>> The only thing that I have found about it is:
>> "DS Compare the system against a "known good" index of the installed
>> release.'"
>
> As well as freebsd-update(8), the FreeBSD base system includes
> mtree(8) - which can be used to generate and check file hashes. Other
> tools, such as tripwire, are available in the ports tree.
>
As far as I am informed FreeBSD generates the checksums right after
installation. However this is absolutely useless for a tool like
checkroot that aims at an online checksum verification.

> On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elms...@gmail.com> wrote:
>> I believe it would be highly desirable to have an online md5sum
>> verification for FreeBSD as this is already implemented by checkroot
>> (http://www.elstel.com/checkroot/) for openSUSE.
>
> You are welcome to adapt your tool to support FreeBSD and have it
> included in the ports system.

Could anyone help me in how to obtain online checksums (md5 or better
sha1) for the files of every installed package?

>
> That said, it's unclear that your tool offers any benefits over
> the freebsd-update(8) tool that is part of the FreeBSD base system.
>

You seem to be really ignorant about the issues I have pointed out
about online/offline checksums:

* offline checksums require some security tool having been installed in
  advance. Most users simply don't have tripwire or sth. else installed
  but are nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain: They require a full
  system verification in advance of any new update, followed by a new
  checksum backup. If you just forget that once you can throw your
  system away. Now do also think about applying a single update or
  about updating regularly, which should be recommended for reasons of
  security.

> Note that an
> intruder could equally easily modify the checkroot executable unless
> it is also stored on read-only media.

Yes, I have clearly pointed this out on my web site. The tool will of
course not be useful as long as it is not invoked from a boot CD.
Concerning me, I do always have a current boot CD handy - and be it
just for reinstalling the boot loader.
>
> I notice that your tool only appears to store MD5 hashes - I presume
> you are aware that the MD5 algorithm has been shown to have a number
> of weaknesses and is not recommended for new applications. This
> is why FreeBSD has moved to using a combination of MD5 and SHA256.

Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
for FreeBSD. For openSUSE I had to use what has been available.
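
The check discussed in this thread, comparing the files under a mounted root against a known-good index with a verifier run from trusted media, written in Python as an added example; it is not part of the original message and is not code from checkroot, mtree(8) or freebsd-update(8). The names file_digest, verify_root and demo, the manifest layout and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_root(root, manifest, algo="sha256"):
    """Check files under `root` (e.g. the disk mounted from a boot CD)
    against manifest = {relative path: expected hex digest}."""
    findings = {"modified": [], "missing": [], "unlisted": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        # A symlink or directory where a regular file is expected counts as missing.
        if os.path.islink(full) or not os.path.isfile(full):
            findings["missing"].append(rel)
        elif file_digest(full, algo) != expected:
            findings["modified"].append(rel)
    # Files present on disk but absent from the index are reported as well.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                findings["unlisted"].append(rel)
    findings["unlisted"].sort()
    return findings

def demo():
    """Constructed sample: a temp directory stands in for the mounted root."""
    known_good = {"bin/ls": b"ls-v1", "bin/sh": b"sh-v1", "bin/ps": b"ps-v1"}
    # The index is built from the known-good contents, not from the disk under test.
    manifest = {p: hashlib.sha256(d).hexdigest() for p, d in known_good.items()}
    on_disk = {"bin/ls": b"ls-v1-changed", "bin/sh": b"sh-v1", "bin/extra": b"x"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return verify_root(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the interpreter, the script and the manifest, so all three belong on the read-only boot medium or come from a source outside the system under test.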