From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 17:13:01 2010
From: Elmar Stellnberger
Date: Wed, 10 Mar 2010 15:22:32 +0100
To: freebsd-security@freebsd.org
Subject: online cheksum verification for FreeBSD

online checksum verification for FreeBSD

I believe it would be highly desirable to have an online md5sum
verification for FreeBSD as this is already implemented by checkroot
(http://www.elstel.com/checkroot/) for openSUSE. This is often the only
way to spot an intrusion.

Keeping external md5sum lists is very tedious and error prone as soon
as you want to apply updates. You need to fully verify your system
before every single update because otherwise you may store the
checksums of files that have already been altered by intruders.
Forgetting this once makes any further checks useless i.e. you would
have to install from scratch.

Does anyone know whether a similar tool could be implemented for
FreeBSD?

The only thing that I have found about it is:
"DS Compare the system against a "known good" index of the installed
release.'"
However this known good index would need to be stored on a FreeBSD
server because everything that is stored locally can be altered by an
intruder.

In the case of openSUSE it is sufficient to download the package
headers of all installed packages because they contain the md5sums of
the files that are installed. Keeping md5sum lists on a server would be
an alternative solution as proposed in
https://features.opensuse.org/306508.

For those of us who are building their own ports something like the
openSUSE build service for FreeBSD (https://features.opensuse.org/308617)
could leverage the usage of such a security tool for all packages
although checking the core packages will be most important so far in
order to detect rootkits (which are not publicly known so far).
Best Regards,
Elmar

P.S.: Please do also send responses to my email as I am not subscribed
yet.

From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 19:38:10 2010
From: Elmar Stellnberger
Date: Wed, 10 Mar 2010 16:59:13 +0100
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Subject: Re: online cheksum verification for FreeBSD

>> The only thing that I have found about it is:
>> "DS Compare the system against a "known good" index of the installed
>> release.'"
>
> As well as freebsd-update(8), the FreeBSD base system includes
> mtree(8) - which can be used to generate and check file hashes. Other
> tools, such as tripwire, are available in the ports tree.
>

As far as I am informed FreeBSD generates the checksums right after
installation. However this is absolutely useless for a tool like
checkroot that aims at an online checksum verification.

> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote:
>> I believe it would be highly desirable to have an online md5sum
>> verification for FreeBSD as this is already implemented by checkroot
>> (http://www.elstel.com/checkroot/) for openSUSE.
>
> You are welcome to adapt your tool to support FreeBSD and have it
> included in the ports system.

Could anyone help me in how to obtain online checksums (md5 or better
sha1) for the files of every installed package?

>
> That said, it's unclear that your tool offers any benefits over
> the freebsd-update(8) tool that is part of the FreeBSD base system.
>

You seem to be really ignorant about the issues I have pointed out about
online/offline checksums:
* offline checksums require some security tool having been installed in
  advance.
  Most users simply don't have tripwire or something else installed but
  are nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain:
  They require a full system verification in advance to any new update
  being followed by a new checksum backup
  If you just forget that once you can throw your system away.
  Now do also think about applying a single update or about updating
  regularly which should be recommended for reasons of security.

> Note that an
> intruder could equally easily modify the checkroot executable unless
> it is also stored on read-only media.

Yes I have clearly pointed this out on my web site. The tool will of
course not be useful as long as it is not invoked from a boot CD.
Concerning me I do always have a current boot CD handy - and be it just
for reinstalling the boot loader.

>
> I notice that your tool only appears to store MD5 hashes - I presume
> you are aware that the MD5 algorithm has been shown to have a number
> of weaknesses and is not recommended for new applications. This
> is why FreeBSD has moved to using a combination of MD5 and SHA256.

Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
for FreeBSD. For openSUSE I had to use what has been available.
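
Added example, not part of the thread and not checkroot or FreeBSD code: the re-baselining problem described in the message above (an offline checksum list must be fully verified before each update, or altered files get recorded as good), sketched in Python with SHA-256. The function names, the `update_hashes` input (hashes published by a source the intruder cannot alter) and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


class BaselineRefused(Exception):
    """Raised when the tree changed in ways the update does not explain."""

    def __init__(self, paths):
        super().__init__("unexplained changes: " + ", ".join(paths))
        self.paths = paths


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root, baseline):
    """Return the sorted paths that are modified, missing or unexpected."""
    current = snapshot(root)
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))


def rebaseline(root, baseline, update_hashes):
    """Fold an update into the baseline only if nothing else has drifted.

    update_hashes is {path: sha256} as published for the update; it must
    come from outside the machine being checked (assumption of this sketch).
    """
    current = snapshot(root)
    # Any difference from the old baseline that the update does not cover.
    unexplained = [p for p in baseline.keys() | current.keys()
                   if p not in update_hashes and baseline.get(p) != current.get(p)]
    # Updated files must match what was published, not merely "have changed".
    mismatched = [p for p, h in update_hashes.items() if current.get(p) != h]
    if unexplained or mismatched:
        raise BaselineRefused(sorted(set(unexplained + mismatched)))
    merged = dict(baseline)
    merged.update(update_hashes)
    return merged


def write_file(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: tampering followed by a legitimate update."""
    ls, sh = os.path.join("bin", "ls"), os.path.join("bin", "sh")
    with tempfile.TemporaryDirectory() as root:
        write_file(root, ls, b"ls 1.0\n")
        write_file(root, sh, b"sh 1.0\n")
        baseline = snapshot(root)                    # taken while known good
        write_file(root, sh, b"sh 1.0 + backdoor\n")  # constructed tampering
        write_file(root, ls, b"ls 1.1\n")             # legitimate update
        update_hashes = {ls: hashlib.sha256(b"ls 1.1\n").hexdigest()}

        # Forgetting to verify first: the new list records the altered sh
        # as good, so every later check comes back clean.
        naive = snapshot(root)
        hidden = verify(root, naive)

        # Verifying against the old list first exposes the altered file.
        try:
            rebaseline(root, baseline, update_hashes)
            refused = []
        except BaselineRefused as exc:
            refused = exc.paths
    return hidden, refused


if __name__ == "__main__":
    print(demo())
```
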
From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 20:52:45 2010
From: FreeBSD Security Officer
Organization: FreeBSD Project
Date: Wed, 10 Mar 2010 12:52:44 -0800
Reply-To: security-officer@freebsd.org
To: freebsd security, FreeBSD Stable
Subject: FreeBSD 7.2-RELEASE EoL delayed to end of June 2010

Hello Everyone,

In keeping with the FreeBSD Security Team policy concerning the EoL
dates for "Normal" support releases, "a minimum of 12 months after the
release, and for sufficient additional time (if needed) to ensure that
there is a newer release for at least 3 months before the older Normal
release expires" the EoL date for FreeBSD 7.2-RELEASE has been adjusted
from the end of May 2010 to the end of June 2010.

Due to an unfortunate limitation in the freebsd-update(8) utility, it
will warn about the upcoming EoL based on the original end-of-May date
until the next time a security update is pushed out for 7.2-RELEASE.

Please note that this is only a one month reprieve; we expect
7.3-RELEASE to be announced later this month, and users of 7.2-RELEASE
are advised to utilize the months of April, May, and June to ensure that
their systems are upgraded before 7.2-RELEASE ceases to be supported.

Once they are released, 7.3-RELEASE and 8.1-RELEASE will both receive
"Extended" (i.e., 24 month) support from the FreeBSD Security Team.

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 21:36:09 2010
From: Peter Jeremy
Date: Thu, 11 Mar 2010 05:53:28 +1100
To: Elmar Stellnberger
Cc: freebsd-security@freebsd.org
Subject: Re: online cheksum verification for FreeBSD

On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote:
> I believe it would be highly desirable to have an online md5sum
>verification for FreeBSD as this is already implemented by checkroot
>(http://www.elstel.com/checkroot/) for openSUSE.

You are welcome to adapt your tool to support FreeBSD and have it
included in the ports system.

That said, it's unclear that your tool offers any benefits over
the freebsd-update(8) tool that is part of the FreeBSD base system.

>The only thing that I have found about it is:
>"DS Compare the system against a "known good" index of the installed
>release.'"

As well as freebsd-update(8), the FreeBSD base system includes
mtree(8) - which can be used to generate and check file hashes. Other
tools, such as tripwire, are available in the ports tree.

>However this known good index would need to be stored on a FreeBSD
>server because everything that is stored locally can be altered by an
>intruder.

This isn't completely true - the known good index could be stored on
read-only media - CD-ROM or write-protected floppy. Note that an
intruder could equally easily modify the checkroot executable unless
it is also stored on read-only media. (And even a statically linked
checkroot won't protect against a suborned kernel).

I notice that your tool only appears to store MD5 hashes - I presume
you are aware that the MD5 algorithm has been shown to have a number
of weaknesses and is not recommended for new applications. This
is why FreeBSD has moved to using a combination of MD5 and SHA256.

Also, your website mentions DSA is unsafe. Could you please provide a
reference for this claim as I am unaware of any results suggesting
that DSA is less secure than RSA.

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 22:18:04 2010
From: Daniel Roethlisberger
Date: Wed, 10 Mar 2010 23:18:01 +0100
To: freebsd-security@freebsd.org
Cc: Elmar Stellnberger
Subject: Re: online cheksum verification for FreeBSD

Elmar Stellnberger 2010-03-10:
> > I notice that your tool only appears to store MD5 hashes - I presume
> > you are aware that the MD5 algorithm has been
> > shown to have a number of weaknesses and is not recommended for new
> > applications. This is why FreeBSD has moved to using a combination
> > of MD5 and SHA256.
>
> Yes, we should use SHA-1 (or possibly a combination of SHA-1
> and MD5) for FreeBSD. For openSUSE I had to use what has been
> available.

SHA-1 is not recommended for new applications either. You should
probably use SHA-256.

Peter Jeremy 2010-03-10:
> Also, your website mentions DSA is unsafe. Could you please
> provide a reference for this claim as I am unaware of any
> results suggesting that DSA is less secure than RSA.

That claim might be based on the fact that original DSS limited
DSA key size to 1024 bits. Since 2k and 3k DSA is available
these days, the claim that DSA is unsafe seems outdated.

--
Daniel Roethlisberger
http://daniel.roe.ch/

From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 23:31:50 2010
From: Julian Elischer
Date: Wed, 10 Mar 2010 15:09:43 -0800
To: Elmar Stellnberger
Cc: freebsd-security@freebsd.org
Subject: Re: online cheksum verification for FreeBSD

Elmar Stellnberger wrote:
>>> The only thing that I have found about it is:
>>> "DS Compare the system against a "known good" index of the installed
>>> release.'"
>> As well as freebsd-update(8), the FreeBSD base system includes
>> mtree(8) - which can be used to generate and check file hashes. Other
>> tools, such as tripwire, are available in the ports tree.
>>
>
> As far as I am informed FreeBSD generates the checksums right after
> installation. However this is absolutely useless for a tool like
> checkroot that aims at an online checksum verification.
>
>> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote:
>>> I believe it would be highly desirable to have an online md5sum
>>> verification for FreeBSD as this is already implemented by checkroot
>>> (http://www.elstel.com/checkroot/) for openSUSE.
>> You are welcome to adapt your tool to support FreeBSD and have it
>> included in the ports system.
>
> Could anyone help me in how to obtain online checksums (md5 or better
> sha1) for the files of every installed package?
>
>> That said, it's unclear that your tool offers any benefits over
>> the freebsd-update(8) tool that is part of the FreeBSD base system.
>>
>
> You seem to be really ignorant about the issues I have pointed out about
> online/offline checksums:
> * offline checksums require some security tool having been installed in
>   advance.
>   Most users simply don't have tripwire or something else installed but
>   are nonetheless possible targets for crackers.
> * offline checksums are very tedious to maintain:
>   They require a full system verification in advance to any new update
>   being followed by a new checksum backup
>   If you just forget that once you can throw your system away.
>   Now do also think about applying a single update or about updating
>   regularly which should be recommended for reasons of security.
>
>> Note that an
>> intruder could equally easily modify the checkroot executable unless
>> it is also stored on read-only media.
>
> Yes I have clearly pointed this out on my web site. The tool will of
> course not be useful as long as it is not invoked from a boot CD.
> Concerning me I do always have a current boot CD handy - and be it just
> for reinstalling the boot loader.
>
>> I notice that your tool only appears to store MD5 hashes - I presume
>> you are aware that the MD5 algorithm has been shown to have a number
>> of weaknesses and is not recommended for new applications. This
>> is why FreeBSD has moved to using a combination of MD5 and SHA256.
>
> Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
> for FreeBSD.
> For openSUSE I had to use what has been available.

All that is not to say it's a bad idea, just that people
are interested to see what the advantages are etc.

From owner-freebsd-security@FreeBSD.ORG Thu Mar 11 09:34:12 2010
From: Elmar Stellnberger
Date: Thu, 11 Mar 2010 06:35:49 +0100
To: freebsd-security@freebsd.org
Cc: Julian Elischer
Subject: Re: online cheksum verification for FreeBSD

Julian Elischer wrote:
> Elmar Stellnberger wrote:
>>>> The only thing that I have found about it is:
>>>> "DS Compare the system against a "known good" index of the installed
>>>> release.'"
>>> As well as freebsd-update(8), the FreeBSD base system includes
>>> mtree(8) - which can be used to generate and check file hashes. Other
>>> tools, such as tripwire, are available in the ports tree.
>>>
>>
>> As far as I am informed FreeBSD generates the checksums right after
>> installation. However this is absolutely useless for a tool like
>> checkroot that aims at an online checksum verification.
>>
>>> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote:
>>>> I believe it would be highly desirable to have an online md5sum
>>>> verification for FreeBSD as this is already implemented by checkroot
>>>> (http://www.elstel.com/checkroot/) for openSUSE.
>>> You are welcome to adapt your tool to support FreeBSD and have it
>>> included in the ports system.
>>
>> Could anyone help me in how to obtain online checksums (md5 or better
>> sha1) for the files of every installed package?
>>
>>> That said, it's unclear that your tool offers any benefits over
>>> the freebsd-update(8) tool that is part of the FreeBSD base system.
>>>
>>
>> You seem to be really ignorant about the issues I have pointed out about
>> online/offline checksums:
>> * offline checksums require some security tool having been installed in
>>   advance.
>>   Most users simply don't have tripwire or something else installed but
>>   are nonetheless possible targets for crackers.
>> * offline checksums are very tedious to maintain:
>>   They require a full system verification in advance to any new update
>>   being followed by a new checksum backup
>>   If you just forget that once you can throw your system away.
>>   Now do also think about applying a single update or about updating
>>   regularly which should be recommended for reasons of security.
>>
>>> Note that an
>>> intruder could equally easily modify the checkroot executable unless
>>> it is also stored on read-only media.
>>
>> Yes I have clearly pointed this out on my web site. The tool will of
>> course not be useful as long as it is not invoked from a boot CD.
>> Concerning me I do always have a current boot CD handy - and be it just
>> for reinstalling the boot loader.
>>
>>> I notice that your tool only appears to store MD5 hashes - I presume
>>> you are aware that the MD5 algorithm has been shown to have a number
>>> of weaknesses and is not recommended for new applications. This
>>> is why FreeBSD has moved to using a combination of MD5 and SHA256.
>>
>> Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
>> for FreeBSD.
>> For openSUSE I had to use what has been available.
>
> All that is not to say it's a bad idea, just that people
> are interested to see what the advantages are etc.
>

If one must not say that it is a bad idea then I would conclude the idea
to be good.
However ranting without giving reasons would really have been amiss.
Those of us who want to crack into the systems of innocent users will of
course not welcome the tool because it gives them a viable way to
defend.

To me there is simply no alternative to an online checksum verification
due to its clear advantages. It is a crucial issue which needs to get
resolved before I start to deploy FreeBSD on my production systems and
before I may decide to engage further in the development of FreeBSD
(kernel, fs, power saving).

I have received some valuable input from the openSUSE community
beforehand implementing the checkroot tool for this OS. Can anyone in
here help me or should I go on to ask on a mailing list that is better
suited to package management issues (which one to choose? -
freebsd-hackers?).

From owner-freebsd-security@FreeBSD.ORG Thu Mar 11 17:13:04 2010
From: Roger Marquis
Date: Thu, 11 Mar 2010 09:13:04 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: Re: online cheksum verification for FreeBSD

Elmar Stellnberger wrote:
> I believe it
> would be highly desirable to have an online md5sum
> verification for FreeBSD as this is already implemented by checkroot

This is not difficult to do on a per-host basis using integrit, cron and
optionally md5 with mail, ftp or scp.

> (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> way to spot an intrusion.

Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
host. Wouldn't that make global checksums relatively useless?

Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Thu Mar 11 21:25:51 2010
From: Micheas Herman
Date: Thu, 11 Mar 2010 13:25:38 -0800
Reply-To: m@micheas.net
To: freebsd-security@freebsd.org
Subject: Re: online cheksum verification for FreeBSD

On Thu, 2010-03-11 at 09:13 -0800, Roger Marquis wrote:
> Elmar Stellnberger wrote:
> > I believe it would be highly desirable to have an online md5sum
> > verification for FreeBSD as this is already implemented by checkroot
>
> This is not difficult to do on a per-host basis using integrit, cron and
> optionally md5 with mail, ftp or scp.
>
> > (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> > way to spot an intrusion.
>
> Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
> host. Wouldn't that make global checksums relatively useless?
>

The second most common way I have seen packages installed is off of
one's own build server. With the "official" packages, being used by
people new to FreeBSD.

The thing that makes people love FreeBSD is that the source that
compiled your program is right there and easy to get up to speed on to
change things, with the Make files providing a lot of usually helpful
hints.

Personally, a tripwire that was friendlier to website admins would be
really nice. Which this somewhat tries to be, but it fails in the sense
that it does not deal with /etc/make.conf

This might actually be a reasonable business model, free if you are
using Debian/CentOS/openSUSE/"official" FreeBSD packages, and a small
annual fee to host your own checksums.

I have about 2% of my Debian packages that would fail checksums because
I modified the source before compiling them.

To make your problem worse when you leave the confines of openSUSE,
there is a Debian utility called apt-build that fetches the pkg source
and builds it and installs the deb much like FreeBSD ports.

You are going to have similar problems with Gentoo.
Binaries compiled -O vs -O2 produce different binaries. In the x86 world, you can make a binary compatible with processor N and higher, each of which produces a different checksum, for most, but not all programs.

Tripwire has clearly not progressed very quickly, and is not used as much as it probably should be.

Also, the FreeBSD group tends to be pretty merciless in pointing out when you make a mistake (I made several with vinum). Don't be discouraged, but the problem is bigger than Elmar seems to have been assuming, but that is what makes life fun, right?

Micheas

> Roger Marquis
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Habit is habit, and not to be flung out of the window by any man, but coaxed down-stairs a step at a time.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"

From owner-freebsd-security@FreeBSD.ORG Thu Mar 11 18:21:09 2010
From: Elmar Stellnberger
Cc: Giancarlo Rubio, freebsd-security@freebsd.org
Date: Thu, 11 Mar 2010 19:20:08 +0100
Subject: Re: online cheksum verification for FreeBSD
Message-ID: <4B993458.8000403@gmail.com>
References: <4B97AB28.8060403@gmail.com> <20100310185328.GD37825@server.vk2pj.dyndns.org> <4B97C1D1.7050209@gmail.com>

Giancarlo Rubio wrote:
> running on the 2 servers!!!
>

Could anyone help me in how to obtain online checksums for FreeBSD? Then it should be no problem to port checkroot. I have received some valuable input from the openSUSE community in this regard before venturing the current implementation. Where do we have people who are familiar with the package management of FreeBSD?

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 00:18:28 2010
From: Micheas Herman
To: freebsd-security@freebsd.org
Date: Thu, 11 Mar 2010 16:18:21 -0800
Subject: Re: online cheksum verification for FreeBSD
Message-ID: <1268353101.32610.26916.camel@vcampaign>
In-Reply-To: <4B993458.8000403@gmail.com>
Reply-To: m@micheas.net

On Thu, 2010-03-11 at 19:20 +0100, Elmar Stellnberger wrote:
> Giancarlo Rubio wrote:
> > running on the 2 servers!!!
> >
> Could anyone help me in how to obtain online checksums for FreeBSD?

Um, most FreeBSD users compile from source with a custom /etc/make.conf file.
There are online pkgs, but I don't know of anyone that commonly uses them. I know people use them for openoffice and a few of the things that take a long time to download, but not commonly.

You can download the packages from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/

and run pkg_check.

You might be able to extract the signature from the package. The packages themselves are signed. There is no separate signature file. /etc/ssl/pkg.crt is the location of the public key for the packages.

Basically, there are no online checksums for FreeBSD.

http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=pkg_sign might help you.

Personally I don't bother to sign my packages because I never install them on more than four machines and never more than a few hours after the package was built. If I had more FreeBSD machines to deal with, I might sign my packages just as a best practice, but I doubt it would really do any good, except that the machines would only accept packages from the build server, and not upstream without squawking.

I hope this points you in a helpful way.

Micheas

> Then it should be no problem to port checkroot. I have received some
> valuable input from the openSUSE community in this regard before
> venturing the current implementation. Where do we have people who
> are familiar with the package management of FreeBSD?

--
I was gratified to be able to answer promptly, and I did. I said I didn't know.
-- Mark Twain
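
An added example, not code from any poster in this thread nor from checkroot or integrit: a per-host baseline check of the kind Roger Marquis describes, which avoids the locally-compiled-binaries mismatch because the reference digests come from the host's own files, and which refuses to re-baseline after an update unless the tree verified clean first. The function names are hypothetical, SHA-256 is used in place of md5, and the baseline is assumed to be stored on another machine between runs.

```python
import hashlib
import os


def file_digest(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def verify(root, baseline):
    """Compare the live tree with a baseline that was kept off-host (assumption)."""
    current = build_manifest(root)
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if current[p] != baseline[p]),
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
    }


def rebaseline_after_update(root, baseline, apply_update):
    """Verify first; only a clean tree may be updated and re-hashed."""
    report = verify(root, baseline)
    if any(report.values()):
        raise RuntimeError(f"tree differs from baseline, not re-baselining: {report}")
    apply_update()
    return build_manifest(root)
```
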