[vox-tech] Easy tripwire alternative
Rod Roark
vox-tech@lists.lugod.org
Sat, 14 Dec 2002 13:38:03 -0800
Here's the latest. Looks like I'm up to 7 "lines of code"
now, not counting cosmetics. The long "find" command is
obviously a candidate for tweaking, but you get the idea:
rod mnt # mount /dev/fd0 floppy
rod mnt # cd floppy
rod floppy # ls -l
total 869
-rwxr--r-- 1 root root 325 Dec 14 13:15 check
-rwxr--r-- 1 root root 72264 Jun 23 07:42 diff
-rwxr--r-- 1 root root 65119 Dec 14 13:19 find
-rwxr--r-- 1 root root 63488 Jun 23 10:44 gzip
-rwxr--r-- 1 root root 650487 Dec 14 13:28 md5.root.gz
-rwxr--r-- 1 root root 36027 Jul 1 02:56 md5sum
-rwxr--r-- 1 root root 116 Dec 14 13:17 update
rod floppy # cat check
#!/bin/sh
#
echo "Building /tmp/md5.root ..."
./find / -xdev -type f \( -path '/lib/*' -o -path '/usr/lib/*' -o -perm +111 \) \
    ! -path '/var/spool/*' ! -path '/var/log/*' -exec ./md5sum {} \; > /tmp/md5.root
if [ -f md5.root.gz ]; then
    echo "Checking differences ..."
    ./gzip -d -c md5.root.gz | ./diff - /tmp/md5.root
fi
rod floppy # cat update
#!/bin/sh
#
echo "Copying and compressing list to floppy ..."
rm -f md5.root.gz
gzip -c /tmp/md5.root > md5.root.gz
rod floppy #
Hey, isn't this how Linus started? ;-)
Cheers,
-- Rod
http://www.sunsetsystems.com/
On Saturday 14 December 2002 12:54 pm, msimons@moria.simons-clan.com wrote:
> On Sat, Dec 14, 2002 at 12:08:16PM -0800, Rod Roark wrote:
> > My plan is to keep the md5sum, find and grep binaries on the
> > floppy. They still require system .so libraries but those
> > will be harder to hack. A bootable CD is a good idea, but
> > I'd like to be able to check without taking the servers
> > down.
>
> Once you get the resulting system done... could you post the next
> revision?
>
> TTFN,
> Mike
>
> ps:
> As far as hacking the .so libraries... I was going to put together a
> simple demonstration of changing libc so that anytime md5sum -c was running
> it would find no problems. Since it is very easy to 'filter' things
> (call the real worker function if something isn't true but return
> fake results if not true), it's only like 50 lines or less.
> I tried an ltrace to figure out which call it made to the *cmp functions,
> and found none... this is why I pulled down the md5sum source code
> to see what it was doing, since it must logically do a 'memcmp'
> on the string it read to the string it computed. Anyway I noticed
> several small hard coded buffers. Also md5sum.c does actually do a
> memcmp call, but it turns out that gcc when compiling with -O2 will
> replace the call to a builtin asm block... so the libc example would
> either have to play with the fprintf error report or be even fancier.
> About this time I decided to stop ...
>
> pps:
> I've heard of kernel module root kit type things... where something loads
> into a running kernel which allows processes to do whatever they want,
> and the activity is cloaked from normal user view... I read about this
> a long time ago so don't have any references, but in theory even a kernel
> which has no support for module loading could be 'taken over' via a root
> process, /dev/kmem, and loads of black magic.