Old 11-09-2010, 12:13 AM
Josh Narins
 
Default How do I keep tripwire db in sync with apt-get updates?

Installing packages, updating packages, removing packages.

These basic operations result in lots of tripwire noise. Was the
change to /usr/sbin/zic part of a legitimate update, or a
super-secret-stealth attack?

At this point I wish I could md5sum every binary and library file
managed by the OS and compare that to some authoritative source.

Yay,
Josh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com
 
Old 11-09-2010, 01:39 AM
"Boyd Stephen Smith Jr."
 
Default How do I keep tripwire db in sync with apt-get updates?

In <AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com>, Josh Narins
wrote:
>Installing packages, updating packages, removing packages.
>
>These basic operations result in lots of tripwire noise. Was the
>change to /usr/sbin/zic part of a legitimate update, or a
>super-secret-stealth attack?
>
>At this point I wish I could md5sum every binary and library file
>managed by the OS and compare that to some authoritative source.

You may be interested in debsums, then. You could possibly use it to
determine if a file (but not a conffile) updated by a package upgrade /
installation is the one shipped from Debian or an attacker taking advantage of
the window between package upgrade and tripwire scan.

In theory, it could be possible for dpkg/apt to update the tripwire database
automatically. I recommend against it, since then subverting dpkg/apt allows
an attacker to subvert tripwire. Because of different focuses, I think the
tripwire code is much harder to subvert than the dpkg/apt code.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net                     ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/
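The check Boyd is pointing at is a simple one: dpkg keeps one `md5sum  relative/path` line per shipped file in `/var/lib/dpkg/info/<package>.md5sums`, and debsums recomputes the sums and reports the differences. The script below is an added example written for this page, not debsums itself and not code from anyone in the thread: it implements that comparison by hand over a constructed fake package tree, tampers with one binary, and shows what a post-upgrade check reports. Note that conffiles are not in the md5sums list, so, as Boyd says, this tells you nothing about files under /etc.

```shell
#!/bin/sh
# Added example (not from the thread, not debsums' own code): the comparison
# debsums performs, written out by hand against a dpkg-style md5sums list.

# verify_md5sums LISTFILE ROOT
# LISTFILE holds "<md5>  <path relative to />" lines as dpkg records them.
# Prints one OK / FAILED / MISSING line per entry and returns 0 only when every
# file matches its recorded sum. Paths containing spaces are not handled,
# which matches the limits of the md5sums format itself.
verify_md5sums() {
    list=$1
    root=${2:-/}
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "FAILED   $path"
            bad=1
        fi
    done < "$list"
    return $bad
}

# demo_tree DIR
# Builds a constructed fake package (two files) under DIR/root, records their
# sums the way dpkg would, then modifies the binary after the fact so the
# check has something to report. Nothing here is a real Debian package.
demo_tree() {
    dir=$1
    mkdir -p "$dir/root/usr/sbin" "$dir/root/usr/share/doc/demo"
    printf 'zone compiler\n' > "$dir/root/usr/sbin/zic"
    printf 'demo docs\n' > "$dir/root/usr/share/doc/demo/README"
    ( cd "$dir/root" && md5sum usr/sbin/zic usr/share/doc/demo/README ) \
        > "$dir/demo.md5sums"
    # Simulated post-upgrade modification of the shipped binary
    printf 'not the zone compiler\n' > "$dir/root/usr/sbin/zic"
}

# Stand-alone demo on a throwaway tree (constructed data).
tmp=$(mktemp -d)
demo_tree "$tmp"
verify_md5sums "$tmp/demo.md5sums" "$tmp/root" \
    || echo "-> at least one file differs from the recorded sums"
rm -rf "$tmp"
```

On a real system the equivalent is `debsums -c <package>` for the packages apt just touched; the manual version above is only there to make visible what a "FAILED" line does and does not prove.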
 
Old 11-09-2010, 02:08 AM
"Jesús M. Navarro"
 
Default How do I keep tripwire db in sync with apt-get updates?

Hi, Boyd:

On Tuesday 09 November 2010 03:39:58 Boyd Stephen Smith Jr. wrote:
> In <AANLkTi=AniQFz-1e_LW3OZtw9D6p5eEY1BxU3bECN_Pz@mail.gmail.com>, Josh
> Narins
>
> wrote:
> >Installing packages, updating packages, removing packages.
> >
> >These basic operations result in lots of tripwire noise. Was the
> >change to /usr/sbin/zic part of a legitimate update, or a
> >super-secret-stealth attack?

[...]

> In theory, it could be possible for dpkg/apt to update the tripwire
> database automatically. I recommend against it, since then subverting
> dpkg/apt allows an attacker to subvert tripwire. Because of different
> focuses, I think the tripwire code is much harder to subvert than the
> dpkg/apt code.

Well, dpkg/apt should trigger a tripwire hash recomputation, and it should be
tripwire that looks after the proper debsum and is instructed to accept it (or
not) prior to updating the database, not the other way around. I think that
should restrict the attack profile. After all, tripwire wouldn't do anything
you wouldn't do by hand anyway.

Cheers.


--
Archive: http://lists.debian.org/201011090408.16027.jesus.navarro@undominio.net
 
Old 11-09-2010, 07:35 AM
 
Default How do I keep tripwire db in sync with apt-get updates?

Thank you, I had forgotten debsums.

Sadly, debsums doesn't work for such basic packages as binutils and sysklogd.

Sent from my Verizon Wireless BlackBerry

 
Old 11-09-2010, 08:18 AM
"Boyd Stephen Smith Jr."
 
Default How do I keep tripwire db in sync with apt-get updates?

In <201011090408.16027.jesus.navarro@undominio.net>, Jesús M. Navarro wrote:
>Hi, Boyd:
>On Tuesday 09 November 2010 03:39:58 Boyd Stephen Smith Jr. wrote:
>> In theory, it could be possible for dpkg/apt to update the tripwire
>> database automatically. I recommend against it, since then subverting
>> dpkg/apt allows an attacker to subvert tripwire. Because of different
>> focuses, I think the tripwire code is much harder to subvert than the
>> dpkg/apt code.
>
>Well, dpkg/apt should trigger a tripwire hash recomputation and it should be
>tripwire the one to look after the proper debsum and being instructed to
>accept it prior to update the database (or not), not the other way around.
>I think that should restrict the attack profile. After all, tripwire
>wouldn't do nothing you wouldn't do by hand anyway.

Updating the tripwire database requires it to be re-signed with the local key.
Doing so generally requires the passphrase to unlock (decrypt) the key. If
you script away the passphrase entry, by storing the passphrase (or key!)
unencrypted, you significantly reduce the protection afforded by tripwire
against local privilege escalation attacks.

That said, it might be possible to use hooks (à la apt-listbugs, but much more
complex) to have dpkg/apt trigger tripwire for certain files and have tripwire
ask for the key in the ordinary manner. It's non-trivial to get right, though.

For me, running (tripwire --check -I) immediately after a package update keeps
the exploitation window sufficiently small. A dedicated attacker could
probably root me, but it is likely to be sufficiently troublesome that it is
not worth it for my data. The attack I am imagining is to modify dpkg,
the apt trustdb, and apt settings, to "plant" a dpkg, apt, and debian-keyring
"upgrade" that is malicious. If I installed the upgrade(s) before running a
tripwire check, the original modifications would be lost in the "noise" of the
package upgrades displayed by (tripwire --check). Still, that depends on me
doing the "upgrade" before my nightly tripwire cron job; rather unlikely since
both it and my packages-that-need-upgrades cron job run during a time when I
am asleep. An alternative attack would be to modify a binary/library that I
might believe is part of a valid upgrade, during roughly the same window.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net                     ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/
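Boyd's two points above, that a hook can make apt trigger the check, but that the database update must stay behind the passphrase, fit together as follows. The script below is an added example for this page (not apt's, debsums' or tripwire's own code, and not something anyone in the thread posted): it is meant to be installed as a `DPkg::Post-Invoke` hook, reads dpkg's log to find which packages the run just installed or upgraded, runs `debsums -c` on exactly those, and then runs a plain `tripwire --check`, which needs no passphrase. The interactive `tripwire --check -I` that accepts changes and re-signs the database is deliberately left to a human. The hook script path, the stamp file location and the log lines in the test are this example's own assumptions and constructed data; `/var/log/dpkg.log` is dpkg's default log.

```shell
#!/bin/sh
# Added example (not from the thread): the non-interactive half of a
# post-upgrade integrity check, suitable for an apt DPkg::Post-Invoke hook.
# Assumed paths: /var/log/dpkg.log (dpkg's default), a stamp file of this
# example's own choosing. The tripwire database is never updated here,
# because re-signing it needs the local key and its passphrase.

# changed_packages_since LOGFILE "YYYY-MM-DD HH:MM:SS"
# Lists packages installed or upgraded at or after the timestamp, sorted and
# unique. dpkg.log lines look like
#   2010-11-09 02:30:01 upgrade binutils 2.20.1-14 2.20.1-15
#   2010-11-09 02:30:05 install sysklogd <none> 1.5-6
# Newer dpkg versions append ":arch" to the name; that suffix is stripped.
# The timestamp format sorts lexically, so a string compare is enough.
changed_packages_since() {
    log=$1
    since=$2
    awk -v since="$since" '
        (($3 == "install" || $3 == "upgrade") && (($1 " " $2) >= since)) {
            sub(/:.*/, "", $4); print $4
        }' "$log" | sort -u
}

# post_invoke_check LOGFILE STAMPFILE
# 1. debsums -c on the packages changed since the last run (files whose sums
#    differ from what dpkg recorded; conffiles are not covered)
# 2. a plain tripwire --check, which prints its report without touching the
#    database, so no passphrase is needed and none is stored anywhere
# Both tools are skipped when absent so the script is safe to run anywhere.
post_invoke_check() {
    log=${1:-/var/log/dpkg.log}
    stamp=$2
    since=$(cat "$stamp" 2>/dev/null || echo "1970-01-01 00:00:00")
    pkgs=$(changed_packages_since "$log" "$since")
    if [ -n "$pkgs" ]; then
        echo "packages installed/upgraded since $since:"
        echo "$pkgs" | sed 's/^/  /'
        if command -v debsums >/dev/null 2>&1; then
            echo "$pkgs" | xargs debsums -c
        fi
    fi
    if command -v tripwire >/dev/null 2>&1; then
        tripwire --check
    fi
    date '+%Y-%m-%d %H:%M:%S' > "$stamp"
}

# apt_hook_snippet HOOK_SCRIPT
# The apt.conf.d fragment that appends the script to apt's Post-Invoke list,
# e.g. written to /etc/apt/apt.conf.d/99tripwire-check (assumed name).
apt_hook_snippet() {
    printf 'DPkg::Post-Invoke { "%s"; };\n' "$1"
}

# Stand-alone run: report what changed since the last stamp on this machine.
if [ "${TW_HOOK_DEMO:-0}" = "1" ]; then
    post_invoke_check /var/log/dpkg.log /var/lib/tripwire/last-apt-check
fi
```

The only state the hook keeps is the timestamp of its last run, so a reboot or a failed run merely makes the next report longer, never shorter; and because the stamp is compared inclusively, a package logged in the same second as the stamp is reported twice rather than missed. The accept-and-re-sign step remains `tripwire --check -I` typed by the administrator, which is exactly the split Boyd describes.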
 
Old 11-09-2010, 08:28 AM
"Boyd Stephen Smith Jr."
 
Default How do I keep tripwire db in sync with apt-get updates?

On Tuesday, November 09, 2010 02:35:39 you wrote:
>Sadly, debsums doesn't work for such basic packages as binutils and
>sysklogd.

It does; just not quite in the way you would like. Many packages are shipped
without debsums. However, debsums uses a dpkg/apt hook to generate sums for
any package that is missing them that is installed after debsums is working.
There is also a mode to find packages that do not have a record in the debsums
database and generate sums from the running system.

BTW, no need to CC me. I check list email at the same time/place as my
personal mail.
--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net                     ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/