Subject: Re: Adding /usr/local to daily security audit
To: Jeff_W <jgw@tx0.org>
From: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
List: netbsd-users
Date: 06/29/2007 08:09:03

Thus spoke Jeff_W (jgw@tx0.org)
> Is there an easy way? Mainly just want to check the binaries, libraries
> and config files under /usr/local.  Doesn't need to be at the same level
> as the default /usr/pkg audit, maybe just daily checks of
> /usr/local/{bin,etc,libexec}, log diffs and generate/check checksums.  As
> near as I can tell I'd probably need to create something in
> /etc/security.local and maybe a permissions category under /etc/mtree/.
> But I'm not sure.  Maybe there's an easier way.  Didn't see anything that
> seemed relevant on netbsd.org; maybe someone knows of other online
> resources that cover this topic?

As far as I understood, you want to check the integrity of files
residing under /usr/local.

You can use mtree(8) to check the integrity; it creates a database of
files and their attributes, including checksums.

To do automatic checking, enable "run_security=YES" in /etc/daily.conf
and "check_mtree=YES" in /etc/security.conf, if they aren't enabled
already.

Mtree uses the databases (which are plain text files) in /etc/mtree/.
If you want to add /usr/local to the list of hierarchies to check, do
something like:

# mtree -L -c -K sha1,rmd160,gid,uid,mode -p /usr/local > /etc/usrlocal.secure


To do a manual check, run:
# mtree -L -p /usr/local -f /etc/usrlocal.secure

Note that you have to ensure the integrity of the database files. Do
so by applying either a cryptographic signature with GnuPG or OpenSSL
or generate a simple checksum with e.g. "md5 /etc/usrlocal.secure" and
write it down or print a hardcopy. Check the database regularly. If an
intruder hacks into your box, he will usually clean up the logs and
manipulate the mtree databases to hide his footsteps. I keep the mtree
files for my database servers on a write-protected floppy disk, to
avoid them being manipulated.


hope that helps,
Stefan
-- 
PGP FPR: CF74 D5F2 4871 3E5C FFFE  0130 11F4 C41E B3FB AE33
http://www.net-tex.de
http://www.cryptomancer.de
-- 
What have people prayed for since childhood, what have they dreamed of,
what have they tormented themselves with? That someone would tell them once and for all
what happiness is, and chain them to that happiness. And is this not
exactly what we are doing? The ancient dream of paradise ...
Jewgenij Iwanowitsch Samjatin, »Wir«

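The workflow Stefan describes (build a database of the tree, check the tree against it on a schedule, and protect the database itself with a checksum or signature kept somewhere the attacker cannot reach) is shown below as an added example, not code from the mail or from NetBSD's mtree(8). It uses portable tools instead of mtree so it can be run anywhere: it assumes sha256sum(1) from GNU coreutils (on NetBSD substitute the system sha256 utility), and every path it touches is a constructed temporary directory standing in for /usr/local and for the off-box store.

```shell
#!/bin/sh
# Added example, not from the original mail or from NetBSD's mtree(8).
# Assumes sha256sum(1) (GNU coreutils); all paths are constructed temp dirs.

# build_db ROOT DBFILE: record "sha256  relative/path" for every regular file
# under ROOT/{bin,etc,libexec}, sorted so an unchanged tree gives identical output.
build_db() {
    ( cd "$1" && find bin etc libexec -type f 2>/dev/null | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# seal_db DBFILE SEALFILE: checksum the database itself; the seal is what you
# keep off the box (the mail suggests a signature, a hardcopy or a
# write-protected floppy), so a rewritten database can be detected.
seal_db() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# verify_seal DBFILE SEALFILE: returns 0 only if the database matches its seal.
verify_seal() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$(cat "$2")" ]
}

# check_tree ROOT DBFILE: report differences between the database and the tree
# as it is now; returns 0 only when nothing has changed (the daily-check step).
check_tree() {
    tmp=$(mktemp) || return 2
    build_db "$1" "$tmp"
    # diff(1) marks database-only lines with "<" and current-tree lines with ">"
    diff "$2" "$tmp" | sed -n -e 's/^< /recorded, not matching now: /p' \
                              -e 's/^> /on disk now: /p'
    if diff -q "$2" "$tmp" > /dev/null; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# run_demo: build a constructed tree, seal its database, then simulate the two
# cases the mail warns about: a changed binary, and a database rewritten to
# cover it up. Prints "clean=0 tampered=1 seal=1".
run_demo() {
    root=$(mktemp -d) && store=$(mktemp -d) || return 2
    mkdir -p "$root/bin" "$root/etc" "$root/libexec"
    # constructed sample files standing in for /usr/local/{bin,etc,libexec}
    printf '#!/bin/sh\necho hello\n' > "$root/bin/hello"
    printf 'debug=no\n' > "$root/etc/app.conf"
    printf 'helper v1\n' > "$root/libexec/helper"

    db="$store/usrlocal.secure"
    seal="$store/usrlocal.secure.sha256"
    build_db "$root" "$db"
    seal_db "$db" "$seal"

    # untouched tree: the check passes
    check_tree "$root" "$db" > /dev/null && clean=0 || clean=$?

    # a binary is modified: the check fails
    printf '#!/bin/sh\necho modified\n' > "$root/bin/hello"
    check_tree "$root" "$db" > /dev/null && tampered=0 || tampered=$?

    # the database is regenerated to hide the change: the seal still fails
    build_db "$root" "$db"
    verify_seal "$db" "$seal" && sealrc=0 || sealrc=$?

    rm -rf "$root" "$store"
    echo "clean=$clean tampered=$tampered seal=$sealrc"
}

run_demo
```

The point of the seal is the last step: regenerating the database after a change makes check_tree pass again, which is exactly the cover-up the mail describes, and only a checksum or signature stored outside the attacker's reach reveals it.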