On 18-Aug-01 Gediminas Grigas wrote:
> Hello suse-security,
> I would like to ask: is there any tool (semi-automated preferable) to check binaries' md5(?)sums? Kind of a basic shell script which has the original sum list of aaa_base binaries, and then goes through all of them and checks for conformity? As for now I see only one way -> download the list from the SuSE FTP server or copy it from CD and then go through it manually. However, I feel like I'm not the first person who has the feeling that it's time to look for a rootkit and think that there is a tool made to make lives easier... Surely there is nothing wrong with checking one or two binaries, but I'm paranoid enough to check all base binaries. Besides, I have 3 SuSE distributions to check, so I will need at least 3 binary lists.
> I found "Linux rootkit detector" on sourceforge, however it's still in beta, and looks for differences between ps() output and the /proc table, not checking the binaries themselves.
The problem here is that the actual capabilities of many rootkits are unknown to most admins. Some "just" replace essential tools like ls, grep, ps, find, top, etc., some modify lastlog and other log entries, some show a trojan-like behaviour and open stealthy backdoors, and there are some who do all of it, namely modifications to your local rpm database and the /proc file system. Applying file integrity checkers like tripwire *after* taking a server into production surely is better than doing no integrity checking at all; unfortunately, some (many?) admins tend to implement them after something strange has happened, which they hope to detect that way. It's still possible, though quite hard, to do a file integrity check in this case, using a write-only "master" (like the SuSE CDs), but this is limited to originally installed RPM packages only; most config files and programs which have been compiled from a tarball (.tar.gz) simply couldn't be verified correctly that way.
> Any references (to sum lists of 6.1, 6.3 and 7.1 or to rootkit related topics) and suggestions would be very welcome :-) Thanks!
IMO, the Right Thing to do would be to:
1.) Implement tripwire *before* the system goes into production
2.) configure tripwire to check *relevant* files, not e. g. backups of logfiles or app pid-files, to avoid a bloated tw report which may get annoying
3.) create a write-only backup of all essential config files and binaries
4.) periodically check your system using chkrootkit from http://www.chkrootkit.org. This tool detects about 20 common and not-so-common rootkits and monitors the integrity of dozens of important binutils.
> -- Will you help us, Mulder?
> Yeah, Scully. The answer is out there. Out there...! ;)
> Best regards, Gediminas mailto:lists@kryptis.lt
---
Boris Lorenz
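The "basic shell script" asked for in the question, as an added example that is not part of the thread: it snapshots md5sums of a file list and later verifies the snapshot, reporting missing and replaced files. It assumes GNU coreutils md5sum and uses constructed stand-in files in a temp dir rather than real aaa_base binaries; the baseline should be taken from known-good media and kept off the box or read-only, as Boris advises.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils md5sum.

# make_baseline LISTFILE BASELINE: write "md5sum  path" for each path in LISTFILE
make_baseline() {
    while IFS= read -r f; do
        [ -n "$f" ] && md5sum "$f"
    done < "$1" > "$2"
}

# verify_baseline BASELINE: print MISSING/CHANGED paths; return 1 if any differ
verify_baseline() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"; status=1; continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED: $path"; status=1
        fi
    done < "$1"
    return $status
}

# run_scenario clean|tamper: constructed stand-in "binaries" (not real aaa_base
# files) in a temp dir; returns verify_baseline's status
run_scenario() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        printf 'original ls\n' > ls
        printf 'original ps\n' > ps
        printf '%s\n' ./ls ./ps > list
        make_baseline list baseline.md5
        if [ "$1" = tamper ]; then
            rm -f ls                      # a deleted binary
            printf 'replaced ps\n' > ps   # a swapped binary; same size, so only the sum tells
        fi
        verify_baseline baseline.md5
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_scenario tamper; echo "verify status: $?"
```

Replace the constructed list with the real paths (e.g. from `rpm -ql aaa_base`) and keep one baseline per distribution release.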