LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-11-2006, 06:58 AM   #1
studioq
Member
 
Registered: Sep 2006
Posts: 42

Rep: Reputation: 15
MD5 sums - Installed new RKHunter - Now I'm curious


In the beginning I never understood the value of MD5 sums, mostly because I never understood what they were.

I just installed and ran the new RKHunter so I could have a baseline of my fresh install. One thing it quickly caught on to was the fact I never downloaded any of the MD5's for Slack or any of the 3 or 4 packages I have installed since.

Has my contempt come around to get me, or is there a way to add the sums to the system now, while I still remember what I have installed?
One thing I have never understood about the sums is how to properly download them and store them. If someone could explain that to me I promise to be a better Slacker in the future..

As for RootKit Hunter, it installed on my Slack 10.2 flawlessly and ran just the same. It pointed out that Apache and OpenSSL were vulnerable, but I don't know enough to know how to remedy that situation.
 
Old 10-11-2006, 10:09 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Maybe I shouldn't respond since I am not familiar with either Slackware nor RKHunter, but I am going to give it a shot anyhow. Take my comments for what you think they are worth.

Maybe md5sums have a special place in Slack country that I am not aware of. In other places, the program md5sum is used to generate and check md5sums. Check its man page for more info. Since md5sums can be generated at any time, I am wondering if RKHunter didn't go ahead and generate the sums for what you currently have on your system (which hopefully is not compromised yet). My only experience with downloading them has been to immediately after download do whatever I have to do (sometimes I had to copy/paste and create my own file) to check the downloaded file against its md5sum. Maybe Slackware has a distro specific storage area for these.

As an aside, I would note that md5sums are no longer considered adequate to make sure a file hasn't been tampered with. It is better than nothing, and sometimes it is the only thing you have available. But the current accepted practice is to sign the downloaded file. In this case you download the file, signature and if necessary the public part of the key that was used to sign it. You then use gpg to verify the signature.

Hope this helps.
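The two checks blackhole54 describes (the "copy/paste and create my own file" md5 check, and gpg verification of a detached signature) as a small added example. This is not code from the thread, from Slackware or from rkhunter; it assumes GNU coreutils md5sum, that gpg is installed with the signer's public key already imported, and the package name, hash value and CHECKSUMS.md5 layout in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check a downloaded file against its
# published md5, and optionally against a detached GPG signature.
# Assumes GNU coreutils md5sum; gpg needs the signer's key imported already.

# verify_md5 FILE HEXDIGEST
# The "copy/paste the hash" case: build the one-line sums file in the format
# md5sum expects ("<32 hex><two spaces><name>") and let md5sum check it.
verify_md5() {
    printf '%s  %s\n' "$2" "$1" | md5sum --check --status
}

# verify_md5_list FILE SUMSFILE
# A mirror's .md5 file usually lists many files; pick out the entry for ours
# (exact match on the name field) so md5sum does not complain about every
# other listed file that is not here. Names with spaces are not handled.
verify_md5_list() {
    file=$1; sums=$2
    dir=$(dirname "$file"); name=$(basename "$file")
    entry=$(awk -v n="$name" '$2 == n' "$sums" | head -n 1)
    [ -n "$entry" ] || { echo "no md5 entry for $name in $sums" >&2; return 2; }
    ( cd "$dir" && printf '%s\n' "$entry" | md5sum --check --status )
}

# verify_signature FILE SIGFILE
# Detached-signature check; gpg fails unless the signing key is in the keyring.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1" 2>/dev/null
}

# verify_download FILE SUMSFILE [SIGFILE]: md5 first, then the signature if given.
verify_download() {
    verify_md5_list "$1" "$2" || { echo "md5 check FAILED for $1" >&2; return 1; }
    if [ -n "$3" ]; then
        verify_signature "$1" "$3" || { echo "signature check FAILED for $1" >&2; return 1; }
    fi
    echo "OK: $1"
}

# Demo on constructed data: a stand-in "package" whose contents are "hello\n".
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/pkg.tgz"
printf 'b1946ac92492d2347c6235b4d2611184  pkg.tgz\n' > "$demo_dir/CHECKSUMS.md5"
verify_download "$demo_dir/pkg.tgz" "$demo_dir/CHECKSUMS.md5"
rm -rf "$demo_dir"
```

Store the sums file and the signature next to the download and keep the sums file's own line format intact: md5sum refuses a line that does not have exactly 32 hex characters, two spaces and a name.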
 
Old 10-11-2006, 07:46 PM   #3
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Fully Supported OS's from here:
http://www.rootkit.nl/projects/rootkit_hunter.html

Quote:
Supported operating systems

Supported:
- Most Linux distributions
- Most *BSD distributions

Currently unsupported:
- NetBSD

Tested on:
- AIX 4.1.5 / 4.3.3
- ALT Linux
- Aurora Linux
- CentOS 3.1 / 4.0
- Conectiva Linux 6.0
- Debian 3.x
- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10
- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
- Fedora Core 1 / Core 2 / Core 3
- Gentoo 1.4, 2004.0, 2004.1
- Macintosh OS 10.3.4-10.3.8
- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1
- OpenBSD 3.4 / 3.5
- Red Hat Linux 7.0-7.3 / 8 / 9
- Red Hat Enterprise Linux 2.1 / 3.0
- Slackware 9.0 / 9.1 / 10.0 / 10.1
Slackware 10.2 is not one of the "supported OS's" OR "tested OS's" and therefore:

From Here:
http://www.rootkit.nl/articles/rootkit_hunter_faq.html
Quote:
What does the warning "Determining OS... Warning: this operating system is not fully supported!" mean?
It simply means: not all functions and checks can be performed, because the system is 'unknown' to the script (things like which md5 utility is available, md5 hashes for this system etc.). If you want support for a new distro, please mail me by filling in the contact form and tell me which distro you are using.
So there is nothing built in to support Slackware 10.2, but you can still do the same thing yourself. But you could help out the project as they list above by contacting them.

Install Slack off gpg-verified and md5summed CDs with the PC offline, and presumably no bad stuff on other partitions, drives, etc., and use that as your 'baseline'. There are tons of guides on how to do this out there on the net.
 
Old 10-12-2006, 04:51 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by studioq
In the beginning I never understood the value of MD5 sums, mostly because I never understood what they were.
MD5 hashes can be calculated for files (unicity not guaranteed: collisions are possible) and used to verify the integrity of files.


Quote:
Originally Posted by studioq
I just installed and ran the new RKHunter so I could have a baseline of my fresh install. One thing it quickly caught on to was the fact I never downloaded any of the MD5's for Slack or any of the 3 or 4 packages I have installed since.
AFAIK, and the updated Comparing Linux/UNIX Binary Package Formats supports that, Slackware only has GPG and MD5 and verification on install tarball: none for files in the package and no method in the package manager to verify later on. Check Alien Bob's response in How do you GPG verify all of your rsync slackware directory.


Quote:
Originally Posted by studioq
Has my contempt come around to get me, or is there a way to add the sums to the system now, while I still remember what I have installed?
If you asked this on the Sourceforge Rkhunter-users mailing list you'd get the answer to run the "hashupd" tool, which lives in RKH's CVS....


Quote:
Originally Posted by studioq
It pointed out that Apache and OpenSSL were vulnerable, but I don't know enough to know how to remedy that situation.
AFAIK Slackware does not backport like RH does, so you'd either upgrade or remove vulnerable packages.


Quote:
Originally Posted by blackhole54
As an aside, I would note that md5sums are no longer considered adequate to make sure a file hasn't been tampered with. It is better than nothing, and sometimes it is the only thing you have available. But the current accepted practice is to sign the downloaded file. In this case you download the file, signature and if necessary the public part of the key that was used to sign it. You then use gpg to verify the signature.
While laudable, even that doesn't solve the problem of checking the integrity once installed. The only thing that helps would be to install a file integrity checker (preferably on O.S. install and before it's connected to the 'net) like Aide (passive, easy configurable), Samhain (active, has kernel module, lots of options) or even tripwire (obsolete, license problems) or md5deep and save a copy of the binary, config (if any) and database off-site.


Quote:
Originally Posted by Old_Fogie
Fully Supported OS's from here:
www.rootkit.nl

No. We moved house. I thought the 1.2.9 release made that clear but apparently nobody reads accompanying docs nor news... RKH resides at SF: http://sourceforge.net/projects/rkhunter


Fully Supported OSes (CVS):
Code:
]$ # grep -i slack rkhunter/files/os.dat 
134:Slackware 9.1.0:/usr/bin/md5sum:/bin
140:Slackware 9.0.0:/usr/bin/md5sum:/bin
147:Slackware 10.0.0:/usr/bin/md5sum:/bin
168:Slackware 10.1.0:/usr/bin/md5sum:/bin
184:Slackware 10.2.0:/usr/bin/md5sum:/bin
802:Slackware 11.0.0:/bin/md5sum:/bin:
So you see that, thanks to community support, we even got 11.
 
Old 10-12-2006, 06:06 AM   #5
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
I was reading through the tutorials here on LQ, and one member posted something that I thought was really neat, and kind of applied here, well in a roundabout way.

From here:
http://www.linuxquestions.org/linux/...uick_find_Tips

The writer stated:
Quote:
* Find all files created or updated in the last five minutes: (Great for finding effects of make install)
find / -cmin -5
I suppose that could be worked up into a script to find all files, then checksum & output to a log file and just add them to your initial checksum list and/or compare the list.

Then again, I see from Jeremy's/LQ/Tutorial that this was a feature that "tripwire" did for Linux users before they decided to no longer offer an open source version.
 
Old 10-12-2006, 06:17 AM   #6
studioq
Member
 
Registered: Sep 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by studioq
One thing I have never understood about the sums is how to properly download them and store them. If someone could explain that to me I promise to be a better Slacker in the future..
I guess I used too many words, or maybe not enough.. The above seems to have gotten lost in the shuffle.
 
Old 10-12-2006, 07:50 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Old_Fogie
I suppose that could be worked up into a script to find all files, then checksum & output to a log file and just add them to your initial checksum list and/or compare the list.
If you run a file integrity checker you wouldn't even need to do that. On check you'd be informed changes occurred. After verification checks out OK you'd update the database.


Quote:
Originally Posted by studioq
One thing I have never understood about the sums is how to properly download them and store them.
After install you would do for example:
Code:
find ${PATH//:/ } | xargs md5sum 2>/dev/null > /tmp/sums
...and to check simply run
Code:
md5sum --check --warn --status /tmp/sums && echo OK \
|| { echo FAILED; md5sum --check --warn /tmp/sums 2>&1|grep -v OK$; }
Finally there must be Slackware tools out there that already do this in an integrated way so better check that first, but here's an untested (so YMMV(VM)) idea for generating and checking sums from downloaded packages:
Code:
#!/bin/bash
# Purpose: Sum from package and check
# Args: switch and packagename
# Deps: Bash, GNU utils, tarball
# Run from: manual

# Prepstage functions
progn=${0//*\//}
# And FCOL/FFS set debug and error mode when testing:
# set -xe

# Create the sums store and scratch dir, and require a non-empty package path
preFlight() { 
STORAGE="/var/adm/sums"; if [ ! -d "${STORAGE}" ]; then
 mkdir -p "${STORAGE}"; fi; TMPDIR="${HOME}/tmp"
if [ ! -d "${TMPDIR}" ]; then mkdir -p "${TMPDIR}"; fi
PKG="$1"; if [ ! -s "${PKG}" ]; then
 echo "${progn}: no such package: ${PKG}"; exit 127; fi
PKG_BASE=${PKG//*\/}; }

# Unpack the tarball into a scratch dir (named after the package basename,
# not its full path) and sum every file in it, skipping the install/ metadata.
# "./usr/bin/x" is rewritten to "/usr/bin/x" so the sums file can later be
# checked against the installed files from any working directory.
doSum() { PKG_TEMP=${PKG_BASE%%.tgz}.tmp
 if [ -d "${TMPDIR}/${PKG_TEMP}" ]; then rm -rf \
 "${TMPDIR}/${PKG_TEMP}" || exit 127; fi
 mkdir -p "${TMPDIR}/${PKG_TEMP}" || exit 127
 tar -xzf "${PKG}" -C "${TMPDIR}/${PKG_TEMP}" || exit 127
 cd "${TMPDIR}/${PKG_TEMP}" || exit 127
 find . -type f | grep -v install/ | xargs md5sum 2>/dev/null \
 | sed -e "s/.\//\//" > "${STORAGE}/${PKG_BASE}.md5"
 cd / && rm -rf "${TMPDIR}/${PKG_TEMP}"; }

# Re-check the installed files against the stored sums; on failure list only
# the lines that did not verify
doCheck() { if [ -f "${STORAGE}/${PKG_BASE}.md5" ]; then
  SUMS="${STORAGE}/${PKG_BASE}.md5"
  md5sum --check --warn --status "${SUMS}" && echo OK \
  || { echo FAILED; md5sum --check --warn "${SUMS}" 2>&1\
  |grep -v OK$; }; else echo "No ${STORAGE}/${PKG_BASE}.md5"
  exit 127; fi; }

# The package path is passed on to preFlight after the switch is shifted off
case "$1" in
m|-m|--make-sum) shift 1; preFlight "$1" && doSum;;
c|-c|--check-sum) shift 1; preFlight "$1" && doCheck;;
*) echo "${progn}: [--make-sum|--check-sum] /path/to/package.tgz"
   exit 1;;
esac

exit 0
 
Old 10-12-2006, 09:10 AM   #8
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Quote:
Originally Posted by studioq
I guess I used too many words, or maybe not enough.. The above seems to have gotten lost in the shuffle.

Studio,

What we're getting at here is that there is nothing that you can download to use that feature.

Mr. Pat V does not offer a "as installed" checksum list that the rkhunter would check for you.

That is why I mentioned the thread about find, and "unspwan" was very helpful to offer us that script to try out.

Have you taken a look at insecure.org they have some good links in addition to the sticky here in the forums by the admin.

I for one want to try out "snort" but it won't gpg verify. I posted over there and no one's told me how to do it in weeks, I get a weird message, and I know I'm doing the code correctly for the gpg --verify as I do it all the time in slack.

@unspawn: thank you for the script, I'm going to give it a shot on a slackware 11.0 installed into vmware...for "just in case reasons" you know. I'll let you know how I make out.
 
Old 10-23-2006, 01:33 AM   #9
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
@unspawn:

doing this:
Quote:
find ${PATH//:/ } | xargs md5sum 2>/dev/null > /tmp/sums
appears to NOT do all files / folders on the "/" partition of slackware 10.2 for me.

it appears to do:
/usr/local/
/usr/sbin/
/sbin/
/usr/local/
/usr/bin/
/bin/
/usr/X11R6/
/usr/lib/
/opt/kde/bin
/usr/lib/qt/bin
/usr/share/texmf/bin

since my pc that runs vmware is still down I ran this on an old 300 MHz PC and it only took about 5 minutes.

is the output above what the rkhunter checksum compare option would like to see?

FWIW, I did a little googling...and I found a recommendation by someone that said to use something like this, and it took hours:

Quote:
find / -type f -exec md5sum {} \; |tee /some-same-folder/output.md5
Now, I tried running the above while at cli in slackware, and it totally just stopped and never got past /proc/devices/cpuinfo (or something like that).

So I rebooted that computer, and I tried a 'slax' live cd, mounted the "/" in /mnt/hda2 and ran the above. It was able to get through the /proc directory now that I wasn't actually running linux. It md5summed every file. Wow I never saw an 80 gig text file before LOL.

But I suspect that it's a little overkill and having to leave linux to do it and all.

I didn't try the packages yet, I'm still trying to figure out how to get a good checksum here...and I'm really losing my mind trying to figure out how to edit the /etc/samhain file for a standalone pc...ugh!

Any help is truly appreciated.
 
Old 10-23-2006, 05:45 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by Old_Fogie
appears to NOT do all files / folders
I'm afraid this isn't about security anymore, so it should really be a thread in another forum, say Linux General. You may benefit from running "md5deep" which is another (and easier) way to get recursive sums.


Quote:
Originally Posted by Old_Fogie
is the output above what the rkhunter checksum compare option would like to see?
Much more than that. If you want the RKH subset of binaries to check, run hashupd (in Sourceforge's RKH CVS).


Quote:
Originally Posted by Old_Fogie
I found a recommendation by someone that said to use something like this, and it took hours
Basically it's the old "exec vs xargs" debate. (Which, like so many, isn't a debate but a monologue since xargs wins).


Quote:
Originally Posted by Old_Fogie
Now, I tried running the above while at cli in slackware, and it totally just stopped and never got past /proc/devices/cpuinfo (or something like that).
Then you need to supply "find" with -noleaf and -xdev.


Quote:
Originally Posted by Old_Fogie
It was able to get through the /proc directory now that I wasn't actually running linux. It md5summed every file. Wow I never saw an 80 gig text file before LOL.
It's a waste of time to hash /proc and /dev contents.


Quote:
Originally Posted by Old_Fogie
I didn't try the packages yet, I'm still trying to figure out how to get a good checksum here...
Shouldn't be that hard.


Quote:
Originally Posted by Old_Fogie
and I'm really losing my mind trying to figure out how to edit the /etc/samhain file for a standalone pc...ugh!
That's twice. New topic, new thread, OK?

Last edited by unSpawn; 10-23-2006 at 05:55 AM.
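An added example pulling together unSpawn's generate-then-check idiom from post #7 and the points in this post (stay on one filesystem with -xdev and -noleaf, don't hash /proc or /dev, feed xargs rather than -exec'ing md5sum per file). It is not code from the thread, from rkhunter or from any Slackware tool; it assumes GNU findutils and coreutils, the root path, sums file name and sample files in the demo are constructed, and file names containing newlines are not handled.

```sh
#!/bin/sh
# Added example (not unSpawn's script): build an md5 baseline of a tree and
# later compare the live tree against it. Assumes GNU find/xargs/md5sum.
LC_ALL=C; export LC_ALL   # one collation for sort and comm below

# list_files ROOT: regular files under ROOT, one per line, staying on ROOT's
# filesystem and pruning the pseudo-filesystems that are pointless to hash.
list_files() {
    prefix=${1%/}                    # "/" becomes "", so "$prefix/proc" is "/proc"
    find "${prefix:-/}" -xdev -noleaf \
        \( -path "$prefix/proc" -o -path "$prefix/sys" -o -path "$prefix/dev" \) -prune \
        -o -type f -print 2>/dev/null
}

# make_baseline ROOT SUMSFILE: write "hash  path" lines, sorted by path.
# Keep SUMSFILE outside ROOT (ideally off the box), or it shows up as NEW later.
make_baseline() {
    list_files "$1" | xargs -d '\n' -r md5sum 2>/dev/null | sort -k2 > "$2"
}

# check_baseline ROOT SUMSFILE: print CHANGED/MISSING and NEW files.
# Returns 0 only when the tree still matches the baseline exactly.
check_baseline() {
    status=0
    # 1. Re-hash everything in the baseline; --quiet prints only failures
    #    ("path: FAILED" when changed, "path: FAILED open or read" when gone).
    failures=$(md5sum --check --quiet "$2" 2>/dev/null) || true
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures" | sed 's/^/CHANGED OR MISSING: /'
        status=1
    fi
    # 2. Files present now but absent from the baseline. md5sum lines are
    #    "<32 hex><two spaces><path>", so the path starts at column 35.
    now=$(mktemp); base=$(mktemp)
    list_files "$1" | sort > "$now"
    cut -c35- "$2" | sort > "$base"
    new=$(comm -23 "$now" "$base")
    rm -f "$now" "$base"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW: /'
        status=1
    fi
    return $status
}

# Demo on a constructed tree; for a real box use "/" and keep the sums off-site.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/proc"
printf 'hello\n'   > "$demo_root/bin/sh"
printf 'cpuinfo\n' > "$demo_root/proc/cpuinfo"       # pruned, like the real /proc
make_baseline "$demo_root" "$demo_root.sums"
check_baseline "$demo_root" "$demo_root.sums" && echo "baseline OK"
printf 'changed\n' > "$demo_root/bin/sh"             # simulate a replaced binary
check_baseline "$demo_root" "$demo_root.sums" || echo "baseline FAILED"
rm -rf "$demo_root" "$demo_root.sums"
```

Run make_baseline once on the freshly installed, still-offline system, copy the sums file somewhere the box cannot rewrite it, and run check_baseline from that copy; after a legitimate upgrade, regenerate the baseline rather than hand-editing it.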
 