From: Elmar Stellnberger
Date: Wed, 10 Mar 2010 15:22:32 +0100
To: freebsd-security@freebsd.org
Subject: online checksum verification for FreeBSD
Message-ID: <4B97AB28.8060403@gmail.com>

I believe it would be highly desirable to have an online md5sum verification for FreeBSD as this is already implemented by checkroot (http://www.elstel.com/checkroot/) for openSUSE. This is often the only way to spot an intrusion.

Keeping external md5sum lists is very tedious and error-prone as soon as you want to apply updates. You need to fully verify your system before every single update because otherwise you may store the checksums of files that have already been altered by intruders. Forgetting this once makes any further checks useless, i.e. you would have to install from scratch.

Does anyone know whether a similar tool could be implemented for FreeBSD? The only thing that I have found about it is: "DS Compare the system against a "known good" index of the installed release.'" However this known good index would need to be stored on a FreeBSD server because everything that is stored locally can be altered by an intruder.

In the case of openSUSE it is sufficient to download the package headers of all installed packages because they contain the md5sums of the files that are installed. Keeping md5sum lists on a server would be an alternative solution as proposed in https://features.opensuse.org/306508.

For those of us who are building their own ports something like the openSUSE build service for FreeBSD (https://features.opensuse.org/308617) could leverage the usage of such a security tool for all packages although checking the core packages will be most important so far in order to detect rootkits (which are not publicly known so far).
Best Regards,
Elmar

P.S.: Please do also send responses to my email as I am not subscribed yet.
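The verify-before-update rule from the message above, as an added example that is not part of the original post and is not checkroot's code. It assumes SHA-256 in place of the md5sums the post mentions, a `known_good` dictionary standing in for the list obtained from a server, and hypothetical function names throughout.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_index(root):
    """Map each file's path relative to root to its digest."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            index[os.path.relpath(full, root)] = file_digest(full)
    return index

def verify(root, known_good):
    """Return (modified, missing, unknown) paths versus the known-good index."""
    seen = build_index(root)
    modified = sorted(p for p in known_good if p in seen and seen[p] != known_good[p])
    missing = sorted(p for p in known_good if p not in seen)
    unknown = sorted(p for p in seen if p not in known_good)
    return modified, missing, unknown

def guarded_update(root, known_good, apply_update):
    """Verify first; only a clean system may be updated and re-indexed."""
    findings = verify(root, known_good)
    if any(findings):
        raise RuntimeError("verification failed, index not refreshed: %r" % (findings,))
    apply_update(root)
    return build_index(root)

def demo():
    """Constructed sample tree: two files, one altered after indexing."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ls", b"ls v1"), ("sh", b"sh v1")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        known_good = build_index(root)  # stands in for the server-held list
        with open(os.path.join(root, "ls"), "wb") as f:
            f.write(b"ls v1 + altered")  # change made after the index was taken
        return verify(root, known_good)

if __name__ == "__main__":
    print(demo())  # (['ls'], [], [])
```

The index passed to `verify` has to come from outside the machine being checked; one built on that machine only confirms whatever state it was built from.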