add a compromised md5sum to my rootkit which uses values from this site.
Go team!
Er, rpm -V? (Score:5, Informative)
From the man page for rpm:
The general form of an rpm verify command is
rpm {-V|--verify} [select-options] [--nodeps] [--nofiles] [--nomd5] [--noscripts]
Verifying a package compares information about the installed files in the package with
information about the files taken from the package metadata stored in the rpm database. Among other things, verifying compares the size, MD5 sum, permissions, type, owner and group of each file. Any discrepencies are displayed.
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
So while that's a bit cryptic, a shell script run once every x days (30? 14?) should tell you what files have changed. All you would have to do is run rpm -qa to grab a list of the packages in your system, and then loop through the list and run rpm -V for each RPM returned.
For instance, running rpm -V on two common packages, Apache and PHP, shows me the following:
# rpm -V php
S.5....T c
(php.ini has changed... which in this case means I've tweaked some of PHP's default settings.)
# rpm -V apache
S.5....T c
missing
missing
(Okay, I've changed httpd.conf, again pretty much a given, and I've removed a couple of the default files.)
I guess this website seems pretty unneeded to me. Granted, the above is just for RPM-based systems, but I'm sure Debian and ports have similar options. And to the people who have installed from source and say "What about me?", I say, first, never underestimate the power of a package management system, and second, check out CheckInstall [asic-linux.com.mx], which allows you to create an RPM or DEB just by saying "checkinstall" instead of "make install". If you feel you must compile from source, checkinstall is a necessity! Using checkinstall gives you all the benefits of a package management system while still allowing for the flexibility that compiling from source provides.
Between checkinstall and up2date, I'm a very happy Red Hat customer. I just wish more people knew about some of the truly powerful things in package management systems (such as the verify command detailed above.) Package management systems are there for a reason. Use them!
Re:Er, rpm -V? (Score:3, Insightful)
Re:Er, rpm -V? (Score:3, Informative)
For those who pointed out that the RPM database is a local database, remember, you can get those MD5 hashes from 2 other sources:
Of course, using the web site is going to be a lot more labor intensive, but it is available. Writing a script to compare hashes computed using RPMs from the CD image and comparing them to your installed binaries should be a piece of cake (using the --dump option to -ql).
Prebinding on OS X breaks checksums (Score:2, Interesting)
I'm not familiar with the Mach-O file format, but I'd guess that the changes are confined to a small part of the file. But if you could just checksum the code sections, that might work.
On the other hand, talking about libraries makes me think. Don't forget to check the libraries. If I trojan libc, I'll be getting all kinds of control while leaving the program binaries unmodified.
rlwimi
how does this work? (Score:5, Funny)
$ md5
d41d8cd98f00b204e9800998ecf8427e
So I put d41d8cd98f00b204e9800998ecf8427e in the search engine and it came up with 560 hits (compared with 3170 from google).
Now it appears that someone replaced my
Does the database have a way to flag files as being bad? Sa
When I put in 3ac9bc346d736b4a51d676faa2a08a57
I should get back:
*** Trojaned openssh-3.4p1.tar.gz ****
One thing that could make this useful would be a dns like interface...
host 3ac9bc346d736b4a51d676faa2a08a57.knowngoods.org || echo bad
Re:how does this work? (Score:2)
I should get back:
*** Trojaned openssh-3.4p1.tar.gz ****
How the bloody hell will it know that? Just changing a couple of bytes in a file will completely change the checksum. There's no way of telling what the file _should_ be from the checksum.
Solaris Fingerprint Database (Score:5, Informative)
http://sunsolve.Sun.COM/pub-cgi/fileFingerprint
It contains information for:
Operating Systems
Solaris SPARC - 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris x86 - 2.1, 2.4, 2.5, 2.5.1, 2.6, Solaris 7 and Solaris 8
Solaris PPC - 2.5.1
Trusted Solaris SPARC - 2.5, 2.5.1 and 7
Trusted Solaris 7 x86
Most CDs bundled with Solaris 2.6 and later.
Patches
Nearly all released Solaris patches, including all SunSolve CDs to date. (4.0.11)
All Solaris 2.6/7 Maintenance updates.
All patches available from SunSolve.
Unbundled Products
Around 150 CDs with unbundled products are included. If you are missing any particular product, please feel free to send email and we will try to include it as soon as possible.
This is what MACs are for... (Score:2)
This would allow for protection of files not in an online database (compiled from source, for example) using only local files.
You can use a block cipher chaining mode (don't remember which one) as a MAC, or use say AES_k(MD5(file)), or, IIRC you can use MD5(k_1 file k_2) where k_1 and k_2 are different secret keys (check this out before using, lots of constructions like this are totally insecure), or you can use something designed as a MAC (eg RIPEMD). Any of these could be run from a shell script to quickly verify all binaries (or whatever you were protecting).
Personally.. (Score:3, Interesting)
What about AIDE? (Score:4, Interesting)
In additon to being a proper Open Source project, it allows for features that (last I heard at any rate) tripwire doesn't support, like a centralized checksum DB. That feature alone makes the tool superior (IMHO). For example it makes the verification process a lot nicer (intruder can't courrpt the local md5sum's because there aren't any).
Versions? (Score:4, Insightful)
Then I can't imagine how you would be able to automate this, so it checks all the binaries in
Doesn't seem overly useful to me....
Source distros! (Score:3, Insightful)
Nor to me, for a different reason: what about those of us with CFLAGS= set to various strange funky optimizations in Gentoo? What about the Ports system in FreeBSD, similarly?
This thing does not have the potential to spread to all distributions or all unixen.
What about historical storage? Are they really proposing to store an md5sum for
Seems mad to me. Would be better off staying with AIDE instead, IMO.
Straightforward solution (Score:4, Interesting)
On top of this I stuck in one small bit of shell script that allowed me to modify a file myself without setting off alarms - it simply recalculated the md5 value and updated the record files.
I suppose this is theoretically vulnerable to an attacker reading through
The nice thing about this code is that it also implicitly tests for corruption of critical files after fsck-triggering events like kernel panics or total power failures. (That's actually what prompted its initial writing) And it's remarkably trivial to implement, even more so if one simply copies an off-the-shelf md5 binary rather than compiling one's own wrapper.
How they check sum script files? (Score:2)
These files can contain trojan too, and most "modern" trojans are written in some interpreted script, not in C. How about detecting this?
No OpenBSD Yet (Score:2)
Re:One other thing... (Score:2)
Re:Useless for RPM-Based Distribuitons (Score:4, Interesting)
I'd also mention that it appears to be useless for BSD or Gentoo-like systems as well. BSD because it's built form source and the fingerprints won't always match, and Gentoo because there's already something like this built directly into the system, at least for verifying source tarballs.
Gentoo checks the md5sum of each tarball against another file containg the known value every time it installs something. The md5sums and the sources are obtained from different servers, so a lot of the risk of trojans is removed. Granted, this doesn't do continuous monitoring like this does, but it helps ensure you don't install something bad. The biggest worry now with this system could be vulnerable if several mirrors are hacked. They're working to replace it with a private-key signed system, which is much better than and md5 based system. The reason being that, that you can verify _who_ created the checksum in addition to that the checksum matches the file.
So, I'm not sure what the real benefit of this system is. It seems to be duplicating a lot of features that really should be built into the package manager ideally. Maybe someday we'll have package managers that actually watch their packages in realtime w/ strong crypto to make sure things are still good. That would be very cool.
Re:But what happens... (Score:4, Insightful)
Then your compromised system might apear to be clean. I have actually seen a system where that has happened. But the intruder forgot to trojan the rpm executable, "rpm -Va" revealed everything. But had the intruder trojaned the rpm executable too, that wouldn't have worked. The only secure way to use the verification tool is to boot from a readonly media and run the tool from there.
Re:But what happens... (Score:2)
This would be a useful feature addition to the rescue mode of boot CDs.
Security could/should be made more newbie-friendly.
Another thing is that with *free* platforms the distro-builders need to earn their living from services rendered, and security is as good a service as anything. With internet access being in the core of everything, couldn't the distro companies also provide optional integrity checking service over a secure connection? I could envision a write-once space for uploaded checksums against all installed packages...
Of course, once distros start creating such remote personal customer services the door opens for a host of new support and service packages (built-in webhosting etc., anyone?). Credible distro makers would probably benefit from their reputation at the expense of fly-by-night operators.
Re:But what happens... (Score:2)
Re:But what happens... (Score:2, Insightful)
That way, at the first sign of trouble, you just toss in the disk of known-good tools, with the confidence that at least that stuff is clean. Yes there are ways other than this, I'm sure, but for us non-super-guru types, it's pretty handy.
Re:You know... this brings up a question.... (Score:5, Interesting)
Both lists have a fairly good signal-to-noise ratio, and there is a lot of good info to be had.
If nothing else, it's certainly a good place to ask that exact question.
You can sign up here [securityfocus.com].