| 1 |
Michel Wilson wrote: |
| 2 |
> On Thu, Mar 25, 2004 at 10:32:05AM -0600, Andrew Gaffney wrote: |
| 3 |
> |
| 4 |
>>Michel Wilson wrote: |
| 5 |
>>I tried to write a Perl script to do this, but I ran into problems. Of |
| 6 |
>>course, that was when I'd only been using Perl for 3 months. I'd probably |
| 7 |
>>be able to do it better now. One thing I was having problems with was |
| 8 |
>>binaries that had been prelinked. If you run prelink a certain way, it can |
| 9 |
>>give you the MD5SUM of the original binary, which is what portage does when |
| 10 |
>>unmerging a package. It didn't always work right for me, though. Maybe I'll |
| 11 |
>>try again. |
| 12 |
> |
| 13 |
> Well, as you said, it is possible to get the original md5sum, so the |
| 14 |
> integrity-checker should be able to do this as well. |
| 15 |
|
| 16 |
I'm probably gonna start on a rewrite of my scanner that can handle a non-prelinked system |
| 17 |
just fine. When that's working, I'll add in prelink support. Something like: |
| 18 |
|
| 19 |
if($portagefilemd5 ne $justcheckedmd5) { |
| 20 |
$prelinkmd5 = `prelink --md5 $currentfile`; |
| 21 |
chomp $prelinkmd5; |
| 22 |
if($prelinkmd5 ne $portagefilemd5) { |
| 23 |
print "MODIFIED FILE: $currentfile\n"; |
| 24 |
} |
| 25 |
} |
| 26 |
|
| 27 |
>>>The major advantage of this integrated system would be that the integrity |
| 28 |
>>>information can be automatically updated if the user installs a new |
| 29 |
>>>package. Normally, with Tripwire, system maintenance is a nuisance. Every |
| 30 |
>>>time a new package is installed, Tripwire will generate false alarms. |
| 31 |
>>>Or, at least, when I used it it did, because I always forgot to update |
| 32 |
>>>the database... |
| 33 |
>> |
| 34 |
>>That's the problem with using tripwire on a Gentoo system. It's meant for a |
| 35 |
>>system that doesn't change, which obviously isn't Gentoo. What if someone |
| 36 |
>>compromises your system after your last run of tripwire (not the updater) |
| 37 |
>>and before when you emerge a package and update the database. The |
| 38 |
>>compromise would go unnoticed. |
| 39 |
> |
| 40 |
> Good point. Well, then we should check the package before upgrading it, |
| 41 |
> or check each file before we overwrite it with a new file. The first is |
| 42 |
> probably the easiest, but then there might be a very theoretical chance |
| 43 |
> that a file is overwritten which didn't belong to the old version of the |
| 44 |
> package. I don't know if such a situation would ever happen, though. |
| 45 |
|
| 46 |
Should it really be this difficult to get something like tripwire to work properly? Gentoo |
| 47 |
needs a custom tripwire-ish program that can take advantage of portage's MD5SUM's and |
| 48 |
mtime's on all installed files. A scanner could even be added to portage as a FEATURE. |
| 49 |
While a program like this wouldn't catch intrusions involving non-portage-installed data |
| 50 |
files, it would catch any replaced/modified binaries/scripts. Although, there would need |
| 51 |
to be a configuration option to disable warnings on files in /etc since those are usually |
| 52 |
modified after they are installed by portage. Or even better, there could be an option to |
| 53 |
the program that would scan for changes in /etc and update portage's MD5SUM of the files. |
| 54 |
|
| 55 |
-- |
| 56 |
Andrew Gaffney |
| 57 |
Network Administrator |
| 58 |
Skyline Aeronautics, LLC. |
| 59 |
636-357-1548 |
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
gentoo-security@g.o mailing list |
Archives