Date: Thu, 11 Mar 2010 06:35:49 +0100 From: Elmar Stellnberger <elmstel@gmail.com> To: freebsd-security@freebsd.org Cc: Julian Elischer <julian@elischer.org> Subject: Re: online cheksum verification for FreeBSD Message-ID: <4B988135.9030807@gmail.com> In-Reply-To: <4B9826B7.1080304@elischer.org> References: <4B97AB28.8060403@gmail.com> <20100310185328.GD37825@server.vk2pj.dyndns.org> <4B97C1D1.7050209@gmail.com> <4B9826B7.1080304@elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Julian Elischer schrieb: > Elmar Stellnberger wrote: >>>> The only thing that I have found about it is: >>>> "DS Compare the system against a "known good" index of the installed >>>> release.'" >>> As well as freebsd-update(8), the FreeBSD base system includes >>> mtree(8) - which can be used to generate and check file hashes. Other >>> tools, such as tripwire, are available in the ports tree. >>> >> >> As far as I am informed freebsd generates the checksums right after >> installation. However this is absolutely useless for a tool like >> checkroot that aims at an online checksum verification. >> >> >>> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel@gmail.com> >> wrote: >>>> I believe it would be highly desireable to have an online md5sum >>>> verification for FreeBSD as this is already implemented by checkroot >>>> (http://www.elstel.com/checkroot/) for openSUSE. >>> You are welcome to adapt your tool to support FreeBSD and have it >>> included in the ports system. >> >> Could anyone help me in how to obtain online cheksums (md5 or better >> sha1) for the files of every installed package? >> >> >>> That said, it's unclear that your tool offers any benefits over >>> the freebsd-update(8) tool that is part of the FreeBSD base system. >>> >> >> You seem to be really ignorant about the issues I have pointed out about >> online/offline cheksums: >> * offline cheksums require some security tool having been installed in >> advance. >> Most users simply don`t have tripwire or sth. else installed but are >> nonetheless >> possible targets for crackers. >> * offline cheksums are very tedious to maintain: >> They require a full system verification in advance to any new update >> being followed >> by a new checksum backup >> If you just forget that once you can throw your system away. >> Now do also think about applying a single update or about updating >> regularely >> which should be recommended for reasons of security. >> >> >>> Note that an >>> intruder could equally easily modify the checkroot executable unless >>> it is also stored on read-only media. >> >> Yes I have clearly pointed this out on my web site. The tool will of >> course not be useful as long as it is not invoked fromout of a boot CD. >> Concerning me I do always have a current boot CD handy - and be it just >> for reinstalling the boot loader. >> >> >>> I notice that your tool only appears to store MD5 hashes - I presume >>> you are aware that the MD5 algorithm has been shown to have a number >>> of weaknesses and is not recommended for new applications. This >>> is why FreeBSD has moved to using a combination of MD5 and SHA256. >> >> Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5) >> for FreeBSD. >> For openSUSE I had to use what has been available. >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > > > all that is not to say it's a bad idea, just that people > are interested to see what the advantages are etc. > If one must not say that it is a bad idea then I would conclude the idea to be good. However ranting without giving reasons would really have been amiss. Those of us who want to crack into the systems of innocent users will of course not welcome the tool because it gives them a viable way to defend. To me there is simply no alternative to an online cheksum verification due to its clear advantages. It is a crucial issue which needs to get resolved before I start to deploy FreeBSD on my production systems and before I may decide to engage further in the development of FreeBSD (kernel, fs, power saving). I have received some valueable input from the openSUSE community beforehand implementing the checkroot tool for this OS. Can anyone in here help me or should I go on to ask on a mailing list that is better suited to package management issues (which one to choose? - freebsd-hackers?).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B988135.9030807>