Gentoo Archives: gentoo-security

From: Andrew Gaffney <agaffney@×××××××××××.com>
To: gentoo-security <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] tripwire policy generator
Date: Thu, 25 Mar 2004 16:33:42
Message-Id: 40630985.3010301@skylineaero.com
In Reply to: Re: [gentoo-security] tripwire policy generator by Michel Wilson
Michel Wilson wrote:
> On Thu, Mar 25, 2004 at 02:06:39AM +0000, Tom Hosiawa wrote:
>
>>I've used tripwire a little bit, and I'm starting to like it.
>>
>>The biggest problem I see with it is that the default policy is set up for
>>Red Hat, not for Gentoo. I know a Gentoo policy file exists in bugzilla,
>>but I'm thinking of creating a script to generate the policy file based
>>specifically on installed packages in portage.
>>
>>So before I go ahead with this plan, I thought I'd get some feedback on my
>>ideas.
>>
>>From playing around with the policy file, I see it groups and
>>categorizes files into different security types and priorities such as
>>critical, suid, config, log, etc.
>>
>>So for every installed package, I would put it into its own group. Then
>>I would assign binary files (/bin, /usr/bin), superuser files (/sbin,
>>/usr/sbin), suid (search for them), config (/etc), log (/var/log) files
>>into their appropriate categories.
>>
>>Finally, providing options to generate it for only system packages with
>>no user input, and individual package selection should be an option.
>>
>>Tom
>>
>
> Tripwire is nice, but I think a custom-developed solution would be much
> better for Gentoo. Gentoo keeps md5-sums for each package in
> /var/db/pkg/<category>/<package>/CONTENTS. What I would suggest is a
> system whereby we sign these CONTENTS-files with a GPG key. A second
> option would be to create a new file in this same location, specifically
> designed for integrity checking.
>
> Starting with the first option: this should be quite simple to implement.
> Just build a script which signs all the CONTENTS-files with your GPG
> key, and the database is built. Then, for each scan, the md5-sums of the
> files are checked against the real file, and the md5-sum of the
> CONTENTS-file is checked.
> A disadvantage of this approach is that some of the flexibility of the
> Tripwire system is lost. It is no longer possible to assign priorities
> to the different files, or to completely ignore certain files. This is
> where the second option comes in. Here, we are free to assign priorities
> to the individual files. We can also specify which aspects of the file
> should be checked: just the modification times, or the contents.

I tried to write a Perl script to do this, but I ran into problems. Of course, that was
when I'd only been using Perl for 3 months. I'd probably be able to do it better now. One
thing I was having problems with was binaries that had been prelinked. If you run prelink
a certain way, it can give you the MD5SUM of the original binary, which is what portage
does when unmerging a package. It didn't always work right for me, though. Maybe I'll try
again.

> The major advantage of this integrated system would be that the integrity
> information can be automatically updated if the user installs a new
> package. Normally, with Tripwire, system maintenance is a nuisance. Every
> time a new package is installed, Tripwire will generate false alarms.
> Or, at least, when I used it, it did, because I always forgot to update
> the database...

That's the problem with using tripwire on a Gentoo system. It's meant for a system that
doesn't change, which obviously isn't Gentoo. What if someone compromises your system
after your last run of tripwire (not the updater) and before you emerge a package and
update the database? The compromise would go unnoticed.

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


--
gentoo-security@g.o mailing list
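An added example, not code from this thread, of the scan step in the first option Michel sketches: parse a package's CONTENTS file (the `obj <path> <md5> <mtime>`, `sym <path> -> <target> <mtime>` and `dir <path>` lines portage writes) and check each recorded md5 against the file on disk. The GPG signing of CONTENTS and the prelink handling Andrew mentions are left out; the package tree and CONTENTS text are constructed inline under a temp dir that stands in for `/`.

```python
import hashlib
import os
import tempfile

def parse_contents(text):
    """Parse /var/db/pkg/<cat>/<pkg>/CONTENTS lines into (kind, path, md5_or_target, mtime)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "obj":      # obj <path> <md5> <mtime>
            entries.append(("obj", parts[1], parts[2], int(parts[3])))
        elif parts[0] == "sym":    # sym <path> -> <target> <mtime>
            entries.append(("sym", parts[1], parts[3], int(parts[4])))
        elif parts[0] == "dir":    # dir <path>
            entries.append(("dir", parts[1], None, None))
    return entries

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_contents(text, root="/"):
    """Return {path: 'ok'|'modified'|'missing'} for every obj entry in CONTENTS."""
    report = {}
    for kind, path, md5, _mtime in parse_contents(text):
        if kind != "obj":
            continue                      # dirs and symlinks carry no md5
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            report[path] = "missing"
        elif md5_of(real) != md5:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report

def demo():
    # Constructed package tree and CONTENTS text; a hypothetical package, not a real one.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    good, bad = (os.path.join(root, "usr/bin", n) for n in ("good", "bad"))
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")
    contents = "\n".join([
        "dir /usr/bin",
        f"obj /usr/bin/good {md5_of(good)} 1080230000",
        f"obj /usr/bin/bad {md5_of(bad)} 1080230000",
        "obj /usr/bin/gone 00000000000000000000000000000000 1080230000",
        "sym /usr/bin/alias -> good 1080230000",
    ])
    with open(bad, "ab") as f:          # file changed after the database was built
        f.write(b"echo tampered\n")
    return verify_contents(contents, root)
```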
