Date: Tue, 11 Jul 2006 15:41:33 -0400 From: Mike Tancsa <mike@sentex.net> To: freebsd-security@freebsd.org Subject: Integrity checking NANOBSD images Message-ID: <6.2.3.4.0.20060711142809.04a6f8e0@64.7.153.2>
next in thread | raw e-mail | index | archive | help
We have a number of Soekris devices that we will be deploying
remotely in semi- hostile physical environments. The remote links
are dialup so I dont have a lot of bandwidth available. I want to do
integrity checks of the images so that I can detect any tampering of
the flash image.
If I upload a static sha256 binary to /tmp on the remote box (which
is a RAM disk) and then do something like
e.g.
# ssh remote1.example.com "mkdir /tmp/rand-directory"
# scp /usr/local/bin/sha256 remote1.example.com:/tmp/rand-directory/sha256
# scp /usr/local/bin/dd remote1.example.com:/tmp/rand-directory/dd
# ssh remote1.example.com "/tmp/rand-directory/dd if=/dev/ad2s1a
bs=4096k | /tmp/rand-directory/sha256"
120+1 records in
120+1 records out
505389056 bytes transferred in 169.727727 secs (2977646 bytes/sec)
955ebad583bfc0718eb28ac89563941407294d5c61a0c0f35e3773f029cc0685
Can I be reasonably certain the image has not been tampered with
? Or are there trivial ways to defeat this check ?
The flash is always mounted read-only, so in theory nothing should
change with it. Or do I need to cram on tripwire or similar programs
onto the nanobsd image ?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.3.4.0.20060711142809.04a6f8e0>