Date: Tue, 11 Jul 2006 15:41:33 -0400 From: Mike Tancsa <mike@sentex.net> To: freebsd-security@freebsd.org Subject: Integrity checking NANOBSD images Message-ID: <6.2.3.4.0.20060711142809.04a6f8e0@64.7.153.2>
next in thread | raw e-mail | index | archive | help
We have a number of Soekris devices that we will be deploying remotely in semi- hostile physical environments. The remote links are dialup so I dont have a lot of bandwidth available. I want to do integrity checks of the images so that I can detect any tampering of the flash image. If I upload a static sha256 binary to /tmp on the remote box (which is a RAM disk) and then do something like e.g. # ssh remote1.example.com "mkdir /tmp/rand-directory" # scp /usr/local/bin/sha256 remote1.example.com:/tmp/rand-directory/sha256 # scp /usr/local/bin/dd remote1.example.com:/tmp/rand-directory/dd # ssh remote1.example.com "/tmp/rand-directory/dd if=/dev/ad2s1a bs=4096k | /tmp/rand-directory/sha256" 120+1 records in 120+1 records out 505389056 bytes transferred in 169.727727 secs (2977646 bytes/sec) 955ebad583bfc0718eb28ac89563941407294d5c61a0c0f35e3773f029cc0685 Can I be reasonably certain the image has not been tampered with ? Or are there trivial ways to defeat this check ? The flash is always mounted read-only, so in theory nothing should change with it. Or do I need to cram on tripwire or similar programs onto the nanobsd image ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.3.4.0.20060711142809.04a6f8e0>