Re: Root Kit Protection

To: Ethan Benson <erbenson@alaska.net>
Cc: Brent Fulgham <brent.fulgham@xpsystems.com>, Debian-Devel <debian-devel@lists.debian.org>
Subject: Re: Root Kit Protection
From: Mike Markley <mike@markley.org>
Date: Wed, 16 Feb 2000 21:55:21 -0500
Message-id: <20000216215521.A8509@madhack.com>

I've decided to go ahead and write someting like this in perl for my own
ease-of-use; it'll be GPL. The administration details are the interesting
part... I'd like to use the MD5 sums from /var/lib/dpkg/info/*.md5sums but
I'm really not sure how to ensure that these haven't been tampered with since
installation. Perhaps if we could integrate it with tools such as
dpg/apt/etc to add the necessary MD5sums to a configuration file and PGP
sign said file... however, PGP signing a file automatically would be very
difficult to automate. All of this is coming off the top of my head so I may
be missing a very obvious way to handle this; any input? It'd be much
appreciated...

In-Reply-To: <20000216173248.C27100@plato.localdomain.local>; from erbenson@alaska.net on Wed, Feb 16, 2000 at 05:32:48PM -0900

On Wed, Feb 16, 2000 at 05:32:48PM -0900, Ethan Benson wrote:
> On Wed, Feb 16, 2000 at 04:27:52PM -0800, Brent Fulgham wrote:
> > All of this DOS stuff lately has gotten me thinking about security, and
> > in particular "root kits".
> > 
> > I was wondering if it might make sense to have a system daemon that checked
> > the versions of programs on the system against a "trusted" version table.
> > Perhaps this could be something that was built into the "Packages" file
> > as an additional data point (MD5 Sum: blah blah blah).
> > 
> > Then a cron job could run weekly/daily/hourly that checked the MD5 sum of
> > /bin/sh against the one in the Packages file, libc6, etc.  Perhaps Packages
> > could
> > be "signed" to avoid tampering.
> > 
> > Does this sound like it might be useful at all?  It's roughly the same as
> > tripwire or its ilk, but the auditing would be "pre-processed" such that you
> > don't have to build the "before" database on your system -- it get's updated
> > each time you install/upgrade Debian.
> 
> sounds like tripwire but i would hope a Free software version, which
> last time i looked did not exist...
> 
> this would really be a great tool, if it were to play well with the
> dpkg system, things like tripwire become rather useless or impractical
> if you are following the unstable tree of debian since files on the
> system change nearly every day...
> 
> for the md5 databases they would certainly have to be
> cryptographically signed (GnuPG should be fine) and the utility used
> to do the verification should probably be statically linked and
> immutable, since if someone gets in and is aware of this system they
> could replace the auditor with a fake that would never do anything but
> return `hunky dory' status..  does linux have a kernel securelevel
> like the BSD's? so the immutable bit can be set but not removed
> without changing securelevels?  (i am only marginally familier with
> BSD secure levels, so correct me if they are pointless in this
> regard..) 
> 
> This is really a great idea IMO and should be explored further.
> 
> -- 
> Ethan Benson
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
Mike Markley <mike@markley.org>
PGP: 0xA9592D4D 62 A7 11 E2 23 AD 4F 57  27 05 1A 76 56 92 D5 F6
GPG: 0x3B047084 7FC7 0DC0 EF31 DF83 7313  FE2B 77A8 F36A 3B04 7084

Change is the essential process of all existence.
- Spock, "Let That Be Your Last Battlefield", stardate 5730.2

Reply to:

Follow-Ups:
- Re: Root Kit Protection
  - From: Ethan Benson <erbenson@alaska.net>

Prev by Date: Re: /dev/log
Next by Date: ITP: locale-th
Previous by thread: Re: Would somone be interested in packaging AIDE
Next by thread: Re: Root Kit Protection
Index(es):
- Date
- Thread