Re: verify installed packages' binaries integrity ?

2008-12-19 Thread jul
Stuart Henderson wrote on 18/12/08 21:14:
 On 2008-12-18, jul jul_...@yahoo.fr wrote:
 a small question, is there any way to check integrity of installed
 packages' binaries ?
 
 yes, by (ab)using pkg_create:
 
 for i in `find /var/db/pkg -name +CONTENTS`; do
     pkg_create -nf "$i" > /dev/null
 done


Exactly what I want.

Thanks a lot, Stuart.

For the archives: seriously, and as said before, it's only one step in
an investigation. It doesn't replace a dd + forensic analysis for a
compromised host.
But when you are suspicious and there is no mtree/samhain/aide or the like, it
helps.



Re: verify installed packages' binaries integrity ?

2008-12-19 Thread Todd T. Fries
Try:

   pkg_delete -n /var/db/pkg/*

Look for any lines mentioning files are missing or files have the wrong
hash.  For example, I added a '.' to README.OpenBSD in qemu:

   $ pkg_delete -n qemu
   /usr/sbin/pkg_delete should be run as root
   Pretending to delete qemu-0.9.1p4
   Problem: checksum doesn't match for /usr/local/share/doc/qemu/README.OpenBSD
   NOT deleting: /usr/local/share/doc/qemu/README.OpenBSD
   remove dependency on sdl-1.2.13p6
   --- qemu-0.9.1p4 ---
   Couldn't delete /usr/local/share/doc/qemu/README.OpenBSD (bad checksum)

Problem being, regardless of the OS, unless you boot from clean media and
execute no binaries etc. from the compromised system's disk or any other
files the compromised system has access to, you really can never trust
anything you see or any programs you run.

So, the above is only valid if you want to check for disk corruption, really.
-- 
Todd Fries .. t...@fries.net

Free Daemon Consulting, LLC
1.636.410.0632 (voice)
1.405.227.9094 (voice)
1.866.792.3418 (FAX)
250797 (FWD)
http://FreeDaemonConsulting.com
..in support of free software solutions.
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by jul on 20081219 20:08.11, we have:
| Stuart Henderson wrote on 18/12/08 21:14:
|  On 2008-12-18, jul jul_...@yahoo.fr wrote:
|  a small question, is there any way to check integrity of installed
|  packages' binaries ?
|  
|  yes, by (ab)using pkg_create:
|  
|  for i in `find /var/db/pkg -name +CONTENTS`; do
|      pkg_create -nf "$i" > /dev/null
|  done
| 
| 
| Exactly what I want.
| 
| Thanks a lot, Stuart.
| 
| For the archives: seriously, and as said before, it's only one step in
| an investigation. It doesn't replace a dd + forensic analysis for a
| compromised host.
| But when you are suspicious and there is no mtree/samhain/aide or the like, it
| helps.



verify installed packages' binaries integrity ?

2008-12-18 Thread jul
(Note: it is not related to packages integrity when installing)

a small question, is there any way to check integrity of installed
packages' binaries ?
Let me explain: in the case where I fear my host is compromised and I forgot or
have corrupted mtree files, can I ask the pkg manager to say if any
referenced file has a different checksum than recorded? (+CONTENTS file
has md5 and size)

I know this does not concern any base binaries, which are the stuff that
matters the most, but otherwise ...
If no mtree, I think the last option is comparing with binaries from the CD,
hoping they didn't change.

thanks
Regards



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread Guillermo Bernaldo de Quiros Maraver
Hi all.

I think that you can use chkrootkit for this; you can see more about
this software on its home page or in Google.

if you want to know more about this software, see the home page:
http://www.chkrootkit.org/

bye.

2008/12/18, jul jul_...@yahoo.fr:
 (Note: it is not related to packages integrity when installing)

 a small question, is there any way to check integrity of installed
 packages' binaries ?
 Let me explain: in the case where I fear my host is compromised and I forgot or
 have corrupted mtree files, can I ask the pkg manager to say if any
 referenced file has a different checksum than recorded? (+CONTENTS file
 has md5 and size)

 I know this does not concern any base binaries, which are the stuff that
 matters the most, but otherwise ...
 If no mtree, I think the last option is comparing with binaries from the CD,
 hoping they didn't change.

 thanks
 Regards



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread Guillermo Bernaldo de Quiros Maraver
Hi again.

Well, reading the file $PORTSDIR/infrastructure/mk/bsd.port.mk, I can
see that you can tell if a binary is compromised by:

cksum -b -a sha256 /usr/local/bin/program and seeing if this is equal to
the +CONTENTS file; if not, then the binary may be compromised (I
think, but not sure).

Sorry for my bad english.
bye.

2008/12/18, Guillermo Bernaldo de Quiros Maraver debug...@gmail.com:
 Hi all.

 I think that you can use chkrootkit for this; you can see more about
 this software on its home page or in Google.

 if you want to know more about this software, see the home page:
 http://www.chkrootkit.org/

 bye.

 2008/12/18, jul jul_...@yahoo.fr:
 (Note: it is not related to packages integrity when installing)

 a small question, is there any way to check integrity of installed
 packages' binaries ?
 Let me explain: in the case where I fear my host is compromised and I forgot or
 have corrupted mtree files, can I ask the pkg manager to say if any
 referenced file has a different checksum than recorded? (+CONTENTS file
 has md5 and size)

 I know this does not concern any base binaries, which are the stuff that
 matters the most, but otherwise ...
 If no mtree, I think the last option is comparing with binaries from the CD,
 hoping they didn't change.

 thanks
 Regards



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread jul
Guillermo Bernaldo de Quiros Maraver wrote on 18/12/08 20:30:
 I think that you can use chkrootkit for this; you can see more about
 this software on its home page or in Google.

Thanks, but that's not what I am looking for.
chkrootkit checks only a known list of binaries (mostly base, I think) to
see if there is a trace of infection.

I'm looking to check if stuff installed on the machine has been changed.
It's really about a local step on packages' binaries' integrity to
confirm or not a suspicion of compromise.
Afterwards you can compare to remote reference packages, dd the disk and
forensic it.

Regards



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread Stuart Henderson
On 2008-12-18, jul jul_...@yahoo.fr wrote:
 a small question, is there any way to check integrity of installed
 packages' binaries ?

yes, by (ab)using pkg_create:

for i in `find /var/db/pkg -name +CONTENTS`; do
    pkg_create -nf "$i" > /dev/null
done
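The comparison Stuart's loop drives through pkg_create (and Todd's pkg_delete -n), written out as an added example for this thread; it is not part of the thread and not OpenBSD's pkg_* tools. It parses each +CONTENTS packing list and compares the recorded digest and size with the file on disk. The packing-list layout it assumes (a relative file line, or a @bin/@lib/@man/@info/@shell line naming the file, followed by @sha carrying a base64 SHA-256 or @md5 carrying a hex MD5, then @size, with @cwd setting the prefix) and the fake qemu-0.9.1p4 package it builds in a temporary directory are both constructed for the demonstration. The root parameter exists so the same check can run against a mounted image from clean media rather than on the live system, which is the caveat Todd and Paul raise.

```python
"""Verify installed files against the digests in OpenBSD +CONTENTS packing
lists (the check behind Stuart's pkg_create -n loop). Added example, not
OpenBSD's pkg_* tools. Assumed layout: a relative file line, or a
@bin/@lib/@man/@info/@shell line naming the file, followed by
'@sha <base64 sha256>' or '@md5 <hex>' and '@size <bytes>'; '@cwd' sets the prefix."""
import base64
import hashlib
import os
import tempfile

FILE_ANNOTATIONS = {"@bin", "@lib", "@man", "@info", "@shell"}
# Constructed fixture: (annotation, relative path, bytes, digest form).
FIXTURE = [("@bin ", "bin/qemu", b"\x7fELF fake binary\x00" * 4, "sha"),
           ("", "share/doc/qemu/README.OpenBSD", b"qemu on OpenBSD\n", "md5"),
           ("@man ", "man/man1/qemu.1", b".Dd December 2008\n", "sha")]


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.digest()


def parse_contents(text):
    """Return [{path, cwd, sha|md5?, size?}] for every file the list names."""
    cwd, entries, cur = "/usr/local", [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        key, _, arg = line.partition(" ")
        if not line.startswith("@") or key in FILE_ANNOTATIONS:
            cur = {"path": arg if line.startswith("@") else line, "cwd": cwd}
            entries.append(cur)
        elif key == "@cwd":
            cwd = arg
        elif key in ("@sha", "@md5", "@size") and cur:
            cur[key[1:]] = (base64.b64decode(arg) if key == "@sha" else
                            bytes.fromhex(arg) if key == "@md5" else int(arg))
        else:                       # @name, @depend, @dir, @exec, ... carry no digest
            cur = None
    return entries


def verify_contents(contents_path, root="/"):
    """Compare each listed file with its copy under 'root' (point 'root' at a
    mounted image). Returns [(installed_path, status, detail)] for problems only."""
    problems = []
    with open(contents_path) as fh:
        entries = parse_contents(fh.read())
    for e in entries:
        installed = os.path.join(e["cwd"], e["path"])
        on_disk = os.path.join(root, installed.lstrip("/"))
        if not os.path.isfile(on_disk):
            problems.append((installed, "missing", ""))
            continue
        size, algo = os.path.getsize(on_disk), "sha256" if "sha" in e else "md5"
        recorded = e.get("sha") or e.get("md5")
        if recorded and file_digest(on_disk, algo) != recorded:
            problems.append((installed, "checksum",
                             f"{algo} differs; size {size}, recorded {e.get('size')}"))
        elif "size" in e and size != e["size"]:
            problems.append((installed, "size", f"{size} != {e['size']}"))
    return problems


def verify_pkg_db(db_dir, root="/"):
    """The 'find /var/db/pkg -name +CONTENTS' loop: {package: problems}."""
    report = {}
    for pkg in sorted(os.listdir(db_dir)):
        contents = os.path.join(db_dir, pkg, "+CONTENTS")
        problems = verify_contents(contents, root) if os.path.isfile(contents) else []
        if problems:
            report[pkg] = problems
    return report


def build_fixture(root):
    """Fake qemu-0.9.1p4 under root/usr/local plus a matching +CONTENTS."""
    prefix = os.path.join(root, "usr/local")
    lines = ["@name qemu-0.9.1p4", "@cwd /usr/local", "@depend devel/sdl:sdl-*:sdl-1.2.13p6"]
    for ann, rel, data, form in FIXTURE:
        path = os.path.join(prefix, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        digest = (f"@sha {base64.b64encode(file_digest(path, 'sha256')).decode()}"
                  if form == "sha" else f"@md5 {file_digest(path, 'md5').hex()}")
        lines += [ann + rel, digest, f"@size {len(data)}"]
    pkgdir = os.path.join(root, "var/db/pkg/qemu-0.9.1p4")
    os.makedirs(pkgdir)
    with open(os.path.join(pkgdir, "+CONTENTS"), "w") as fh:
        fh.write("\n".join(lines + ["@dir share/doc/qemu", ""]))
    return prefix


def demo():
    """Clean run, then Todd's '.' appended to README, a same-size change to the
    binary and a deleted man page; returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as root:
        prefix, db = build_fixture(root), os.path.join(root, "var/db/pkg")
        clean = verify_pkg_db(db, root)
        with open(os.path.join(prefix, "share/doc/qemu/README.OpenBSD"), "ab") as fh:
            fh.write(b".")
        with open(os.path.join(prefix, "bin/qemu"), "r+b") as fh:
            fh.write(b"\x7eELF")            # same length, different bytes
        os.remove(os.path.join(prefix, "man/man1/qemu.1"))
        return clean, verify_pkg_db(db, root)


if __name__ == "__main__":
    for pkg, problems in demo()[1].items():
        for path, status, detail in problems:
            print(f"{pkg}: {status} {path} {detail}")
```

Run as-is it reports the three findings on the tampered fixture (a checksum mismatch for the binary despite its unchanged size, a checksum mismatch for the README, and the missing man page). Against a real disk you would boot from clean media, mount the suspect filesystem and call verify_pkg_db("/mnt/suspect/var/db/pkg", root="/mnt/suspect"); as Paul points out, a packing list the intruder could have rewritten proves nothing, so this is a triage and disk-corruption check, not a verdict.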



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread Paul de Weerd
On Thu, Dec 18, 2008 at 08:48:12PM +0100, Guillermo Bernaldo de Quiros Maraver wrote:
| Hi again.
| 
| Well, reading the file $PORTSDIR/infrastructure/mk/bsd.port.mk, I can
| see that you can tell if a binary is compromised by:
| 
| cksum -b -a sha256 /usr/local/bin/program and seeing if this is equal to
| the +CONTENTS file; if not, then the binary may be compromised (I
| think, but not sure).

So if I break into your machine, I have to remember to fix all the
+CONTENTS files for any local binaries I've changed ?

And you're going to check this with the tools that are already there ?
Maybe that's an easier solution then, I'll just let it ignore whatever
I have changed.


Seriously, if you suspect a machine to have been compromised, take it
offline, create an image of the filesystems on the disk (making sure
never to write to the disk) for later analysis perhaps but afterwards
*completely* wipe it, reinstall and restore from your backups.

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: verify installed packages' binaries integrity ?

2008-12-18 Thread Denny White
On Thu, Dec 18, 2008 at 08:04:05PM +0100, jul spoke thusly:
 (Note: it is not related to packages integrity when installing)
 
 a small question, is there any way to check integrity of installed
 packages' binaries ?
 Let me explain: in the case where I fear my host is compromised and I forgot or
 have corrupted mtree files, can I ask the pkg manager to say if any
 referenced file has a different checksum than recorded? (+CONTENTS file
 has md5 and size)
 
 I know this does not concern any base binaries, which are the stuff that
 matters the most, but otherwise ...
 If no mtree, I think the last option is comparing with binaries from the CD,
 hoping they didn't change.
 
 thanks
 Regards

A simple alternative way to check the integrity of files is at:

https://calomel.org/ids_mtree.html

I use ids.sh out of a nightly cronjob and cuss myself out every time I
forget to run the script with 'generate' after changing something, as
it doesn't miss anything. At least it hasn't yet. ;) And the plus is,
it's done with mtree, which is in base, instead of using something
third-party and having to fart around with another conf file.


Denny White 

-- 

 /\   ASCII Ribbon Campaign
 \ /  Respect for low technology.
  X   Keep e-mail messages readable by any computer system.
 / \  Keep it ASCII.
===
GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A
===
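The generate-then-check cycle Denny describes, as an added example for this thread; it is neither calomel.org's ids.sh nor mtree(8), only a minimal baseline checker written in the same spirit. 'generate' records mode, size and SHA-256 for every regular file under the watched directories and 'check' reports what changed, went missing or was added since, which is the one thing a +CONTENTS comparison cannot show (a dropped-in file belongs to no package). The spec lines borrow mtree's keyword style (type=, mode=, size=, sha256digest=) but are not mtree-compatible, paths with whitespace are not handled, and the directory tree it builds in a temporary directory is constructed for the demonstration.

```python
"""A minimal mtree-style baseline check in the spirit of Denny's nightly
ids.sh: 'generate' records mode, size and SHA-256 for every regular file under
the watched directories, 'check' reports what changed, went missing or was
added since. Added example; neither calomel.org's ids.sh nor mtree(8). The
spec lines only borrow mtree's keyword style and whitespace in paths is unsupported."""
import hashlib
import os
import stat
import tempfile

WATCH = ["usr/local", "etc"]          # directories (relative to root) to baseline


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate(root, watch=WATCH):
    """Return {relpath: {'mode', 'size', 'sha256'}} for the watched trees."""
    spec = {}
    for sub in watch:
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode):            # skip symlinks, devices
                    spec[os.path.relpath(path, root)] = {
                        "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
                        "sha256": file_digest(path)}
    return spec


def dump(spec):
    """Serialize the baseline; keep the text off-host or on read-only media,
    since a baseline the intruder can rewrite proves nothing (Paul's point)."""
    return "".join(f"{rel} type=file mode={v['mode']:04o} size={v['size']} "
                   f"sha256digest={v['sha256']}\n" for rel, v in sorted(spec.items()))


def load(text):
    spec = {}
    for line in text.splitlines():
        rel, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        spec[rel] = {"mode": int(kv["mode"], 8), "size": int(kv["size"]),
                     "sha256": kv["sha256digest"]}
    return spec


def check(root, baseline, watch=WATCH):
    """Diff the live tree against a baseline: changed (with the differing
    keys), missing and added files."""
    now = generate(root, watch)
    changed = {}
    for rel in baseline.keys() & now.keys():
        diffs = [k for k in ("mode", "size", "sha256") if baseline[rel][k] != now[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"changed": changed,
            "missing": sorted(baseline.keys() - now.keys()),
            "added": sorted(now.keys() - baseline.keys())}


def demo():
    """Constructed tree; returns (clean, drift, after_regenerate) reports."""
    files = {"usr/local/bin/tool": b"#!/bin/sh\necho ok\n",
             "usr/local/sbin/daemon": b"\x7fELF\x00" * 8,
             "etc/ssh/sshd_config": b"PermitRootLogin no\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(root, "usr/local/bin/tool"), 0o755)
        baseline = load(dump(generate(root)))     # round-trip through the text form
        clean = check(root, baseline)
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as fh:
            fh.write(b"MaxAuthTries 3\n")                       # legitimate edit
        os.chmod(os.path.join(root, "usr/local/bin/tool"), 0o700)
        os.remove(os.path.join(root, "usr/local/sbin/daemon"))
        with open(os.path.join(root, "usr/local/sbin/extra"), "wb") as fh:
            fh.write(b"x")
        drift = check(root, baseline)
        # Denny's pitfall: until 'generate' is rerun after a deliberate change,
        # every later run keeps reporting it.
        regenerated = check(root, generate(root))
    return clean, drift, regenerated


if __name__ == "__main__":
    print(demo()[1])
```

The drift report lists the edited config (size and digest), the mode change on the tool, the removed daemon and the added file; the third report is empty because the baseline was regenerated after the changes, which is the step Denny keeps forgetting. The same caveat as for the package check applies: the baseline text is only worth anything if it is stored where the host cannot alter it and the comparison is run from clean media.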