From owner-freebsd-pkg@freebsd.org Mon Apr 18 10:43:47 2016
Subject: Re: Intrusion Detection using pkg?
To: Matthew Seaman, freebsd-pkg@freebsd.org
From: Vsevolod Stakhov
Message-ID: <5714BA56.50704@highsecure.ru>
Date: Mon, 18 Apr 2016 11:43:34 +0100
List-Id: Binary package management and package tools discussion

On 18/04/2016 11:29, Matthew Seaman wrote:
> Dear all,
>
> Has anybody been thinking about using pkg(8) as part of a host-based
> intrusion detection system? Particularly considering the impending
> switch to packaged base for 11.0-RELEASE.
>
> pkg(8) metadata contains the sha256 checksum of every file it has
> installed except for certain config files that the user is expected to
> modify themselves. Running 'pkg check -sa' should detect anything that
> has been modified since it was installed. That's basically what a
> program like tripwire does. Unfortunately it's also very simple to run
> 'pkg check -ra' which would hide any local modifications. (The
> assumption here is that the system has already been compromised; the
> idea is to make sure that compromise doesn't go undetected.)
>
> What is needed is a secured mechanism to compare checksums against a
> tamper-proof (preferably off-line) store. We could pull the checksum
> data out of the signed package tarballs downloaded from the repo each
> time we wanted to run a secure check, but that depends on anyone not
> running 'pkg clean -a' or else that precise package still being
> available from the repo. Plus it's a lot of work to do that /every/
> time we want to scan for changes.
>
> We don't, as far as I can tell, have any way of cryptographically
> verifying that package metadata, once loaded into a repo catalogue or
> the local package DB, has not subsequently been altered. That would
> entail something like creating a detached signature for every file in
> each installed package, which is just the file checksum encrypted using
> a trusted key-pair. It should be possible to generate that data on a
> package building system, but I don't know if the extra system load and
> increased size of package metadata makes the whole idea a non-starter.
>
> Thoughts?

I don't like this idea: if an attacker has enough power to modify files
on the FS, why can't he or she do the same for the checksums in the pkg
database? We need digital signatures and a password-protected private
key. Then a user can type something like:

    pkg sign            <- enter private key password

followed by:

    pkg sign --check

to verify the existing checksums.

Unfortunately, after years of useless discussion we have no sane
signature scheme in pkg, and I have no desire to continue these
discussions, I'm afraid.

--
Vsevolod Stakhov
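As an added example, not code from this thread or from pkg itself: a minimal baseline check in Python that only trusts a stored checksum list after verifying it, which is the property the thread wants. It assumes an HMAC key held off the scanned host as a stand-in for the password-protected signing key proposed above; the file tree, key and "post-install change" are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def sha256_file(path):
    # Same per-file digest that pkg stores in its metadata.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def sign_baseline(manifest, key):
    # Canonical JSON of {path: sha256} plus a MAC; HMAC stands in for the proposed detached signature.
    body = json.dumps(manifest, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def verify_baseline(signed, key):
    # Refuse a checksum list whose MAC fails, so rewritten checksums ('pkg check -ra') cannot pass.
    expected = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline MAC mismatch: stored checksums are not trustworthy")
    return json.loads(signed["body"])

def scan(signed, key):
    # [(path, finding)] for files that are missing or differ from the verified baseline.
    findings = []
    for path, digest in verify_baseline(signed, key).items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != digest:
            findings.append((path, "modified"))
    return findings

def demo():
    # Constructed scenario: clean scan, one file changed, then a forged baseline.
    key = b"constructed-offline-key"
    with tempfile.TemporaryDirectory() as d:
        sh, rc = Path(d, "bin", "sh"), Path(d, "etc", "rc")
        for p, content in ((sh, b"#!/bin/sh\n"), (rc, b"ok\n")):
            p.parent.mkdir(parents=True)
            p.write_bytes(content)
        signed = sign_baseline({str(p): sha256_file(p) for p in (sh, rc)}, key)
        clean = scan(signed, key)
        sh.write_bytes(sh.read_bytes() + b"# post-install change\n")
        modified = [kind for _, kind in scan(signed, key)]
        # Re-hashing the changed tree without the key yields a baseline that fails verification.
        forged = dict(signed, body=json.dumps({str(p): sha256_file(p) for p in (sh, rc)}, sort_keys=True))
        try:
            scan(forged, key)
            rejected = False
        except ValueError:
            rejected = True
    return clean, modified, rejected
```

Run `demo()` to see the three outcomes: no findings on a clean tree, one "modified" finding after the change, and the forged baseline rejected outright.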