Re: Root Kit Protection



On Wed, Feb 16, 2000 at 09:55:21PM -0500, Mike Markley wrote:
> I've decided to go ahead and write something like this in perl for my own
> ease-of-use; it'll be GPL. The administration details are the interesting
> part... I'd like to use the MD5 sums from /var/lib/dpkg/info/*.md5sums but
> I'm really not sure how to ensure that these haven't been tampered with since
> installation. Perhaps if we could integrate it with tools such as
> dpg/apt/etc to add the necessary MD5sums to a configuration file and PGP
> sign said file... however, PGP signing a file automatically would be very
> difficult to automate. All of this is coming off the top of my head so I may
> be missing a very obvious way to handle this; any input? It'd be much
> appreciated...

the md5sum database MUST be either 1) on immutable media (write
protected floppy, or CDROM) or 2) cryptographically signed with
GPG/PGP.  the former is impossible to automate really since it
requires the user to make hardware modifications to save the
immutable database. 

cryptographic signatures, however, I see being done one of three ways:

1) debian distributes a complete md5sum database of every single file
in the distribution signed by a single debian GnuPG key.  this would
have to be redownloaded at every update (with apt-get update, say) and
I would guess it would be HUGE.

2) each package has an md5sum list of every file it contains; this list
is signed by the maintainer's GnuPG key. when a package is installed
this signed list is added to the system list.  I think this might be
rather slow as a verification has to perform many separate signature
verifications (1000 packages installed: 1000 GnuPG signatures to check,
one per package list)

3) md5sums of all files are gathered together in a single database
(either by gathering the md5sums from the packages, or less preferably
scanning the disk) and that database is re-signed every time it's
updated, by the administrator's private GnuPG key.

I think that 3 is really the only practical way to go. everything can
be automated up to asking for the admin's GnuPG passphrase, and we
don't end up with yet another huge database/index to download.
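Option 3 sketched as a small shell example (added here, not code from the poster or from dpkg): it gathers the per-package lists from /var/lib/dpkg/info/*.md5sums into one database, detach-signs it with the administrator's GnuPG key, and refuses to check any file until that signature verifies. It assumes GNU md5sum and gpg are installed and that the database path given is absolute.

```sh
#!/bin/sh
# Consolidated, GnuPG-signed md5sum database built from dpkg's own lists.
# Assumptions: GNU coreutils md5sum, gpg in PATH, absolute DB path.
INFO_DIR="${INFO_DIR:-/var/lib/dpkg/info}"   # dpkg's per-package *.md5sums
ROOT="${ROOT:-/}"                              # dpkg lists paths relative to /

# build_db DB: concatenate every package's md5sum list into one file,
# sorted by path so successive databases diff cleanly.
build_db() {
    db="$1"
    : > "$db"
    for list in "$INFO_DIR"/*.md5sums; do
        [ -f "$list" ] || continue
        cat "$list" >> "$db"
    done
    sort -k2 "$db" -o "$db"
}

# sign_db DB: detach-sign with the admin's key (gpg prompts for the passphrase).
sign_db() {
    gpg --armor --detach-sign --output "$1.asc" "$1"
}

# verify_files DB: compare the filesystem against DB. Prints each path
# whose md5sum no longer matches (or that is missing); returns 1 if any.
verify_files() {
    changed=$(cd "$ROOT" && md5sum -c --quiet "$1" 2>/dev/null \
              | sed 's/: FAILED.*//')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# check_db DB: an unsigned or altered database is worthless as a
# reference, so verify its signature before trusting any sum in it.
check_db() {
    db="$1"
    if ! gpg --verify "$db.asc" "$db" 2>/dev/null; then
        echo "refusing to use $db: signature missing or invalid" >&2
        return 2
    fi
    verify_files "$db"
}

case "${1:-}" in
    build) build_db "${2:-$PWD/md5sums.db}" ;;
    sign)  sign_db  "${2:-$PWD/md5sums.db}" ;;
    check) check_db "${2:-$PWD/md5sums.db}" ;;
esac
```

Run `build` then `sign` after every package install; `check` from cron or a read-only rescue medium reports changed paths and exits non-zero.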

somewhat related to this, I think that 3 improvements to the packaging
system would be beneficial:

1: packages include GnuPG signatures to ensure they are genuine
(protect against mirror tampering etc.)

2: packages include a complete md5sum list of all files in the
package.

3: dpkg on package installation adds the package's md5sum list to the
system database, and (if configured to do so) asks for the GPG
passphrase to sign the database.

some other niceties this system could have:

a utility to scan and update a separate list of md5sums for
configuration files. configuration files are easy to find given they
are marked in the deb packages. since the admin likely alters
configuration files, the debian md5sums will be rendered invalid; a way
for the admin to maintain a local md5sum database of the configuration
files will allow him to be alerted if something is altered without his
knowledge.  (he would of course need to rerun this utility after every
config alteration)

a utility to take care of locally installed software in /usr/local;
basically a tripwire that is Free software, but included as part of
the dpkg tripwire so that reports and scans are unified, avoiding the
need to maintain 2 separate and unrelated implementations of the same
thing.

I really think for this to be useful it needs some hooks into the
packaging system; without those hooks you just end up with a tripwire
clone with all of its inconveniences intact. (there may already be
such a clone; it's been a while since I checked.)

-- 
Ethan Benson
