
Re: Root Kit Protection



On Wed, Feb 16, 2000 at 04:27:52PM -0800, Brent Fulgham wrote:
> All of this DOS stuff lately has gotten me thinking about security, and
> in particular "root kits".
> 
> I was wondering if it might make sense to have a system daemon that checked
> the versions of programs on the system against a "trusted" version table.

Yet another daemon?  Good for the truly paranoid, but maybe overkill on some
systems, where a periodic cron job would likely suffice.

> Perhaps this could be something that was built into the "Packages" file
> as an additional data point (MD5 Sum: blah blah blah).

In the "Packages" file?  I don't think it would help much, as it would require
keeping the original .deb's around to verify against, and even that wouldn't
necessarily reflect the installed system binaries.

> Then a cron job could run weekly/daily/hourly that checked the MD5 sum of
> /bin/sh against the one in the Packages file, libc6, etc.  Perhaps Packages
> could be "signed" to avoid tampering.

This might be nice for mirror verification.

> Does this sound like it might be useful at all?  It's roughly the same as
> tripwire or its ilk, but the auditing would be "pre-processed" such that you
> don't have to build the "before" database on your system -- it gets updated
> each time you install/upgrade Debian.

In general principle, yes it does, and I've been mulling it over for a while now
trying to think of a good solution to use.  The main problem as I see it is
that while we have the "debsums" package not every package makes use of it. 
Doing some testing with "swim" is what really caught my eye in this area, I
ran some verifications on a couple of packages, all md5 sums passed, and
also on lilo, in which case /sbin/lilo failed out as I expected it to, since
I have it dpkg-divert'ed and replaced with a perl script to update my grub
menu file (much more convenient when installing kernel pkgs).  Inspired by
this I started running over a bunch more "system critical" packages, and
then noticed that not every package includes the md5 hashes for its files,
effectively collapsing my intended strategy (cron job that parses md5 sums
for a list of chosen packages, and reports failures).  So I've toyed about
with the idea that I could run over and generate md5 sums, but upgrading
then becomes a big mess, and there's really no way to verify that what I
originally downloaded was what was originally uploaded.  So, IMHO it would
be *nice* if policy made some mention of md5 sums for system accounting
purposes, but not being a registered developer I haven't brought the issue
up on -policy or anything.  I'm curious to hear what others think of the
situation.

Marc
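As an added example (my own, not Marc's script and not anything shipped by Debian), here is the cron job Marc sketches: a POSIX sh script that walks a chosen list of packages, reads each package's /var/lib/dpkg/info/<pkg>.md5sums list, and reports files that are missing or whose md5 differs, and also reports packages that ship no list at all, which is the gap that broke his plan. The package names (bash, lilo, scratch-demo, grub-demo), the file contents and the fake root it builds under mktemp are constructed sample data; the real defaults (/ and /var/lib/dpkg/info) only come into play if you drop the demo section at the bottom and run it from cron.

```shell
#!/bin/sh
# Added example, not Marc's or Debian's code.  Verifies installed files
# against dpkg's per-package lists, /var/lib/dpkg/info/<pkg>.md5sums, whose
# lines look like "<md5>  <path relative to />".
set -u

# Defaults are the real locations; the demo at the bottom points them at a
# constructed fake root so the script runs without touching the live system.
ROOT="${ROOT:-/}"
DPKG_INFO="${DPKG_INFO:-/var/lib/dpkg/info}"

# check_package PKG
#   returns 0: every listed file matches
#   returns 1: at least one MISSING or MISMATCH line was printed
#   returns 2: the package shipped no md5sums list at all (Marc's problem)
check_package() {
    pkg=$1
    list="$DPKG_INFO/$pkg.md5sums"
    [ -f "$list" ] || { echo "NO-MD5SUMS $pkg"; return 2; }
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        f="$ROOT/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $pkg /$path"
            rc=1
            continue
        fi
        got=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $pkg /$path expected $want got $got"
            rc=1
        fi
    done < "$list"
    return $rc
}

# check_all PKG...: run the chosen list, print a one-line summary, and
# return the number of packages that did not verify cleanly.
check_all() {
    bad=0
    for p in "$@"; do
        check_package "$p" || bad=$((bad + 1))
    done
    echo "$bad of $# package(s) did not verify"
    if [ "$bad" -gt 255 ]; then bad=255; fi
    return $bad
}

# build_demo DIR: constructed sample data standing in for / and
# /var/lib/dpkg/info.  bash verifies; lilo was replaced after install (as
# with Marc's dpkg-divert'ed perl script); scratch-demo lost a file; and
# grub-demo shipped no md5sums list at all.
build_demo() {
    d=$1
    mkdir -p "$d/root/bin" "$d/root/sbin" "$d/info"
    printf '#!/bin/sh\necho real sh\n' > "$d/root/bin/sh"
    printf '#!/bin/sh\necho real lilo\n' > "$d/root/sbin/lilo"
    printf 'scratch\n' > "$d/root/bin/scratch"
    # md5sum prints "<md5>  <relative path>", the same format dpkg stores
    ( cd "$d/root" && md5sum bin/sh > "$d/info/bash.md5sums" \
        && md5sum sbin/lilo > "$d/info/lilo.md5sums" \
        && md5sum bin/scratch > "$d/info/scratch-demo.md5sums" )
    # now change things behind dpkg's back: swap lilo for a wrapper, drop a file
    printf '#!/bin/sh\nexec update-grub\n' > "$d/root/sbin/lilo"
    rm "$d/root/bin/scratch"
}

# Stand-alone run: build the sample tree, check four packages, clean up.
# A real cron job would exit with $status so the failure is visible.
demo_dir=$(mktemp -d)
build_demo "$demo_dir"
ROOT="$demo_dir/root"; DPKG_INFO="$demo_dir/info"
status=0
check_all bash lilo scratch-demo grub-demo || status=$?
rm -rf "$demo_dir"
echo "cron exit status would be $status"
```

Two caveats the thread already hints at: the .md5sums lists sit on the same filesystem as the binaries, so an intruder with root can rewrite both together, which is why the lists you compare against should really be a copy kept off the box (the original .deb carries the same md5sums file in its control archive); and a matching md5 says nothing about whether the package was genuine when it was downloaded, which is the signing question Brent raises. The debsums package does this same check with more polish, but it is subject to the same two limits.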

