A crude system verification method

July 31, 2008

Suppose that you have a system that you are not entirely confidant of, and you want to look to see if bits of it have been modified from stock. The easiest way is to use your packaging system's verification support, but let us suppose that your package system doesn't have support for this (or at least that the support is optional and not installed at the moment).

If you happen to have another theoretically identical system lying around (as we do), you can do a crude system verification with rsync:

rsync -n -a --delete -IOc root@hostA:/usr/ /usr/

Here hostA should be the machine that you want to verify, not the machine that you want to verify it against. It also assumes that you can do ssh root logins to hostA. Some of these options are not obvious; -O makes rsync ignore changed directory times, while -I and -c forces rsync to always checksum files to check to see if they're different, instead of trusting the size and the timestamp.

(Package systems generally don't reset the directory modification time when they update programs in a directory, so directories like /usr/bin can naturally have different timestamps on different machines. Ignoring them saves you from drowning in noise.)

This isn't likely to work on Linux machines that use prelinking, because prelinking can create different binaries even on machines with identical package sets.

Disclaimer: as a crude verification method, this should only be used if you are mostly confidant in the system to start with. If you are not, remember the zeroth law of compromised systems.


Comments on this page:

From 83.145.204.27 at 2008-08-04 04:10:28:

A very platform-specific note, but since I am now a happy system administrator of few NetBSD machines, I have been highly intrigued by their veriexec-framework.[1] It is sort-of "half-baked mandatory access control framework" or "half-IPS", providing, among other things, in-kernel file integrity subsystem; each file is fingerprinted once and the hashes are then compared by the kernel in real-time.[2]

I think the idea behind veriexec is very similar to what you are after. (Practical usefulness and implementation details can be another thing.)

- Jukka.

[1] http://netbsd.gw.com/cgi-bin/man-cgi?security++NetBSD-current

[2] http://www.netbsd.org/docs/guide/en/chap-veriexec.html

Written on 31 July 2008.
« SSL's identity problem
One reason that it is so hard to challenge Google »

Page tools: View Source, View Normal.
Search:
Login: Password:

Last modified: Thu Jul 31 23:28:05 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.