Intrusion Detection using pkg?

Matthew Seaman matthew at FreeBSD.org
Mon Apr 18 10:29:42 UTC 2016


Dear all,

Has anybody been thinking about using pkg(8) as part of a host-based
intrusion detection system?  Particularly considering the impending
switch to packaged base for 11.0-RELEASE.

pkg(8) metadata contains the sha256 checksum of every file it has
installed except for certain config files that the user is expected to
modify themselves.  Running 'pkg check -sa' should detect anything that
has been modified since it was installed.  That's basically what a
program like tripwire does.  Unfortunately it's also very simple to run
'pkg check -ra' which would hide any local modifications. (The
assumption here is that the system has already been compromised; the
idea is to make sure that compromise doesn't go undetected.)

What is needed is a secured mechanism to compare checksums against a
tamper-proof (preferably off-line) store.  We could pull the checksum
data out of the signed package tarballs downloaded from the repo each
time we wanted to run a secure check, but that depends on anyone not
running 'pkg clean -a' or else that precise package still being
available from the repo.  Plus it's a lot of work to do that /every/
time we want to scan for changes.

We don't, as far as I can tell, have any way of cryptographically
verifying that package metadata, once loaded into a repo catalogue or
the local package DB, has not subsequently been altered.  That would
entail something like creating a detached signature for every file in
each installed package, which is just the file checksum encrypted using
a trusted key-pair.  It should be possible to generate that data on a
package building system, but I don't know if the extra system load and
increased size of package metadata makes the whole idea a non-starter.

Thoughts?

	Cheers,

	Matthew
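As an added illustration of the off-line baseline idea (this is not code from the post or from pkg(8) itself): the script below takes a baseline in the format of `pkg query '%Fp %Fs' <pkg>` (path and checksum per line, where newer pkg versions prefix the sha256 hex digest with `1$`, an assumption made here), recomputes the on-disk checksums and reports what differs. It assumes the baseline file was captured right after installation and kept on read-only or off-line media, signed separately, so that rewriting the local package DB cannot mask a change.

```python
"""Check installed files against an off-line baseline of pkg(8) checksums,
rather than against the local package DB that 'pkg check -ra' can rewrite."""
import hashlib
import os
import tempfile


def parse_baseline(text):
    """Parse 'path checksum' lines (pkg query '%Fp %Fs') into {path: sha256hex}.
    A leading '1$' (pkg's sha256-hex marker, assumed) is stripped."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, digest = line.rpartition(" ")
        if digest.startswith("1$"):
            digest = digest[2:]
        baseline[path] = digest.lower()
    return baseline


def sha256_of(path):
    """Stream a file through sha256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(baseline, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for every baseline entry.
    'root' lets the same check run over a mounted image or a test tree."""
    report = {}
    for path, expected in baseline.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            report[path] = "missing"
        else:
            report[path] = "ok" if sha256_of(full) == expected else "modified"
    return report


def demo():
    """Constructed scenario: two 'installed' files, one altered after baseline."""
    root = tempfile.mkdtemp()
    files = {"/usr/local/bin/tool": b"#!/bin/sh\necho ok\n",
             "/usr/local/etc/tool.conf": b"verbose=no\n"}
    lines = []
    for path, content in files.items():  # install files and record checksums
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        lines.append("%s 1$%s" % (path, hashlib.sha256(content).hexdigest()))
    with open(os.path.join(root, "usr/local/bin/tool"), "ab") as f:
        f.write(b"# post-install change\n")  # the local DB could be updated to hide this
    return check_files(parse_baseline("\n".join(lines)), root)
```

Generating the baseline with `pkg query '%Fp %Fs'` over all packages and signing the resulting file (for example with a detached signature checked before parsing) is left outside the script.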


