online checksum verification for FreeBSD
Micheas Herman
m at micheas.net
Thu Mar 11 21:25:52 UTC 2010
On Thu, 2010-03-11 at 09:13 -0800, Roger Marquis wrote:
> Elmar Stellnberger wrote:
> > I believe it would be highly desirable to have an online md5sum
> > verification for FreeBSD as this is already implemented by checkroot
>
> This is not difficult to do on a per-host basis using integrit, cron and
> optionally md5 with mail, ftp or scp.
>
> > (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> > way to spot an intrusion.
>
> Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
> host. Wouldn't that make global checksums relatively useless?
>
The second most common way I have seen packages installed is off
of one's own build server, with the "official" packages being used
by people new to FreeBSD.
The thing that makes people love FreeBSD is that the source that
compiled your program is right there and easy to get up to speed
on to change things, with the Make files providing a lot of
usually helpful hints.
Personally, a tripwire that was friendlier to website admins
would be really nice.
Which this somewhat tries to be, but it fails in the sense that
it does not deal with /etc/make.conf.
This might actually be a reasonable business model, free if you
are using debian/centos/opensuse/"official" FreeBSD packages,
and a small annual fee to host your own checksums.
I have about 2% of my debian packages that would fail checksums
because I modified the source before compiling them.
To make your problem worse when you leave the confines of
openSUSE, there is a Debian utility called apt-build that
fetches the pkg source and builds it and installs the deb much
like FreeBSD ports.
You are going to have similar problems with Gentoo.
Binaries compiled -O vs -O2 produce different binaries. In the
x86 world, you can make a binary compatible with processor N and
higher, each of which produces a different checksum, for most,
but not all, programs.
Tripwire has clearly not progressed very quickly, and is not
used as much as it probably should be.
Also, the FreeBSD group tends to be pretty merciless in pointing
out when you make a mistake (I made several with vinum).
Don't be discouraged, but the problem is bigger than Elmar seems
to have been assuming, but that is what makes life fun, right?
Micheas
> Roger Marquis
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
Habit is habit, and not to be flung out of the window by any man, but coaxed
down-stairs a step at a time.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
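The per-host approach Roger describes (a checksum baseline kept by cron, with the manifest mailed or scp'd somewhere the host cannot rewrite it) is what the thread contrasts with a global checksum table, which cannot work for a system whose binaries are built locally with whatever /etc/make.conf says. The script below is an added example, not code from this thread, from integrit or from FreeBSD: it records a SHA-256 for every regular file under a directory and later reports files that were modified, removed or added. The manifest format, the directory and manifest paths, and the cron wiring in the trailing comment are assumptions; it uses sha256(1) where present (FreeBSD base) and falls back to sha256sum(1) on GNU userlands.

```shell
#!/bin/sh
# Added example, not code from the freebsd-security thread: a minimal per-host
# checksum baseline in the spirit of the "integrit, cron and md5" approach.
# Manifest format is one "sha256 path" line per regular file (an assumption).
set -u

# Pick a SHA-256 tool: FreeBSD ships sha256(1); GNU userlands ship sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR MANIFEST: record a hash for every regular file under DIR.
# Run this on the host itself after install or after rebuilding from ports,
# because locally compiled binaries will not match anyone else's checksums.
make_baseline() {
    dir=$1; manifest=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$manifest"
}

# verify_baseline DIR MANIFEST: report MODIFIED, MISSING and ADDED files.
# Returns 0 when the tree matches the manifest, 1 when anything differs.
verify_baseline() {
    dir=$1; manifest=$2; status=0
    # Every file the manifest knows about must still exist with the same hash.
    while read -r expected f; do
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; status=1
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$f"; status=1
        fi
    done < "$manifest"
    # Anything on disk that the manifest does not list was added since baseline.
    known=$(mktemp); ondisk=$(mktemp)
    cut -d' ' -f2- "$manifest" | LC_ALL=C sort > "$known"
    find "$dir" -type f | LC_ALL=C sort > "$ondisk"
    added=$(comm -13 "$known" "$ondisk")
    rm -f "$known" "$ondisk"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED    /'
        status=1
    fi
    return "$status"
}

# Typical cron use (paths are assumptions): baseline once after install, then
#   verify_baseline /usr/local/bin /var/db/baseline.sha256 || mail -s "checksum drift" root
```

The manifest is only worth as much as the place it lives: keep a copy off the host (Roger's mail, ftp or scp) or on read-only media, since an intruder who can rewrite the binaries can rewrite a manifest stored beside them. Expect to regenerate it after every portupgrade or change to /etc/make.conf, which is exactly the maintenance burden Micheas is pointing at for locally built systems.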