From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 23:31:50 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B8B11106564A for ; Wed, 10 Mar 2010 23:31:50 +0000 (UTC) (envelope-from julian@elischer.org) Received: from out-0.mx.aerioconnect.net (out-0-12.mx.aerioconnect.net [216.240.47.72]) by mx1.freebsd.org (Postfix) with ESMTP id 9A07F8FC1E for ; Wed, 10 Mar 2010 23:31:50 +0000 (UTC) Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160]) by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id o2AN9i2P014908; Wed, 10 Mar 2010 15:09:44 -0800 X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e Received: from julian-mac.elischer.org (h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137]) by idiom.com (Postfix) with ESMTP id 17E9E2D601F; Wed, 10 Mar 2010 15:09:44 -0800 (PST) Message-ID: <4B9826B7.1080304@elischer.org> Date: Wed, 10 Mar 2010 15:09:43 -0800 From: Julian Elischer User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: Elmar Stellnberger References: <4B97AB28.8060403@gmail.com> <20100310185328.GD37825@server.vk2pj.dyndns.org> <4B97C1D1.7050209@gmail.com> In-Reply-To: <4B97C1D1.7050209@gmail.com> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51 X-Mailman-Approved-At: Thu, 11 Mar 2010 03:05:37 +0000 Cc: freebsd-security@freebsd.org Subject: Re: online cheksum verification for FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2010 23:31:50 -0000 Elmar Stellnberger wrote: >>> The only thing that I have found about it is: >>> "DS Compare the system against a "known good" index of the installed >>> release.'" >> As well as freebsd-update(8), the FreeBSD base system includes >> mtree(8) - which can be used to generate and check file hashes. Other >> tools, such as tripwire, are available in the ports tree. >> > > As far as I am informed freebsd generates the checksums right after > installation. However this is absolutely useless for a tool like > checkroot that aims at an online checksum verification. > > >> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger > wrote: >>> I believe it would be highly desireable to have an online md5sum >>> verification for FreeBSD as this is already implemented by checkroot >>> (http://www.elstel.com/checkroot/) for openSUSE. >> You are welcome to adapt your tool to support FreeBSD and have it >> included in the ports system. > > Could anyone help me in how to obtain online cheksums (md5 or better > sha1) for the files of every installed package? > > >> That said, it's unclear that your tool offers any benefits over >> the freebsd-update(8) tool that is part of the FreeBSD base system. >> > > You seem to be really ignorant about the issues I have pointed out about > online/offline cheksums: > * offline cheksums require some security tool having been installed in > advance. > Most users simply don`t have tripwire or sth. else installed but are > nonetheless > possible targets for crackers. > * offline cheksums are very tedious to maintain: > They require a full system verification in advance to any new update > being followed > by a new checksum backup > If you just forget that once you can throw your system away. > Now do also think about applying a single update or about updating > regularely > which should be recommended for reasons of security. > > >> Note that an >> intruder could equally easily modify the checkroot executable unless >> it is also stored on read-only media. > > Yes I have clearly pointed this out on my web site. The tool will of > course not be useful as long as it is not invoked fromout of a boot CD. > Concerning me I do always have a current boot CD handy - and be it just > for reinstalling the boot loader. > > >> I notice that your tool only appears to store MD5 hashes - I presume >> you are aware that the MD5 algorithm has been shown to have a number >> of weaknesses and is not recommended for new applications. This >> is why FreeBSD has moved to using a combination of MD5 and SHA256. > > Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5) > for FreeBSD. > For openSUSE I had to use what has been available. > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" all that is not to say it's a bad idea, just that people are interested to see what the advantages are etc.