Date:      Mon, 18 Apr 2016 11:43:34 +0100
From:      Vsevolod Stakhov <vsevolod@highsecure.ru>
To:        Matthew Seaman <matthew@FreeBSD.org>, freebsd-pkg@freebsd.org
Subject:   Re: Intrusion Detection using pkg?
Message-ID:  <5714BA56.50704@highsecure.ru>
In-Reply-To: <d9571b48-bea2-a791-c536-af9549166155@freebsd.org>
References:  <d9571b48-bea2-a791-c536-af9549166155@freebsd.org>

On 18/04/2016 11:29, Matthew Seaman wrote:
> Dear all,
> 
> Has anybody been thinking about using pkg(8) as part of a host-based
> intrusion detection system?  Particularly considering the impending
> switch to packaged base for 11.0-RELEASE.
> 
> pkg(8) metadata contains the sha256 checksum of every file it has
> installed except for certain config files that the user is expected to
> modify themselves.  Running 'pkg check -sa' should detect anything that
> has been modified since it was installed.  That's basically what a
> program like tripwire does.  Unfortunately it's also very simple to run
> 'pkg check -ra' which would hide any local modifications. (The
> assumption here is that the system has already been compromised; the
> idea is to make sure that compromise doesn't go undetected.)
> 
> What is needed is a secured mechanism to compare checksums against a
> tamper-proof (preferably off-line) store.  We could pull the checksum
> data out of the signed package tarballs downloaded from the repo each
> time we wanted to run a secure check, but that depends on anyone not
> running 'pkg clean -a' or else that precise package still being
> available from the repo.  Plus it's a lot of work to do that /every/
> time we want to scan for changes.
> 
> We don't, as far as I can tell, have any way of cryptographically
> verifying that package metadata, once loaded into a repo catalogue or
> the local package DB, has not subsequently been altered.  That would
> entail something like creating a detached signature for every file in
> each installed package, which is just the file checksum encrypted using
> a trusted key-pair.  It should be possible to generate that data on a
> package building system, but I don't know if the extra system load and
> increased size of package metadata makes the whole idea a non-starter.
> 
> Thoughts?

I don't like this idea: if an attacker has enough power to modify files
on the FS, why can't he or she do the same for the checksums in the pkg
database? We need digital signatures and a password-protected private
key. Then a user can type something like:

pkg sign <- enter private key password

followed by:

pkg sign --check to verify the existing checksums

Unfortunately, after years of useless discussion we have no sane
signature scheme in pkg, and I have no desire to continue these
discussions, I'm afraid.

-- 
Vsevolod Stakhov
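The signed checksum store the thread is asking for, sketched as an added example that is not part of this message and not pkg(8) code: the function names `Manifest` and `Check`, the "hash  path" line format and the use of ed25519 are assumptions of this sketch. `Manifest` hashes an installed tree, `ed25519.Sign` over those bytes is the "pkg sign" step, and `Check` refuses to trust the stored checksums until their detached signature verifies, which is what makes them tamper-evident even when the attacker already has root and could rewrite the local package DB.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Manifest returns one "sha256hex  relpath" line per regular file under root,
// in filepath.Walk's lexical order, so the bytes are deterministic and signable.
func Manifest(root string) ([]byte, error) {
	var b strings.Builder
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		rel, _ := filepath.Rel(root, p)
		fmt.Fprintf(&b, "%x  %s\n", sha256.Sum256(data), rel)
		return err
	})
	return []byte(b.String()), err
}

// Check is the "pkg sign --check" step: reject a manifest whose detached
// signature fails (stored checksums altered), then list modified or missing files.
func Check(root string, pub ed25519.PublicKey, manifest, sig []byte) ([]string, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest signature invalid: checksums cannot be trusted")
	}
	current, err := Manifest(root)
	if err != nil {
		return nil, err
	}
	now := map[string]bool{} // every "hash  path" line as it is on disk today
	for _, l := range strings.Split(string(current), "\n") {
		now[l] = true
	}
	var changed []string
	for _, l := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if !now[l] { // hash differs or the file is gone
			_, p, _ := strings.Cut(l, "  ")
			changed = append(changed, p)
		}
	}
	return changed, nil
}
```

Files added since signing are not reported by `Check`; the private key is assumed to stay off the host (or behind a password), since a key readable by root gives no more protection than the plain checksums do.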