From: Robert Ayrapetyan
Cc: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Thu, 25 Feb 2016 21:50:38 -0800
Message-ID: <56CFE7AE.3080507@gmail.com>
References: <56CD2EE3.5080009@gmail.com>
List-Id: "Security issues [members-only posting]"

Yeah, finally I've decided to re-install from an official iso. I've found some services in crontab I didn't like at all - they were submitting a lot of info to third-party servers (officially for monitoring purposes).

P.S. Under "instance" I mean a dedicated unmanaged server.

On 02/24/16 22:03, Terje Elde wrote:
>
> > On 24 Feb 2016, at 05:17, Robert Ayrapetyan wrote:
> >
> > Hi. Is there any reliable way to verify checksums of all local files for some FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed FreeBSD instances, how can I be sure there aren't any patches\changes in a kernel\services etc? Does FreeBSD provide any automated tools for this kind of verification?
>
> Just a quick note; if you suspect malicious intent from a competent attacker (your provider in this case), running an IDS-type check won't do. It's possible to use a kernel-module that omits itself when you're looking at the file system after boot for example, so it'd be invisible or look normal when checking the filesystem.
>
> Since you say "instance", I'm thinking probably VPS, in which case there needs to be a level of trust in the provider anyway, and this probably doesn't apply to you. Just wanted to mention it quickly as an apropos.
>
> Terje
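
An added example, not part of the original thread: one way to do the checksum comparison asked about above, written so it can be run from trusted rescue media against the mounted disk rather than on the booted system, which is the case Terje's caveat about self-hiding kernel modules concerns. The function names and the sample trees are constructed for illustration; the reference tree is assumed to come from an official release.

```python
import hashlib, os, stat, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (sha256, permission bits) for each regular file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # symlinks and devices are not covered
                rel = os.path.relpath(full, root)
                manifest[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode))
    return manifest

def compare(reference, suspect):
    """List files missing from, added to, or changed in the suspect tree."""
    return {
        "missing": sorted(set(reference) - set(suspect)),
        "added": sorted(set(suspect) - set(reference)),
        "changed": sorted(p for p in set(reference) & set(suspect)
                          if reference[p] != suspect[p]),
    }

def write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed sample trees: a reference copy and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = os.path.join(tmp, "reference"), os.path.join(tmp, "suspect")
        for root in (ref, sus):
            write(os.path.join(root, "bin", "ls"), b"ls-binary", 0o555)
            write(os.path.join(root, "etc", "crontab"), b"# system crontab\n")
        # Constructed tampering: extra cron job, extra binary, changed mode.
        write(os.path.join(sus, "etc", "crontab"),
              b"# system crontab\n* * * * * root /usr/local/bin/agent\n")
        write(os.path.join(sus, "usr", "local", "bin", "agent"), b"agent", 0o755)
        os.chmod(os.path.join(sus, "bin", "ls"), 0o755)  # same bytes, new mode
        return compare(build_manifest(ref), build_manifest(sus))

if __name__ == "__main__":
    print(demo())
```

Files under /etc and other locally configured paths will differ from any release reference by design, so the "changed" and "added" lists are a starting point for review rather than a verdict.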