online checksum verification for FreeBSD
    Elmar Stellnberger
    elmstel at gmail.com
    Wed Mar 10 19:38:11 UTC 2010

>> The only thing that I have found about it is:
>> "DS   Compare the system against a "known good" index of the installed
>> release.'"
>
> As well as freebsd-update(8), the FreeBSD base system includes
> mtree(8) - which can be used to generate and check file hashes.  Other
> tools, such as tripwire, are available in the ports tree.
>
As far as I am informed, FreeBSD generates the checksums right after
installation. However, this is absolutely useless for a tool like
checkroot that aims at online checksum verification.
> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel at gmail.com> wrote:
>> I believe it would be highly desirable to have an online md5sum
>> verification for FreeBSD as this is already implemented by checkroot
>> (http://www.elstel.com/checkroot/) for openSUSE.
>
> You are welcome to adapt your tool to support FreeBSD and have it
> included in the ports system.
Could anyone help me with how to obtain online checksums (MD5 or, better,
SHA-1) for the files of every installed package?
>
> That said, it's unclear that your tool offers any benefits over
> the freebsd-update(8) tool that is part of the FreeBSD base system.
>
You seem to be really ignorant about the issues I have pointed out about
online/offline checksums:
* offline checksums require some security tool to have been installed in
  advance.
  Most users simply don't have tripwire or something else installed but are
  nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain:
  They require a full system verification prior to any new update, followed
  by a new checksum backup.
  If you forget that just once, you can throw your system away.
  Now also think about applying a single update or about updating regularly,
  which should be recommended for reasons of security.
>  Note that an
> intruder could equally easily modify the checkroot executable unless
> it is also stored on read-only media.  
Yes, I have clearly pointed this out on my web site. The tool will of
course not be useful as long as it is not invoked from a boot CD.
As for me, I always have a current boot CD handy, even if just
for reinstalling the boot loader.
>
> I notice that your tool only appears to store MD5 hashes - I presume
> you are aware that the MD5 algorithm has been shown to have a number
> of weaknesses and is not recommended for new applications.  This
> is why FreeBSD has moved to using a combination of MD5 and SHA256.
Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
for FreeBSD.
For openSUSE I had to use what was available.
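The check this message is asking for, comparing the files of an installed tree against a known-good hash list while the verifier and the hashes come from outside the disk under test (for instance from boot media), as an added example. This is not code from the thread, from checkroot, or from FreeBSD; the manifest format (one "sha256  relative/path" line per file, like sha256sum output), the sample files and the tampering are all constructed here for illustration.

```python
"""Verify the files of an installed tree against a hash manifest.

Added example; not code from the original thread, from checkroot or from
FreeBSD. Assumptions: the manifest format (one "sha256  relative/path"
line per file, like sha256sum output) and the sample files are constructed
here. The root argument stands in for a root filesystem mounted from boot
media, so neither the verifier nor the hashes are read from the disk
being checked.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  relative/path' lines into a dict path -> digest.

    Blank lines and '#' comments are ignored; anything else malformed
    is an error, since a silently skipped entry is an unchecked file.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        expected[rel] = digest.lower()
    return expected


def verify_tree(root, expected):
    """Compare every manifest entry with the file under root.

    Returns a dict of sorted lists: 'ok', 'modified', 'missing'.
    Symlinks are reported as missing rather than followed, so an
    intruder cannot point a checked path at a pristine copy elsewhere.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in expected.items():
        path = os.path.join(root, rel)
        if os.path.islink(path) or not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Build a constructed tree, record its hashes, tamper, then verify."""
    files = {  # constructed sample files, not real system binaries
        "bin/ls": b"#!/bin/sh\necho ls\n",
        "sbin/init": b"#!/bin/sh\necho init\n",
        "etc/rc": b"# rc\n",
    }
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
        manifest = parse_manifest("\n".join(lines))
        # Simulated intrusion: one trojaned binary and one deleted file.
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"echo pwned\n")
        os.remove(os.path.join(root, "etc/rc"))
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        for p in paths:
            print(f"{status:8s} {p}")
```

Run as a script it reports bin/ls as modified, etc/rc as missing and sbin/init as ok. In real use the manifest would be the hashes published for the installed package versions and root would be the mount point of the suspect system, so that the Perl-style objection raised in the thread (an intruder rewriting the checker itself) does not apply to the copy being run.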