Michel Wilson wrote:
> On Thu, Mar 25, 2004 at 02:06:39AM +0000, Tom Hosiawa wrote:
>
>>I've used tripwire a little bit, and I'm starting to like it.
>>
>>The biggest problem I see with it is that the default policy is set up for
>>Red Hat, not for Gentoo. I know a Gentoo policy file exists in bugzilla,
>>but I'm thinking of creating a script to generate the policy file based
>>specifically on installed packages in portage.
>>
>>So before I go ahead with this plan, I thought I'd get some feedback on my
>>ideas.
>>
>>From playing around with the policy file, I see it groups and
>>categorizes files into different security types and priorities such as
>>critical, suid, config, log, etc.
>>
>>So for every installed package, I would put it into its own group. Then
>>I would assign binary files (/bin, /usr/bin), superuser files (/sbin,
>>/usr/sbin), suid (search for them), config (/etc), log (/var/log) files
>>into their appropriate categories.
>>
>>Finally, there should be options to generate it for only system packages
>>with no user input, and for individual package selection.
>>
>>Tom
>>
>
> Tripwire is nice, but I think a custom-developed solution would be much
> better for Gentoo. Gentoo keeps md5-sums for each package in
> /var/db/pkg/<category>/<package>/CONTENTS. What I would suggest is a
> system whereby we sign these CONTENTS-files with a GPG key. A second
> option would be to create a new file in this same location, specifically
> designed for integrity checking.
>
> Starting with the first option: this should be quite simple to implement.
> Just build a script which signs all the CONTENTS-files with your GPG
> key, and the database is built. Then, for each scan, the md5-sums of the
> files are checked against the real file, and the md5-sum of the
> CONTENTS-file is checked.
> A disadvantage of this approach is that some of the flexibility of the
> Tripwire system is lost. It is no longer possible to assign priorities
> to the different files, or to completely ignore certain files. This is
> where the second option comes in. Here, we are free to assign priorities
> to the individual files. We can also specify which aspects of the file
> should be checked: just the modification times, or the contents.

I tried to write a Perl script to do this, but I ran into problems. Of course, that was
when I'd only been using Perl for 3 months. I'd probably be able to do it better now. One
thing I was having problems with was binaries that had been prelinked. If you run prelink
a certain way, it can give you the MD5SUM of the original binary, which is what portage
does when unmerging a package. It didn't always work right for me, though. Maybe I'll try
again.

> The major advantage of this integrated system would be that the integrity
> information can be automatically updated if the user installs a new
> package. Normally, with Tripwire, system maintenance is a nuisance. Every
> time a new package is installed, Tripwire will generate false alarms.
> Or, at least, when I used it it did, because I always forgot to update
> the database...

That's the problem with using tripwire on a Gentoo system. It's meant for a system that
doesn't change, which obviously isn't Gentoo. What if someone compromises your system
after your last run of tripwire (not the updater) and before you emerge a package and
update the database? The compromise would go unnoticed.

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


--
gentoo-security@g.o mailing list
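A minimal checker for the CONTENTS-file approach Michel describes (compare each recorded md5-sum and mtime against the real file), as an added Python example that is not from this thread. It assumes Portage's CONTENTS line layout `obj <path> <md5> <mtime>` and `sym <path> -> <target> <mtime>`; the root directory and its files are constructed in a temp dir, and signing the CONTENTS file itself is left out.

```python
import hashlib
import os
import tempfile

def parse_contents(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "obj":      # obj <path> <md5> <mtime>
            entries.append(("obj", parts[1], parts[2], int(parts[3])))
        elif parts and parts[0] == "sym":    # sym <path> -> <target> <mtime>
            entries.append(("sym", parts[1], parts[3], int(parts[4])))
    return entries

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify(entries, root="/"):
    findings = []   # (path, reason) for every entry that no longer matches the filesystem
    for kind, path, expected, mtime in entries:
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.lexists(full):
            findings.append((path, "missing"))
        elif kind == "obj":
            if os.path.islink(full) or not os.path.isfile(full):
                findings.append((path, "not a regular file"))
            elif md5_of(full) != expected:   # checksum catches content edits
                findings.append((path, "md5 mismatch"))
            elif int(os.stat(full).st_mtime) != mtime:
                findings.append((path, "mtime changed"))
        elif not os.path.islink(full) or os.readlink(full) != expected:
            findings.append((path, "symlink target changed"))
    return findings

def demo():
    # Constructed scenario: temp root with one intact file, one altered file, one missing symlink
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    paths = [os.path.join(root, "usr/bin", n) for n in ("good", "bad")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.utime(p, (1080000000, 1080000000))   # constructed mtime
    contents = "".join("obj /usr/bin/%s %s 1080000000\n" % (os.path.basename(p), md5_of(p)) for p in paths)
    contents += "sym /usr/bin/gone -> good 1080000000\n"
    with open(paths[1], "ab") as f:   # alter "bad" and restore its mtime, so that
        f.write(b"echo changed\n")    # only the checksum reveals the change
    os.utime(paths[1], (1080000000, 1080000000))
    return verify(parse_contents(contents), root)
```

`bad` is caught only by the checksum because its mtime was put back, which is why checking just modification times (Michel's lighter option) is weaker than checking contents.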