online checksum verification for FreeBSD
julian at elischer.org
Wed Mar 10 23:31:50 UTC 2010
Elmar Stellnberger wrote:
>>> The only thing that I have found about it is:
>>> "DS Compare the system against a "known good" index of the installed
>> As well as freebsd-update(8), the FreeBSD base system includes
>> mtree(8) - which can be used to generate and check file hashes. Other
>> tools, such as tripwire, are available in the ports tree.
> As far as I am informed freebsd generates the checksums right after
> installation. However this is absolutely useless for a tool like
> checkroot that aims at an online checksum verification.
>> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel at gmail.com>
>>> I believe it would be highly desirable to have an online md5sum
>>> verification for FreeBSD as this is already implemented by checkroot
>>> (http://www.elstel.com/checkroot/) for openSUSE.
>> You are welcome to adapt your tool to support FreeBSD and have it
>> included in the ports system.
> Could anyone help me with how to obtain online checksums (md5 or, better,
> sha1) for the files of every installed package?
>> That said, it's unclear that your tool offers any benefits over
>> the freebsd-update(8) tool that is part of the FreeBSD base system.
> You seem to be really ignorant about the issues I have pointed out about
> online/offline checksums:
> * offline checksums require some security tool having been installed in
> Most users simply don't have tripwire or something else installed but are
> possible targets for crackers.
> * offline checksums are very tedious to maintain:
> They require a full system verification in advance of any new update,
> followed by a new checksum backup.
> If you just forget that once, you can throw your system away.
> Now do also think about applying a single update or about updating
> which should be recommended for reasons of security.
>> Note that an
>> intruder could equally easily modify the checkroot executable unless
>> it is also stored on read-only media.
> Yes, I have clearly pointed this out on my web site. The tool will of
> course not be useful as long as it is not invoked from a boot CD.
> As for me, I always have a current boot CD handy, even if just
> for reinstalling the boot loader.
>> I notice that your tool only appears to store MD5 hashes - I presume
>> you are aware that the MD5 algorithm has been shown to have a number
>> of weaknesses and is not recommended for new applications. This
>> is why FreeBSD has moved to using a combination of MD5 and SHA256.
> Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
> for FreeBSD.
> For openSUSE I had to use what has been available.
All that is not to say it's a bad idea, just that people
are interested to see what the advantages are, etc.
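The check the thread argues about, as an added example that is not part of the original message, of checkroot, or of any FreeBSD tool: a manifest of known-good SHA-256 digests is assumed to come from a trusted source outside the host (the package mirror, or a boot CD), so an intruder who alters files on disk cannot also rewrite the manifest, which is the weakness of install-time ("offline") checksums raised above. The manifest format, the package tree and the tampering are all constructed for the demo.

```python
"""Verify an installed file tree against a manifest of known-good SHA-256 digests.

Added example, not code from the thread, from checkroot or from FreeBSD.
The manifest format ("<hex sha256> <relative path>") and the sample tree are
assumptions made up for the demonstration; a real tool would fetch the
manifest for each installed package from the package source.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex sha256> <relative path>' lines; '#' starts a comment.

    Returns {relative path: lowercase hex digest}. Malformed lines raise,
    because silently skipping an entry would make a file unverifiable."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, relpath = line.partition(" ")
        if len(digest) != 64 or not relpath:
            raise ValueError("manifest line %d malformed" % lineno)
        entries[relpath] = digest.lower()
    return entries


def verify_tree(root, manifest):
    """Compare every manifest entry with the file under root.

    Returns {'ok', 'modified', 'missing', 'extra'}: 'extra' lists files on
    disk the manifest does not know about (a dropped backdoor, for example),
    which a pure hash-check of listed files would never notice."""
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for relpath, expected in sorted(manifest.items()):
        full = os.path.join(root, relpath)
        if not os.path.isfile(full):
            result["missing"].append(relpath)
        elif sha256_file(full) != expected:
            result["modified"].append(relpath)
        else:
            result["ok"].append(relpath)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                result["extra"].append(rel)
    result["extra"].sort()
    return result


def demo():
    """Constructed scenario: pristine tree, trusted manifest, then an intruder."""
    with tempfile.TemporaryDirectory() as root:
        pristine = {
            "bin/ls": b"#!/bin/sh\necho original ls\n",
            "bin/ps": b"#!/bin/sh\necho original ps\n",
            "etc/rc.conf": b'sshd_enable="YES"\n',
        }
        for rel, data in pristine.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Stand-in for the manifest served by the package source: computed
        # from the pristine content, never from what is on the target host.
        manifest_text = "# constructed manifest\n" + "".join(
            "%s %s\n" % (hashlib.sha256(data).hexdigest(), rel)
            for rel, data in pristine.items())
        manifest = parse_manifest(manifest_text)
        # Simulated intrusion: trojaned ps, deleted config, dropped extra file.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        os.remove(os.path.join(root, "etc/rc.conf"))
        with open(os.path.join(root, "bin/.rk"), "wb") as f:
            f.write(b"backdoor\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

On FreeBSD the same comparison can be done with base-system tools: `mtree -c -K sha256digest -p /usr/local > spec` records digests and `mtree -p /usr/local < spec` reports files that differ. The point of the thread stands either way: the spec file must live somewhere the intruder cannot write, and the tool performing the check must be run from trusted media.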