From owner-freebsd-security Thu Nov 15 1:29:14 2001
Date: Thu, 15 Nov 2001 10:29:01 +0100
From: Tobias Roth
Subject: Re: Spoofing file information?
In-reply-to: ; from sdeburgh@rescuegroup.com on Thu, Nov 15, 2001 at 04:31:49PM +0800
To: Shaun De Burgh
Cc: freebsd-security@freebsd.org
Message-id: <20011115102901.A9254@roy.unibe.ch>
User-Agent: Mutt/1.2.5i

Even root cannot remount a cd-rom in rw mode ;)

But seriously, that depends on the secure level of the system, man init for explanations.

On Thu, Nov 15, 2001 at 04:31:49PM +0800, Shaun De Burgh wrote:
> If the intruder gained root access to your system, couldn't he remount the file systems in rw mode and modify the binary, or does FreeBSD prevent that from occurring?
>
> >>> Tobias Roth 11/15/01 04:24pm >>>
> you run a generic kernel, not a customized one? ;)
>
> no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications.
> As for file modification dates, man touch.
>
> So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:
>
> 1. the md5 binary has not been modified
> 2. the checksums you made and to which you are comparing haven't been modified
>
> you can achieve this for instance by having both the binary and the checksums on a read only medium.
>
> cheers, Tobe
>
> > On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> > Dear All,
> >
> > how easy/difficult would it be for an intruder to spoof file modification
> > dates and sizes (i.e. the data which show up in an "ls -al")?
> >
> > I have e.g. in my root directory:
> > /kernel (3258128 Nov 20 2000)
> > /kernel.GENERIC (3258128 Nov 20 2000)
> > Can I trust that those are identical files (i.e. the kernel is still
> > intact), even if somebody intruded?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------
Tobias Roth                    Phone: +41 31 305 96 29
Buchenweg 22                          +41 76 345 66 47
3012 Bern                      email: caffeine@insomniac.ch
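The checksum comparison Tobias describes, as an added example that is not code from the thread: a small POSIX sh script that records a hash baseline and later verifies files against it, relying on content hashes rather than the size and mtime shown by `ls -al`. It assumes a system with either `md5sum` (Linux) or `md5` (FreeBSD) on the PATH; the baseline file and the hash binary are meant to be kept on read-only media, as the thread suggests.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes md5sum (GNU) or md5 (FreeBSD) is available.

# Print only the hex digest of one file, whichever md5 tool is present.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_baseline BASELINE FILE...: write "<digest>  <path>" per file.
# Include the hash binary itself (e.g. "$(command -v md5sum)") in the list
# so criterion 1 of the thread (untampered md5 binary) is checked as well;
# the baseline must then be stored where an intruder cannot rewrite it.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE: report CHANGED/MISSING paths, return non-zero
# if any entry no longer matches. Sizes and mtimes are deliberately ignored:
# touch(1) sets any mtime, and a replacement can be padded to the old size.
verify_baseline() {
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        got=$(hash_file "$path")
        if [ "$got" != "$want" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$1"
    return $bad
}
```

Run `verify_baseline` from the read-only copy of the script and baseline on a schedule; a non-zero exit is the signal that something on the list was replaced regardless of what `ls -al` shows.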