Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-11-2006, 06:58 AM | #1 | Member | Registered: Sep 2006 | Posts: 42
MD5 sums - Installed new RKHunter - Now I'm curious
In the beginning I never understood the value of MD5 sums, mostly because I never understood what they were.
I just installed and ran the new RKHunter so I could have a baseline of my fresh install. One thing it quickly caught on to was the fact I never downloaded any of the MD5's for Slack or any of the 3 or 4 packages I have installed since.
Has my contempt come around to get me, or is there a way to add the sums to the system now, while I still remember what I have installed?
One thing I have never understood about the sums is how to properly download them and store them. If someone could explain that to me I promise to be a better Slacker in the future.
As for RootKit Hunter, it installed on my Slack 10.2 flawlessly and ran just the same. It pointed out that Apache and OpenSSL were vulnerable, but I don't know enough to know how to remedy that situation.
10-11-2006, 10:09 AM | #2 | Senior Member | Registered: Mar 2006 | Posts: 1,896
Maybe I shouldn't respond since I am not familiar with either Slackware or RKHunter, but I am going to give it a shot anyhow. Take my comments for what you think they are worth.
Maybe md5sums have a special place in Slack country that I am not aware of. In other places, the program md5sum is used to generate and check md5sums. Check its man page for more info. Since md5sums can be generated at any time, I am wondering if RKHunter didn't go ahead and generate the sums for what you currently have on your system (which hopefully is not compromised yet). My only experience with downloading them has been to do whatever I have to do immediately after download (sometimes I had to copy/paste and create my own file) to check the downloaded file against its md5sum. Maybe Slackware has a distro-specific storage area for these.
As an aside, I would note that md5sums are no longer considered adequate to make sure a file hasn't been tampered with. It is better than nothing, and sometimes it is the only thing you have available. But the current accepted practice is to sign the downloaded file. In this case you download the file, the signature and, if necessary, the public part of the key that was used to sign it. You then use gpg to verify the signature.
Hope this helps.
10-11-2006, 07:46 PM | #3 | Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519
Fully Supported OS's from here:
http://www.rootkit.nl/projects/rootkit_hunter.html
Quote:
Supported operating systems
Supported:
- Most Linux distributions
- Most *BSD distributions
Currently unsupported:
- NetBSD
Tested on:
- AIX 4.1.5 / 4.3.3
- ALT Linux
- Aurora Linux
- CentOS 3.1 / 4.0
- Conectiva Linux 6.0
- Debian 3.x
- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10
- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
- Fedora Core 1 / Core 2 / Core 3
- Gentoo 1.4, 2004.0, 2004.1
- Macintosh OS 10.3.4-10.3.8
- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1
- OpenBSD 3.4 / 3.5
- Red Hat Linux 7.0-7.3 / 8 / 9
- Red Hat Enterprise Linux 2.1 / 3.0
- Slackware 9.0 / 9.1 / 10.0 / 10.1
Slackware 10.2 is not one of the "supported OS's" OR "tested OS's" and therefore:
From Here:
http://www.rootkit.nl/articles/rootkit_hunter_faq.html
Quote:
What does the warning "Determining OS... Warning: this operating system is not fully supported!" mean?
It simply means: not all functions and checks can be performed, because the system is 'unknown' to the script (things like which md5 utility is available, md5 hashes for this system etc.). If you want support for a newly distro, please mail me by filling in the contact form and tell me which distro you are using.
So there is nothing built in to support Slackware 10.2, but you can still do the same thing yourself. You could also help out the project, as they ask above, by contacting them.
Install Slack off gpg-verified and md5sum'd CDs with the PC offline, and presumably no bad stuff on other partitions, drives, etc., and use that as your 'baseline'. There are tons of guides on how to do this out there on the net.
10-12-2006, 04:51 AM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
In the beginning I never understood the value of MD5 sums, mostly because I never understood what they were.
MD5 hashes can be calculated for files (unicity not guaranteed: collisions are possible) and used to verify the integrity of files.
Quote:
I just installed and ran the new RKHunter so I could have a baseline of my fresh install. One thing it quickly caught on to was the fact I never downloaded any of the MD5's for Slack or any of the 3 or 4 packages I have installed since.
AFAIK, and the updated Comparing Linux/UNIX Binary Package Formats supports that, Slackware only has GPG and MD5 verification on the install tarball: none for files in the package and no method in the package manager to verify later on. Check Alien Bob's response in How do you GPG verify all of your rsync slackware directory.
Quote:
Has my contempt come around to get me, or is there a way to add the sums to the system now, while I still remember what I have installed?
If you asked this on the Sourceforge Rkhunter-users mailing list you'd get the answer to run the "hashupd" tool, which lives in RKH's CVS....
Quote:
It pointed out that Apache and OpenSSL were vulnerable, but I don't know enough to know how to remedy that situation.
AFAIK Slackware does not backport like RH does, so you'd either upgrade or remove vulnerable packages.
Quote:
As an aside, I would note that md5sums are no longer considered adequate to make sure a file hasn't been tampered with. It is better than nothing, and sometimes it is the only thing you have available. But the current accepted practice is to sign the downloaded file. In this case you download the file, the signature and, if necessary, the public part of the key that was used to sign it. You then use gpg to verify the signature.
While laudable, even that doesn't solve the problem of checking the integrity once installed. The only thing that helps would be to install a file integrity checker (preferably on O.S. install and before it's connected to the 'net) like Aide (passive, easily configurable), Samhain (active, has kernel module, lots of options) or even tripwire (obsolete, license problems) or md5deep, and save a copy of the binary, config (if any) and database off-site.
Quote:
Fully Supported OS's from here:
www.rootkit.nl
No. We moved house. I thought the 1.2.9 release made that clear but apparently nobody reads accompanying docs or news... RKH resides at SF: http://sourceforge.net/projects/rkhunter
Fully Supported OSes (CVS):
Code:
]$ # grep -i slack rkhunter/files/os.dat
134:Slackware 9.1.0:/usr/bin/md5sum:/bin
140:Slackware 9.0.0:/usr/bin/md5sum:/bin
147:Slackware 10.0.0:/usr/bin/md5sum:/bin
168:Slackware 10.1.0:/usr/bin/md5sum:/bin
184:Slackware 10.2.0:/usr/bin/md5sum:/bin
802:Slackware 11.0.0:/bin/md5sum:/bin:
So you see that, thanks to community support, we even got 11.
10-12-2006, 06:06 AM | #5 | Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519
I was reading through the tutorials here on LQ, and one member posted something that I thought was really neat, and kind of applied here, well in a roundabout way.
From here:
http://www.linuxquestions.org/linux/...uick_find_Tips
The writer stated:
Quote:
* Find all files created or updated in the last five minutes: (Great for finding effects of make install)
find / -cmin -5
I suppose that could be worked up into a script to find all files, then checksum & output to a log file and just add them to your initial checksum list and/or compare the list.
Then again, I see from Jeremy's/LQ/Tutorial that this was a feature that "tripwire" did for Linux users before they decided to no longer offer an open source version.
10-12-2006, 06:17 AM | #6 | Member | Registered: Sep 2006 | Posts: 42 | Original Poster
Quote:
Originally Posted by studioq
One thing I have never understood about the sums is how to properly download them and store them. If someone could explain that to me I promise to be a better Slacker in the future.
I guess I used too many words, or maybe not enough. The above seems to have gotten lost in the shuffle.
10-12-2006, 07:50 AM | #7 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
I suppose that could be worked up into a script to find all files, then checksum & output to a log file and just add them to your initial checksum list and/or compare the list.
If you run a file integrity checker you wouldn't even need to do that. On check you'd be informed changes occurred. After verification checks out OK you'd update the database.
Quote:
One thing I have never understood about the sums is how to properly download them and store them.
After install you would do for example:
Code:
find ${PATH//:/ } | xargs md5sum 2>/dev/null > /tmp/sums
...and to check simply run
Code:
md5sum --check --warn --status /tmp/sums && echo OK \
|| { echo FAILED; md5sum --check --warn /tmp/sums 2>&1|grep -v OK$; }
Finally, there must be Slackware tools out there that already do this in an integrated way, so better check that first, but here's an untested (so YMMV(VM)) idea for generating and checking sums from downloaded packages:
Code:
#!/bin/bash
# Purpose: Sum from package and check
# Args: switch and packagename
# Deps: Bash, GNU utils, tarball
# Run from: manual
# Prepstage functions
progn=${0//*\//}
# And FCOL/FFS set debug and error mode when testing:
# set -xe
preFlight() {
STORAGE="/var/adm/sums"; if [ ! -d "${STORAGE}" ]; then
mkdir -p "${STORAGE}"; fi; TMPDIR="${HOME}/tmp"
if [ ! -d "${TMPDIR}" ]; then mkdir -p "${TMPDIR}"; fi
PKG="$1"; if [ ! -s "${PKG}" ]; then
echo "${progn}: no such package: ${PKG}" >&2; exit 127; fi
PKG_BASE=${PKG//*\/}; }
# Scratch dir is named after the package file, not its full path
doSum() { PKG_TEMP=${PKG_BASE%.tgz}.tmp
# A leftover scratch dir is normally not empty, so rmdir would fail here
if [ -d "${TMPDIR}/${PKG_TEMP}" ]; then rm -rf \
"${TMPDIR}/${PKG_TEMP}" || exit 127; fi
mkdir -p "${TMPDIR}/${PKG_TEMP}" || exit 127
tar -xzf "${PKG}" -C "${TMPDIR}/${PKG_TEMP}" || exit 127
cd "${TMPDIR}/${PKG_TEMP}" || exit 127
# Regular files only, skip the package's install/ scripts, and turn the
# leading "./" into "/" so the sums refer to the installed paths
find . -type f ! -path './install/*' -print0 | xargs -0 md5sum 2>/dev/null \
| sed -e 's|  \./|  /|' > "${STORAGE}/${PKG_BASE}.md5"; }
doCheck() { if [ -f "${STORAGE}/${PKG_BASE}.md5" ]; then
SUMS="${STORAGE}/${PKG_BASE}.md5"
md5sum --check --warn --status "${SUMS}" && echo OK \
|| { echo FAILED; md5sum --check --warn "${SUMS}" 2>&1 \
| grep -v 'OK$'; }
else echo "No ${STORAGE}/${PKG_BASE}.md5"
exit 127; fi; }
case "$1" in
m|-m|--make-sum) shift 1; preFlight "$1" && doSum;;
c|-c|--check-sum) shift 1; preFlight "$1" && doCheck;;
*) echo "${progn}: [--make-sum|--check-sum] /path/to/package.tgz"
exit 1;;
esac
exit 0
10-12-2006, 09:10 AM | #8 | Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519
Quote:
Originally Posted by studioq
I guess I used too many words, or maybe not enough. The above seems to have gotten lost in the shuffle.
Studio,
What we're getting at here is that there is nothing that you can download to use that feature.
Mr. Pat V does not offer an "as installed" checksum list that rkhunter would check for you.
That is why I mentioned the thread about find, and "unSpawn" was very helpful to offer us that script to try out.
Have you taken a look at insecure.org? They have some good links in addition to the sticky here in the forums by the admin.
I for one want to try out "snort" but it won't gpg verify. I posted over there and no one's told me how to do it in weeks. I get a weird message, and I know I'm doing the code correctly for the gpg --verify as I do it all the time in Slack.
@unSpawn: thank you for the script, I'm going to give it a shot on a Slackware 11.0 installed into VMware... for "just in case" reasons, you know. I'll let you know how I make out.
10-23-2006, 01:33 AM | #9 | Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519
@unSpawn:
Doing this:
Quote:
find ${PATH//:/ } | xargs md5sum 2>/dev/null > /tmp/sums
appears to NOT do all files / folders on the "/" partition of Slackware 10.2 for me.
It appears to do:
/usr/local/
/usr/sbin/
/sbin/
/usr/local/
/usr/bin/
/bin/
/usr/X11R6/
/usr/lib/
/opt/kde/bin
/usr/lib/qt/bin
/usr/share/texmf/bin
Since my PC that runs VMware is still down I ran this on an old 300 MHz PC and it only took about 5 minutes.
Is the output above what the rkhunter checksum compare option would like to see?
FWIW, I did a little googling... and I found a recommendation by someone that said to use something like this, and it took hours:
Quote:
find / -type f -exec md5sum {} \; |tee /some-same-folder/output.md5
Now, I tried running the above while at the CLI in Slackware, and it totally just stopped and never got past /proc/devices/cpuinfo (or something like that).
So I rebooted that computer, and I tried a 'slax' live CD, mounted the "/" in /mnt/hda2 and ran the above. It was able to get through the /proc directory now that I wasn't actually running Linux. It md5summed every file. Wow, I never saw an 80 gig text file before LOL.
But I suspect that it's a little overkill, having to leave Linux to do it and all.
I didn't try the packages yet, I'm still trying to figure out how to get a good checksum here... and I'm really losing my mind trying to figure out how to edit the /etc/samhain file for a standalone PC... ugh!
Any help is truly appreciated.
10-23-2006, 05:45 AM | #10 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
appears to NOT do all files / folders
I'm afraid this isn't about security anymore, so it should really be a thread in another forum, say Linux General. You may benefit from running "md5deep", which is an easier way to get recursive sums.
Quote:
Is the output above what the rkhunter checksum compare option would like to see?
Much more than that. If you want the RKH subset of binaries to check, run hashupd (in Sourceforge's RKH CVS).
Quote:
I found a recommendation by someone that said to use something like this, and it took hours
Basically it's the old "exec vs xargs" debate. (Which, like so many, isn't a debate but a monologue since xargs wins.)
Quote:
Now, I tried running the above while at the CLI in Slackware, and it totally just stopped and never got past /proc/devices/cpuinfo (or something like that).
Then you need to supply "find" with -noleaf and -xdev.
Quote:
It was able to get through the /proc directory now that I wasn't actually running Linux. It md5summed every file. Wow, I never saw an 80 gig text file before LOL.
It's a waste of time to hash /proc and /dev contents.
Quote:
I didn't try the packages yet, I'm still trying to figure out how to get a good checksum here...
Shouldn't be that hard.
Quote:
and I'm really losing my mind trying to figure out how to edit the /etc/samhain file for a standalone PC... ugh!
That's twice. New topic, new thread, OK?
Last edited by unSpawn; 10-23-2006 at 05:55 AM.
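As an added example (not code from this thread, from rkhunter, or from Slackware), the following script ties together the advice from posts #2, #7 and #10: a baseline of md5 sums taken with the `-xdev` and `-noleaf` find options unSpawn recommends, so the walk never enters /proc, /dev or another mount and cannot hang the way the `-exec` one-liner in post #9 did; a check that reports only the files that changed or went missing, in the style of the `/tmp/sums` commands in post #7; and a check of one downloaded file against the md5 digest copied from its download page, which is the manual step described in post #2. The function names, the temporary directory tree built in `demo`, and its file contents are constructed for this example and are not part of any tool.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: baseline a tree of
# files with md5 sums, check the tree against that baseline later, and verify a
# downloaded file against a published digest. Function names and the tree built
# in demo() are constructed for this example.

make_baseline() {
    # $1 = root of the tree to record, $2 = file that receives the sums
    root="$1"; sums="$2"
    # -xdev:   stay on one filesystem, so /proc, /sys, /dev and other mounts
    #          are never entered (the hang on /proc in post #9 cannot happen)
    # -noleaf: do not rely on directory link counts to prune the walk
    # -print0 / xargs -0: file names containing blanks are passed intact
    # sort -z: a stable order, so two baselines of the same tree diff cleanly
    find "$root" -xdev -noleaf -type f -print0 2>/dev/null \
        | LC_ALL=C sort -z \
        | xargs -0 md5sum > "$sums" 2>/dev/null
    # succeed only if at least one file was recorded
    [ -s "$sums" ]
}

check_baseline() {
    # $1 = sums file; prints OK, or FAILED plus one line per changed/missing file
    sums="$1"
    if md5sum --check --warn --status "$sums"; then
        echo OK
        return 0
    fi
    echo FAILED
    # second pass without --status lists every file, so drop the ": OK" lines
    md5sum --check --warn "$sums" 2>&1 | grep -v ': OK$'
    return 1
}

verify_published_sum() {
    # $1 = downloaded file, $2 = the md5 hex digest published next to it
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

demo() {
    # Constructed tree, not a real system: two stand-in "binaries" in a temp dir
    work=$(mktemp -d) || return 1
    mkdir -p "$work/tree/bin" "$work/tree/sbin"
    printf 'original\n' > "$work/tree/bin/ls"
    printf 'original\n' > "$work/tree/sbin/init"
    make_baseline "$work/tree" "$work/sums" || return 1
    check_baseline "$work/sums" > /dev/null || return 1     # untouched tree passes
    printf 'tampered\n' > "$work/tree/bin/ls"               # simulate a replaced binary
    if check_baseline "$work/sums" > /dev/null; then return 1; fi   # must now fail
    rm -rf "$work"
    echo detected-change
}

demo
```

For a real system you would call `make_baseline / /var/adm/sums.md5` right after installation and before the first network connection, keep a copy of the sums file (and of `md5sum` itself) off the machine, and run `check_baseline` from that copy; a sums file left on the same disk can be edited by whatever edited the binaries.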