Domain: knowngoods.org
Stories and comments across the archive that link to knowngoods.org.
Comments · 4
-
Re:It's time....
if you prepare beforehand, it's possible to have a way to check the whole system independent of which distro you use. just run tripwire (http://sourceforge.net/projects/tripwire) or some other similar tool and you'll have a comprehensive database of MD5 checksums for everything important in your system. you can even monitor changes to config files. it makes for some nice "immune system" for your *NIX
the package "debsums" also adds a database of know MD5s for most debian packages. even if you don't have debsums or if your RPM database is hosed (that would make rpm -V useless) you can still count with knowngoods.org (http://www.knowngoods.org/ a database of checksums for several default binaries shipped with several linux distros, BSDs and even solaris.
want to know the checkums for solaris 9's /usr/bin/bash ? here
kinda usefull when diagnosing a system -
Re:It's time....
if you prepare beforehand, it's possible to have a way to check the whole system independent of which distro you use. just run tripwire (http://sourceforge.net/projects/tripwire) or some other similar tool and you'll have a comprehensive database of MD5 checksums for everything important in your system. you can even monitor changes to config files. it makes for some nice "immune system" for your *NIX
the package "debsums" also adds a database of know MD5s for most debian packages. even if you don't have debsums or if your RPM database is hosed (that would make rpm -V useless) you can still count with knowngoods.org (http://www.knowngoods.org/ a database of checksums for several default binaries shipped with several linux distros, BSDs and even solaris.
want to know the checkums for solaris 9's /usr/bin/bash ? here
kinda usefull when diagnosing a system -
Re:reinstall everything from scratch.The only real way to know if a binary has been compromised is by using an MD5 or SHA1 hash sum. The thing is, you have to know the sum of the uncompromised binary. Sites like Known Goods can help here. Besides the binaries, dynamic libraries, bash/tcsh, even the kernel itself could potentially be compromised.
You really though don't want to be messing around on a compromised system. Like many others have suggested, you'll want to boot of a CD and go from there. Single user mode is unacceptable, since you're running off the compromised system. So what you want is a bootable CD with statically linked binaries.
If you have backups, great... just reboot, reformat, and reinstall everything. If you need to retreive data, do so from a bootable CD with statically linked, trusted binaries, onto alternate media -- you can even go across a network using netcat.
-
Combination solution.
Ideally, a simple tool should be developed that does the following:
Compare the MD5sums of critical files to a recent known "snapshot" of the system on RO media, which only indexes files that were changed and reconciled. Perhaps there is a list of files of which only certain byte ranges (perhaps just executable ELF sections) are checked, are some are omitted. (Other slashdotters mention caches/timestamps in certain relevant files that screw up checksums). You would have a whitelist (files which must match), then a graylist (files which meet byte-range criteria), and perhaps even a blacklist that prevents files that would normally be flagged to be ignored.
In checking full file checksums, those not explicitly listed above would fallback to a check using a HTTP get request conforming to this helpful document these guys have offered.
And to those who were asking about other distributions: they are looking for people willing to work with them to add new distros/architectures to their database.