From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-pkg@freebsd.org
Subject: Intrusion Detection using pkg?
Date: Mon, 18 Apr 2016 11:29:31 +0100
List-Id: Binary package management and package tools discussion

Dear all,

Has anybody been thinking about using pkg(8) as part of a host-based intrusion detection system? Particularly considering the impending switch to packaged base for 11.0-RELEASE.

pkg(8) metadata contains the sha256 checksum of every file it has installed except for certain config files that the user is expected to modify themselves. Running 'pkg check -sa' should detect anything that has been modified since it was installed. That's basically what a program like tripwire does. Unfortunately it's also very simple to run 'pkg check -ra', which would hide any local modifications. (The assumption here is that the system has already been compromised; the idea is to make sure that compromise doesn't go undetected.)
What is needed is a secured mechanism to compare checksums against a tamper-proof (preferably off-line) store. We could pull the checksum data out of the signed package tarballs downloaded from the repo each time we wanted to run a secure check, but that depends on no one having run 'pkg clean -a', or else on that precise package still being available from the repo. Plus it's a lot of work to do that /every/ time we want to scan for changes.

We don't, as far as I can tell, have any way of cryptographically verifying that package metadata, once loaded into a repo catalogue or the local package DB, has not subsequently been altered. That would entail something like creating a detached signature for every file in each installed package, which is just the file checksum encrypted using a trusted key-pair. It should be possible to generate that data on a package building system, but I don't know if the extra system load and increased size of package metadata makes the whole idea a non-starter.

Thoughts?
Cheers,

Matthew
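A sketch of the scheme the message above asks for, as an added example that is not part of the original post and not code from pkg(8) itself. It parses constructed lines in the shape of `pkg query '%Fp %Fs'` output (the assumption that the sum is plain hex, optionally tagged `1$`, is the author's of this example), hashes the listed files the way pkg records them, and authenticates the baseline before using it. Because the Python standard library has no asymmetric signatures, an HMAC-SHA256 tag with a key kept off the host stands in for the detached signature the post describes; the two attacker moves the post worries about (replacing a file, then re-baselining the checksums as `pkg check -ra` would) are both played out against a temporary directory and both are caught:

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample in the shape of `pkg query '%Fp %Fs' <pkg>` output
# (one "<path> <sha256>" pair per line).  Paths and sums are made up and
# only exercise the parser.  Assumption: pkg prints the sum as plain hex,
# possibly with a "1$" checksum-type prefix.
SAMPLE_PKG_QUERY = """\
/usr/local/sbin/nginx 0000000000000000000000000000000000000000000000000000000000000000
/usr/local/etc/nginx/mime.types 1$1111111111111111111111111111111111111111111111111111111111111111
"""


def parse_pkg_query(text):
    """Turn '%Fp %Fs' lines into {path: sha256hex}, dropping any '1$' tag."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            path, digest = line.rsplit(None, 1)
            manifest[path] = digest.split("$", 1)[-1].lower()
    return manifest


def sha256_file(path):
    """sha256 over the file's bytes, which is what pkg(8) stores per file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths):
    """Hash the listed package files, resolved relative to root ('/' on a real host)."""
    return {p: sha256_file(os.path.join(root, p.lstrip("/"))) for p in paths}


def canonical(manifest):
    """Deterministic encoding so the tag covers one stable serialization."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 stand-in for a detached signature over the baseline.  The key
    must live off the host (with the baseline), or an intruder re-signs a forgery."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def audit(manifest, tag, key, root="/"):
    """Refuse an unauthenticated baseline, then compare live files against it."""
    if not verify_manifest(manifest, tag, key):
        raise ValueError("baseline tag mismatch: store tampered or wrong key")
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(manifest.items()):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(full):
            report["missing"].append(path)
        elif sha256_file(full) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Baseline a fake install, then replace a binary and re-baseline to hide it.
    Returns (clean_report, dirty_report, forged_baseline_rejected)."""
    key = b"constructed-offline-verifier-key"
    files = {  # constructed stand-ins for two package files
        "/usr/local/sbin/nginx": b"\x7fELF fake binary",
        "/usr/local/etc/nginx/mime.types": b"types { text/html html; }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for p, data in files.items():
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, files)
        tag = sign_manifest(manifest, key)        # manifest + tag go off-line
        clean = audit(manifest, tag, key, root)
        with open(os.path.join(root, "usr/local/sbin/nginx"), "wb") as f:
            f.write(b"\x7fELF backdoored binary")  # intruder swaps the binary
        dirty = audit(manifest, tag, key, root)   # caught: sum no longer matches
        forged = build_manifest(root, files)      # intruder re-baselines (pkg check -ra)
        try:
            audit(forged, tag, key, root)
            rejected = False
        except ValueError:
            rejected = True                       # caught: old tag doesn't cover it
    return clean, dirty, rejected


if __name__ == "__main__":
    print(demo())
```

The point of `audit` refusing to run on an unverified baseline is exactly the gap the post identifies: a checksum store the intruder can regenerate (the local pkg DB after `pkg check -ra`) proves nothing, while one whose tag or signature is checked against key material that never touches the host does.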