Invariant Properties


System Integrity Checks Using Debian/Ubuntu Package Metadata

Bear Giles | April 6, 2011

I have time to post a few notes while waiting for Norton to finish a complete scan of my Windows 7 system….

In a well-managed Debian/Ubuntu system everything that is not under /home is under package management control. Okay, that's a gross overstatement, even though it feels that way at times. The actual split is:

/bin, /sbin, /lib, /usr – package management. (Note: /usr/local is not package-managed; the post's convention is to symlink it into /var/local so that unpackaged local files live outside the tree being checked.)

/boot – package management (plus the GRUB configuration, which is generated by update-grub rather than shipped as a package file)

/dev – populated at boot by udev, so there is little static content to check

/etc – package management plus conffiles

/home, /root – no package management

/media, /mnt, /proc, /tmp – transient and without package management

/opt – ideally under local package management

The /var partition is a catchall mess although it’s getting better.  In general it won’t be under package management beyond the creation of directory structures.

All Debian and Ubuntu packages contain metadata that is written into the /var/lib/dpkg/info directory. Specifically we’re interested in three files:

<package>.list – every path the package installs, one absolute path per line, including directories and symlinks.

<package>.md5sums – MD5 checksums for the regular files the package installs. Paths here are relative (no leading slash), and conffiles, symlinks and directories are not listed.

<package>.conffiles – a list of configuration files that are provided by the package but are routinely edited by the system administrator.

Now here's the key point: every file under /bin, /sbin, /lib, /usr, /etc and /boot should be 'owned' by exactly one package, and it should either match the MD5 checksum recorded for it or be a designated conffile of that package. (Conffiles, symlinks and directories appear in the .list but not in the .md5sums, so for those the metadata only tells you that they should exist.) We can use the package metadata to find files that have been modified, files that shouldn't be there, and files that are missing. The debsums package automates the checksum half of this; the unowned-file check you have to script yourself.
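Putting the three files together, here is a checker in Python. It is an added example, not the post's own code. It assumes an info directory laid out like /var/lib/dpkg/info (absolute paths in .list and .conffiles, relative paths in .md5sums); the package 'hello', its file list and the tampering the checker finds are all constructed in a temporary directory so the script runs offline:

```python
"""Check a filesystem root against dpkg-style package metadata.
Added example, not code from the original post. It reads <pkg>.list, <pkg>.md5sums and
<pkg>.conffiles from a directory laid out like /var/lib/dpkg/info and reports files whose
checksum changed (and are not conffiles), owned files that are gone, and files under the
managed prefixes that no package claims. On a real box: check_root("/", "/var/lib/dpkg/info").
The sample it runs on is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

MANAGED = ("/bin", "/sbin", "/lib", "/usr", "/etc", "/boot")

def load_metadata(info_dir):
    """Return (path -> owning package, path -> expected md5, set of conffile paths)."""
    owned, md5s, conffiles = {}, {}, set()
    for name in sorted(os.listdir(info_dir)):
        pkg, _, kind = name.rpartition(".")            # e.g. 'hello.md5sums'
        if kind not in ("list", "md5sums", "conffiles"):
            continue
        with open(os.path.join(info_dir, name)) as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
        if kind == "list":                             # absolute paths: dirs and symlinks too
            owned.update((path, pkg) for path in lines)
        elif kind == "md5sums":                        # '<md5>  usr/bin/x': relative, regular files only
            for ln in lines:
                digest, rel = ln.split(None, 1)
                md5s["/" + rel.lstrip("/")] = digest
        else:                                          # conffiles: absolute paths the admin may edit
            conffiles.update(lines)
    return owned, md5s, conffiles

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_root(root, info_dir, prefixes=MANAGED):
    """Report modified, missing and unowned files under 'root' as sorted lists."""
    owned, md5s, conffiles = load_metadata(info_dir)
    modified, missing, unowned = set(), set(), set()

    def real(path):                                    # logical '/usr/bin/x' -> path inside root
        return os.path.join(root, path.lstrip("/"))

    # Owned regular files must exist and, unless they are conffiles, match their md5.
    for path, digest in md5s.items():
        if not os.path.lexists(real(path)):
            missing.add(path)
        elif path not in conffiles and os.path.isfile(real(path)) and md5_of(real(path)) != digest:
            modified.add(path)
    # Conffiles are normally absent from .md5sums; they may be edited but must still exist.
    missing.update(path for path in conffiles if not os.path.lexists(real(path)))
    # Anything under a managed prefix that no package's .list mentions is cruft or worse.
    for prefix in prefixes:
        for dirpath, dirnames, filenames in os.walk(real(prefix)):
            for name in dirnames + filenames:
                logical = "/" + os.path.relpath(os.path.join(dirpath, name), root)
                if logical not in owned:
                    unowned.add(logical)
    return {"modified": sorted(modified), "missing": sorted(missing), "unowned": sorted(unowned)}

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data if isinstance(data, bytes) else data.encode("utf-8"))

def build_sample(base):
    """Constructed sample: one hypothetical package 'hello', then some tampering of the root."""
    info, root = os.path.join(base, "info"), os.path.join(base, "root")
    os.makedirs(info)
    for d in ("usr/bin", "usr/share/doc/hello", "etc"):
        os.makedirs(os.path.join(root, d))
    pristine_bin, pristine_doc = b"#!/bin/sh\necho hello\n", b"Copyright 2011, example\n"
    _write(os.path.join(info, "hello.list"), "\n".join(
        ["/.", "/usr", "/usr/bin", "/usr/bin/hello", "/usr/share", "/usr/share/doc",
         "/usr/share/doc/hello", "/usr/share/doc/hello/copyright", "/etc", "/etc/hello.conf"]) + "\n")
    _write(os.path.join(info, "hello.md5sums"), "%s  usr/bin/hello\n%s  usr/share/doc/hello/copyright\n"
           % (hashlib.md5(pristine_bin).hexdigest(), hashlib.md5(pristine_doc).hexdigest()))
    _write(os.path.join(info, "hello.conffiles"), "/etc/hello.conf\n")
    # Tampering: the binary was altered, the doc file deleted, an extra file dropped in.
    _write(os.path.join(root, "usr/bin/hello"), pristine_bin + b"# tampered\n")
    _write(os.path.join(root, "etc/hello.conf"), b"# locally edited: fine for a conffile\n")
    _write(os.path.join(root, "usr/bin/.backdoor"), b"unowned\n")
    return root, info

def run_demo():
    with tempfile.TemporaryDirectory() as base:
        root, info = build_sample(base)
        return check_root(root, info)

if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for path in paths:
            print("%-9s %s" % (kind.upper(), path))
```

Run against a real system (check_root("/", "/var/lib/dpkg/info"), as root) the first pass will list a fair amount of unowned cruft: byte-compiled Python files, the symlinks that update-alternatives creates under /etc/alternatives, leftovers from removed packages. That is exactly the cruft the post suggests wrapping into local packages so that subsequent runs report only real surprises.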

This will be even easier with Ubuntu 11.04, which introduces .override files for Upstart jobs: the local customization of /etc/init/foo.conf goes into /etc/init/foo.override, so the conffile itself stays untouched and still matches its checksum. This makes it trivial to capture the customization of a system, at least for Upstart jobs: just grab all of the .override files. (Other conffiles still have to be edited in place.)

In practice there’s usually a bit of cruft but it’s easy to handle them with local packages.

At first glance this sounds like just a second way to implement 'tripwire', but there's a huge difference: provenance. If I use 'tripwire' I have no particular reason to trust the initial set of files. That's not the case with package metadata. If I'm lazy I'll just use the files under /var/lib/dpkg/info, but if I'm careful I'll pull the metadata from the binary package itself. It's easy: a Debian/Ubuntu package is just a Unix 'ar' archive with three members, a 'debian-binary' version marker, a compressed tarball of the metadata ('control.tar.gz', which holds the md5sums and conffiles lists along with the maintainer scripts) and a compressed tarball of the installed content ('data.tar.gz', or data.tar.xz in newer packages). If I'm really paranoid I'll verify the signatures as well. Note that individual .deb files are not normally signed: apt verifies the archive's GPG-signed Release file, whose hashes cover the Packages index, which in turn carries the hash of each .deb, so a package fetched through apt (or checked by hand against a verified Packages file) has a chain back to the archive signing key.

This approach isn't foolproof: a kernel rootkit or a compromised libc can lie to the checking tools themselves, so modified files go unreported. But it gives me better warm fuzzies than the traditional tripwire approach.

There's one other neat thing you can do with this approach. As I mentioned earlier, the binary package contains a compressed tarball of the static content, and every entry in that tarball records the mode, owner and group the file is installed with. You can use this to verify the ownership and permissions on all files. In practice you would only use it to check 'unusual' permissions, e.g., every SUID or SGID file: the packages tell you exactly which binaries are supposed to be setuid, so any other setuid file on the system is either unowned or modified.
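Here is the package-side half in Python, as an added example rather than the post's code: it reads the .deb's ar container directly, takes md5sums and conffiles from control.tar.gz instead of /var/lib/dpkg/info, checks them against data.tar.gz, and lists every SUID/SGID entry with the mode and owner the package intends. The package 'hello' it inspects is hypothetical and constructed in memory, with one binary deliberately altered after the md5sums were generated, as a repacked package would be; the parser assumes the classic ar layout dpkg-deb writes (short member names, no GNU long-name table).

```python
"""Pull integrity metadata straight out of a .deb instead of trusting /var/lib/dpkg/info.
Added example, not code from the original post. A .deb is a classic 'ar' archive with
three members: 'debian-binary' (the text "2.0"), 'control.tar.*' (maintainer scripts plus
the md5sums and conffiles lists) and 'data.tar.*' (the files to install, each recorded
with its mode, owner and group). The package inspected here is constructed in memory.
"""
import hashlib
import io
import tarfile

def ar_members(blob):
    """Parse a classic ar archive into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):                       # fixed 60-byte header per member
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar may append '/'
        size = int(hdr[48:58].decode("ascii"))
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                  # data is padded to an even length
    return members

def _norm(name):
    """'./usr/bin/x' (data.tar), 'usr/bin/x' (md5sums) and '/etc/x' (conffiles) -> 'usr/bin/x'."""
    return name[2:] if name.startswith("./") else name.lstrip("/")

def _control_text(tf, wanted):
    """Text of control member 'wanted' (e.g. 'md5sums'), or '' if the package lacks it."""
    hits = [ti for ti in tf.getmembers() if ti.isfile() and _norm(ti.name) == wanted]
    return tf.extractfile(hits[0]).read().decode("utf-8") if hits else ""

def inspect_deb(blob):
    """Check data.tar against the package's own md5sums and list SUID/SGID entries."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unexpected or missing debian-binary member")
    ctl = next(n for n in members if n.startswith("control.tar"))
    dat = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[ctl]), mode="r:*") as tf:
        md5lines = [ln.split(None, 1) for ln in _control_text(tf, "md5sums").splitlines() if ln.strip()]
        expected = {_norm(rel): digest for digest, rel in md5lines}
        conffiles = {_norm(ln) for ln in _control_text(tf, "conffiles").splitlines() if ln.strip()}
    report, seen = {"mismatch": [], "unlisted": [], "setuid": []}, set()
    with tarfile.open(fileobj=io.BytesIO(members[dat]), mode="r:*") as tf:
        for ti in tf.getmembers():
            path = _norm(ti.name)
            if ti.mode & 0o6000:                       # SUID or SGID: worth a second look
                report["setuid"].append((path, "%o" % ti.mode, ti.uname, ti.gname))
            if not ti.isfile():
                continue
            seen.add(path)
            actual = hashlib.md5(tf.extractfile(ti).read()).hexdigest()
            if path in expected and actual != expected[path]:
                report["mismatch"].append(path)
            elif path not in expected and path not in conffiles:   # conffiles are left out of md5sums
                report["unlisted"].append(path)
    report["missing"] = list(set(expected) - seen)
    return {kind: sorted(items) for kind, items in report.items()}

def _tar(entries):
    """In-memory gzipped tar from (name, data or None for a directory, mode), owned by root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, mode in entries:
            ti = tarfile.TarInfo(name)
            ti.mode, ti.uname, ti.gname = mode, "root", "root"
            ti.type, ti.size = (tarfile.DIRTYPE, 0) if data is None else (tarfile.REGTYPE, len(data))
            tf.addfile(ti, None if data is None else io.BytesIO(data))
    return buf.getvalue()

def _ar(members):
    """Classic ar archive from [(name, bytes)]; the inverse of ar_members()."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))).encode("ascii")
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def build_sample_deb():
    """Constructed package 'hello' (hypothetical, not a real Debian package)."""
    pristine, helper = b"#!/bin/sh\necho hello\n", b"#!/bin/sh\nid\n"
    md5sums = "%s  usr/bin/hello\n%s  usr/bin/su-lite\n" % (
        hashlib.md5(pristine).hexdigest(), hashlib.md5(helper).hexdigest())
    control = _tar([("./control", b"Package: hello\nVersion: 1.0\nArchitecture: all\n", 0o644),
                    ("./md5sums", md5sums.encode("ascii"), 0o644),
                    ("./conffiles", b"/etc/hello.conf\n", 0o644)])
    data = _tar([("./usr", None, 0o755), ("./usr/bin", None, 0o755), ("./etc", None, 0o755),
                 ("./usr/bin/hello", pristine + b"# repacked after build\n", 0o755),  # md5 no longer matches
                 ("./usr/bin/su-lite", helper, 0o4755),                                # SUID root
                 ("./etc/hello.conf", b"greeting=hello\n", 0o644)])
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])

if __name__ == "__main__":
    for kind, items in inspect_deb(build_sample_deb()).items():
        print(kind.upper(), items)
```

For a real package call inspect_deb(open("pkg.deb", "rb").read()); the md5sums it returns are the trusted baseline to feed the installed-system check, and the setuid list is the whitelist against which `find / -perm -4000` on the live system should be compared. `dpkg-deb --contents pkg.deb` prints the same modes and owners if you want to eyeball the result.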

Important reminder

An important reminder: you should not trust the standard find and md5sum programs on a system you suspect. At the least use statically linked copies, ideally from a read-only location such as a CD-ROM or an NFS mount exported read-only. The same goes for whatever interpreter your checking script runs under.

Categories
linux, security


One Response to “System Integrity Checks Using Debian/Ubuntu Package Metadata”

  1. A pain in the backdoor -- The importance of package integrity checks | Metafor Software says:
    January 3, 2014 at 2:34 am

    […] of your package manager to check integrity, but few take the time to set this up. Take a look at this blog by Bear Giles for a taste of what’s involved. As he mentioned: “At first glance this sounds […]

