Michel Wilson wrote:

> On Thu, Mar 25, 2004 at 10:32:05AM -0600, Andrew Gaffney wrote:
>
>>Michel Wilson wrote:
>>I tried to write a Perl script to do this, but I ran into problems. Of
>>course, that was when I'd only been using Perl for 3 months. I'd probably
>>be able to do it better now. One thing I was having problems with was
>>binaries that had been prelinked. If you run prelink a certain way, it can
>>give you the MD5SUM of the original binary, which is what portage does when
>>unmerging a package. It didn't always work right for me, though. Maybe I'll
>>try again.
>
> Well, as you said, it is possible to get the original md5sum, so the
> integrity-checker should be able to do this as well.

I'm probably gonna start on a rewrite of my scanner that can handle a non-prelinked system
just fine. When that's working, I'll add in prelink support. Something like:

    # On-disk MD5 differs from portage's record: it may just be prelink.
    if ($portagefilemd5 ne $justcheckedmd5) {
        # List-form open avoids the shell, so a crafted filename can't inject commands.
        open(my $ph, '-|', 'prelink', '--md5', $currentfile)
            or die "prelink: $!";
        # prelink --md5 prints "md5  path" like md5sum; keep only the hash field.
        my ($prelinkmd5) = split ' ', scalar <$ph>;
        close $ph;
        if (!defined $prelinkmd5 || $prelinkmd5 ne $portagefilemd5) {
            print "MODIFIED FILE: $currentfile\n";
        }
    }

>>>The major advantage of this integrated system would be that the integrity
>>>information can be automatically updated if the user installs a new
>>>package. Normally, with Tripwire, system maintenance is a nuisance. Every
>>>time a new package is installed, Tripwire will generate false alarms.
>>>Or, at least, when I used it it did, because I always forgot to update
>>>the database...
>>
>>That's the problem with using tripwire on a Gentoo system. It's meant for a
>>system that doesn't change, which obviously isn't Gentoo. What if someone
>>compromises your system after your last run of tripwire (not the updater)
>>and before you emerge a package and update the database? The
>>compromise would go unnoticed.
>
> Good point. Well, then we should check the package before upgrading it,
> or check each file before we overwrite it with a new file. The first is
> probably the easiest, but then there might be a very theoretical chance
> that a file is overwritten which didn't belong to the old version of the
> package. I don't know if such a situation would ever happen, though.

Should it really be this difficult to get something like tripwire to work properly? Gentoo
needs a custom tripwire-ish program that can take advantage of portage's MD5SUMs and
mtimes on all installed files. A scanner could even be added to portage as a FEATURE.
While a program like this wouldn't catch intrusions involving non-portage-installed data
files, it would catch any replaced/modified binaries/scripts. Although there would need
to be a configuration option to disable warnings on files in /etc since those are usually
modified after they are installed by portage. Or even better, there could be an option to
the program that would scan for changes in /etc and update portage's MD5SUM of the files.

-- 
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


-- 
gentoo-security@g.o mailing list
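The portage-aware scanner sketched in the message above (compare portage's recorded MD5 with the file on disk, fall back to `prelink --md5` for prelinked binaries, and either skip /etc or refresh portage's record for it), as an added example in Python rather than the poster's Perl. This is not code from the original post or from portage itself. It assumes the vdb CONTENTS line format shown in the header comment, a `prelink` binary on PATH for the fallback (the `prelink_md5` parameter exists so a test can substitute a stand-in), and goes slightly beyond the message by also checking `sym` entries and reporting files whose content is intact but whose mtime changed.

```python
"""Portage-aware integrity scanner: added example, not the poster's code.

Checks files on disk against the MD5/mtime portage records in a package's
CONTENTS file (/var/db/pkg/<cat>/<pkg>/CONTENTS), with `prelink --md5` as
the fallback for binaries that prelink has rewritten. CONTENTS line kinds:
  obj /path <md5> <mtime> | sym /path -> <target> <mtime> | dir /path
"""
import hashlib
import os
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

def parse_contents(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (kind, path, md5_or_link_target, mtime) for obj and sym lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(" ", 1)
        if len(parts) != 2:
            continue
        kind, rest = parts
        if kind == "obj":                      # rsplit: a path may contain spaces
            path, md5, mtime = rest.rsplit(" ", 2)
            entries.append((kind, path, md5, int(mtime)))
        elif kind == "sym":
            link, mtime = rest.rsplit(" ", 1)
            path, target = link.split(" -> ", 1)
            entries.append((kind, path, target, int(mtime)))
    return entries                             # 'dir' lines carry nothing to verify

def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def prelink_original_md5(path: str) -> Optional[str]:
    """MD5 of the un-prelinked binary as printed by `prelink --md5`.
    Output is md5sum-style ('<md5>  <path>'), so keep only the first field.
    argv list form: no shell, so a crafted filename cannot inject commands.
    Returns None when prelink is absent or rejects the file."""
    try:
        proc = subprocess.run(["prelink", "--md5", path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    fields = proc.stdout.split()
    return fields[0] if proc.returncode == 0 and fields else None

def scan(contents: str, root: str = "/",
         prelink_md5: Callable[[str], Optional[str]] = prelink_original_md5,
         skip_prefixes: Tuple[str, ...] = ("/etc/",)) -> Dict[str, List[str]]:
    """Compare each obj/sym entry with disk; paths under skip_prefixes
    (the 'don't warn about /etc' option) are listed but not checked."""
    report: Dict[str, List[str]] = {k: [] for k in ("modified", "missing", "touched", "skipped")}
    for kind, path, recorded, mtime in parse_contents(contents):
        if path.startswith(skip_prefixes):
            report["skipped"].append(path)
            continue
        disk = os.path.join(root, path.lstrip("/"))
        if kind == "sym":
            if not os.path.islink(disk):
                report["modified" if os.path.lexists(disk) else "missing"].append(path)
            elif os.readlink(disk) != recorded:
                report["modified"].append(path)
            continue
        if not os.path.isfile(disk):
            report["missing"].append(path)
            continue
        # Always hash: a replaced file can be given its old mtime back
        # (timestomping), so an unchanged mtime must never short-circuit this.
        if md5_of_file(disk) != recorded and prelink_md5(disk) != recorded:
            report["modified"].append(path)
        elif int(os.stat(disk).st_mtime) != mtime:
            report["touched"].append(path)     # content intact, timestamp changed
    return report

def refresh_config_entries(contents: str, root: str = "/",
                           prefixes: Tuple[str, ...] = ("/etc/",)) -> str:
    """Rewrite obj lines under `prefixes` with the MD5/mtime now on disk (the
    'update portage's MD5SUM for /etc' option). Run it only after reviewing
    those files: it blesses whatever is on disk, backdoored or not."""
    out = []
    for raw in contents.splitlines():
        parts = raw.split(" ", 1)
        if len(parts) == 2 and parts[0] == "obj":
            path = parts[1].rsplit(" ", 2)[0]
            disk = os.path.join(root, path.lstrip("/"))
            if path.startswith(prefixes) and os.path.isfile(disk):
                out.append(f"obj {path} {md5_of_file(disk)} {int(os.stat(disk).st_mtime)}")
                continue
        out.append(raw)
    return "\n".join(out)
```

Two caveats worth keeping in mind with this design. First, the reference hashes live in /var/db/pkg on the same writable filesystem as the files they vouch for, so an attacker with root can edit CONTENTS just as easily as a Tripwire database left on the host; it only answers "did this change behind portage's back", not "is the record itself trustworthy". Second, `refresh_config_entries` deliberately takes whatever is on disk as the new baseline, which is exactly the window the quoted discussion worries about, so it belongs after a manual review of /etc, never in a cron job.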