From owner-freebsd-security@FreeBSD.ORG Wed Mar 10 19:38:10 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D17A51065675 for ; Wed, 10 Mar 2010 19:38:10 +0000 (UTC) (envelope-from elmstel@gmail.com) Received: from mail-ww0-f54.google.com (mail-ww0-f54.google.com [74.125.82.54]) by mx1.freebsd.org (Postfix) with ESMTP id 647558FC26 for ; Wed, 10 Mar 2010 19:38:10 +0000 (UTC) Received: by wwb24 with SMTP id 24so1543472wwb.13 for ; Wed, 10 Mar 2010 11:38:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=vkfUfVuQrdxjXnFvquKh28ZYseeIfptAUZ+m/PHELp0=; b=KoeXFvQ/uSvVa5Bf0nOyD0cjJD57vqRvu0oe2W8ABTv9lDehm51AcwPCVhVW6RC8GD U5LGFGm35FWDuS/FhPrYiLJklFDUkhlhSrvPCgQ6D/mAk5gexm/b8eEINFNWN/qZojyQ Rv7B0IDJzNokpLVoieVLitoBFoNubzMt9WNEU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=ZAv4DOMB8u7pJtGUI6tq9nzjggKZmCkjIRvY70RoCWsf/tfQH8Yxt+dTY/s1NdYzcD S1U3w26attthXunlTwUa4pFlLocpYCP8+FMP4vhtoemjWyWcH+C1+rZiqicuh+haSsoY 3Dh0849GpD+u+tR/VShn3+giELqK7TVLhTKsY= Received: by 10.216.88.10 with SMTP id z10mr1300869wee.108.1268249889169; Wed, 10 Mar 2010 11:38:09 -0800 (PST) Received: from [10.0.0.7] (93-82-70-102.adsl.highway.telekom.at [93.82.70.102]) by mx.google.com with ESMTPS id q9sm23053213gve.24.2010.03.10.11.38.07 (version=SSLv3 cipher=RC4-MD5); Wed, 10 Mar 2010 11:38:08 -0800 (PST) Message-ID: <4B97C1D1.7050209@gmail.com> Date: Wed, 10 Mar 2010 16:59:13 +0100 From: Elmar Stellnberger User-Agent: Thunderbird 2.0.0.23 (X11/20090817) MIME-Version: 1.0 To: Peter Jeremy References: <4B97AB28.8060403@gmail.com> <20100310185328.GD37825@server.vk2pj.dyndns.org> In-Reply-To: <20100310185328.GD37825@server.vk2pj.dyndns.org> Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 10 Mar 2010 20:07:56 +0000 Cc: freebsd-security@freebsd.org Subject: Re: online cheksum verification for FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2010 19:38:11 -0000 >> The only thing that I have found about it is: >> "DS Compare the system against a "known good" index of the installed >> release.'" > > As well as freebsd-update(8), the FreeBSD base system includes > mtree(8) - which can be used to generate and check file hashes. Other > tools, such as tripwire, are available in the ports tree. > As far as I am informed freebsd generates the checksums right after installation. However this is absolutely useless for a tool like checkroot that aims at an online checksum verification. > On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote: >> I believe it would be highly desireable to have an online md5sum >> verification for FreeBSD as this is already implemented by checkroot >> (http://www.elstel.com/checkroot/) for openSUSE. > > You are welcome to adapt your tool to support FreeBSD and have it > included in the ports system. Could anyone help me in how to obtain online cheksums (md5 or better sha1) for the files of every installed package? > > That said, it's unclear that your tool offers any benefits over > the freebsd-update(8) tool that is part of the FreeBSD base system. > You seem to be really ignorant about the issues I have pointed out about online/offline cheksums: * offline cheksums require some security tool having been installed in advance. Most users simply don`t have tripwire or sth. else installed but are nonetheless possible targets for crackers. * offline cheksums are very tedious to maintain: They require a full system verification in advance to any new update being followed by a new checksum backup If you just forget that once you can throw your system away. Now do also think about applying a single update or about updating regularely which should be recommended for reasons of security. > Note that an > intruder could equally easily modify the checkroot executable unless > it is also stored on read-only media. Yes I have clearly pointed this out on my web site. The tool will of course not be useful as long as it is not invoked fromout of a boot CD. Concerning me I do always have a current boot CD handy - and be it just for reinstalling the boot loader. > > I notice that your tool only appears to store MD5 hashes - I presume > you are aware that the MD5 algorithm has been shown to have a number > of weaknesses and is not recommended for new applications. This > is why FreeBSD has moved to using a combination of MD5 and SHA256. Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5) for FreeBSD. For openSUSE I had to use what has been available.