What are "system binaries"?
tripwire, a file integrity checker for UNIX systems, says the best thing is to reinstall the "system binaries" and then start it going. That way it knows the good stuff for sure, I assume.
Err... what are system binaries? I have a vast number of programs on the computer; how do I reinstall them automatically? Is there some automatic dpkg method, say (I'm using Debian Lenny 5.0)?
Quote:
Binaries are all the program files (including libraries) you have installed. What tripwire does is save a checksum of every program in a database, to check later whether the file has been corrupted.
For example, imagine that the file /bin/bash has the hash b80dbeb15693587a6de0df349831bddf. If later the hash of /bin/bash is altered, then tripwire will know for sure that the file is compromised (possibly a trojan or something nasty).
Quote:
I know there is some way of making a file that has all the stuff on the computer recorded. Feeding this file to apt or aptitude or dpkg or something will cause it to install all the programs. How do I get the packages reinstalled? Most of them were originally installed from Debian Official CDs, but it would not be practical to repeat all this in one go; I need it to do it over the internet from debian.org, etc. Grateful for any help; highly likely I'll cock it up myself. :)
The following should help.
You can get a list of everything installed like this:
Code:
dpkg -l | grep ^ii | awk '{ print $2 }'
Code:
dpkg --get-selections | awk '{ if ($2 == "install") print $1 }'
Code:
apt-get install --reinstall packagename1 packagename2 packagename3
Cheers, Evo.
PS. You may find it easiest to save the list of packages to a file for possible editing instead of sending it straight to "apt-get install --reinstall".
So I made the list of installed stuff like you said and then had a rush of blood and:
Code:
for i in `cat /home/lugo/listOfInstalled.txt`; do apt-get install --reinstall --yes "$i"; done
Still works, but there are a lot of red messages on closing down.
Cool.
You can actually do it without the loop:
Code:
apt-get install --reinstall `cat /home/lugo/listOfInstalled.txt`
Code:
dpkg-reconfigure debconf
After you are done, make sure that everything is ok by running:
Code:
dpkg --audit
Evo2.
Congratulations! First of all, well done for choosing to install a filesystem integrity checker. I think everyone who values their machines should do that. Most people think its only purpose is security, but it may help in terms of management (for instance, listing configuration changes) and recovery (being able to compare file hashes) too.
Installing a filesystem integrity checker long after your OS was exposed to any network is pretty much useless unless you have independent means to verify the integrity of package contents (not the MD5 or SHA1 or GPG sig of a package!), for instance by the distribution's package manager (if it is capable). This implies that you have stored a backup of the package manager configuration and databases or data dirs off site and are able to verify the integrity of that backup. Debian offers debsums, but the obvious problem with that is that it basically is as much an add-on as anything else and not integrated: you cannot install it before anything else, you have to (remember to) install it, you have to activate it once manually (if post-install scripts don't do that right now). But once you have, you can run 'debsums package.deb' using the checksums generated from the "package.deb" archive. To top it off, verifying hashes should be done running a rescue or Live CD to avoid tainting results where taints aren't detected.

About choosing a filesystem integrity checker. I don't know whether it's due to hearsay, outdated web logs, outdated articles or lack of coverage elsewhere (I know I pretty much cover this topic at least once a year), but it does surprise me that people still install tripwire while alternatives exist that are not troubled with licensing problems, that are easier to use and that are maintained and supported. But before going into that, there's a distinction you may not be aware of: passive versus active. Applications that need to be started manually or run as a cronjob are called passive because they do not run as a daemon, continuously. It is important to make this distinction because it means that usage relies on either the person running it or a subsystem driving it: points of failure in terms of forgetting to run it or failing to notice cron daemon or cronjob failures.

In terms of subversion you should also realize the length of any detection cycle is an opportunity for an attacker to modify the configuration and checksum database to enable her to remain undetected. Whichever product you choose, it is important to store copies of the binary, configuration and database off site. Also, running a filesystem integrity checker may take time. When using a passive filesystem integrity checker you may want to spread risk and load by running different configuration files. For instance, you could configure and run Aide on only /lib, /etc, /bin, /sbin once per two hours and use a different configuration to run it on /usr or /usr/local at a different interval.

Examples of passive filesystem integrity checkers are Aide, Integrit, Osiris, Fcheck. (And since the 1.3 series, Rootkit Hunter also allows you to checksum system binaries.) The only active one I know of is Samhain. Samhain can run daemonized and offers features like its own LKM to detect kernel changes, an encrypted database and an (SSL-capable) client-server setup to run with a remote central database-serving host for more resistance against tampering and easier management. Since Samhain runs as a daemon, it also means it can be run from init, and as you know /sbin/init does not like applications to die and will restart them, meaning one more step towards being tamper-resistant.

* Finally, auditing shows one more human point of failure. People may set up the most splendid system but fail to realize that to be able to take (counter)measures one needs to actually read reports... HTH.
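As an added example (not code from this thread or from debsums/tripwire themselves), the check that the hash explanation and the debsums remark above both describe, in POSIX sh: build a dpkg-style md5sums baseline of a constructed fake root, then verify the tree against it after a file has been replaced and another deleted. The directory, file names and contents are constructed; the baseline is written outside the tree because, as unSpawn says, on a real box it belongs off site.

```shell
#!/bin/sh
# Added example, not from the thread: what debsums (and tripwire's database)
# boils down to. dpkg keeps "<md5>  relative/path" lines per package in
# /var/lib/dpkg/info/<pkg>.md5sums; here the same format is built for a
# constructed fake root under a temp dir so the script runs anywhere.
set -u

# Write a dpkg-style md5sums baseline of every regular file below $1 to $2.
# $2 must be an absolute path outside $1 (a baseline inside the tree would
# checksum itself next time, and on a real box it belongs off site anyway).
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -exec md5sum {} + ) \
        | sed 's|  \./|  |' | sort -k2 > "$out"
}

# Verify the tree below $1 against baseline $2, the same way
# "cd / && md5sum -c /var/lib/dpkg/info/coreutils.md5sums" would.
# Prints one relative path per changed or missing file; returns 1 if any.
verify_baseline() {
    root=$1; base=$2
    changed=$( cd "$root" && md5sum -c --quiet "$base" 2>/dev/null \
               | sed -n 's/: FAILED.*$//p' )
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Constructed demonstration: baseline a fake root, then alter it the way a
# replaced or removed system binary would show up on a real system.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original cp\n' > "$root/bin/cp"
    printf 'config\n'      > "$root/etc/fstab"
    make_baseline "$root" "$root.md5sums"
    printf 'replaced ls\n' > "$root/bin/ls"   # modified file
    rm -f "$root/bin/cp"                       # missing file
    verify_baseline "$root" "$root.md5sums"    # prints bin/cp and bin/ls
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check.sh demo`; a clean tree prints nothing and returns 0.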
Thanks both.
Oh God :D, it's a technical area. Get this:
Code:
fido:/home/lugo# apt-get remove --purge tripwire
Thanks unSpawn, I do not understand; I've read it once, I'll read it over and try to figure things out. In the meantime, if "system files" are ls, cp, and stuff like that, how should they be reinstalled? Are there a few, sort of binarybox (that's not what it's called), Debian packages?
Code:
apt-get install --reinstall foo
Here is a sample of how you could use apt-file. First update the apt-file database:
Code:
apt-file update
Code:
apt-file search -F /bin/ls
Code:
coreutils: /bin/ls
NB. You can get the full path to an executable using which:
Code:
which ls
Evo2.
PS. As unSpawn rightly points out, it is questionable whether there is really any need to reinstall these packages, but I thought the information about how to do it could be useful nonetheless.