Elmar Stellnberger wrote:
The only thing that I have found about it is:
"DS Compare the system against a "known good" index of the installed
release.'"
As well as freebsd-update(8), the FreeBSD base system includes
mtree(8) - which can be used to generate and check file hashes. Other
tools, such as tripwire, are available in the ports tree.
As far as I am informed, FreeBSD generates the checksums right after
installation. However this is absolutely useless for a tool like
checkroot that aims at an online checksum verification.
On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elms...@gmail.com>
wrote:
I believe it would be highly desirable to have an online md5sum
verification for FreeBSD as this is already implemented by checkroot
(http://www.elstel.com/checkroot/) for openSUSE.
You are welcome to adapt your tool to support FreeBSD and have it
included in the ports system.
Could anyone help me in how to obtain online checksums (md5 or better
sha1) for the files of every installed package?
That said, it's unclear that your tool offers any benefits over
the freebsd-update(8) tool that is part of the FreeBSD base system.
You seem to be really ignorant about the issues I have pointed out about
online/offline checksums:
* offline checksums require some security tool having been installed in
advance.
Most users simply don't have tripwire or something else installed but are
nonetheless possible targets for crackers.
* offline checksums are very tedious to maintain:
They require a full system verification in advance of any new update,
followed by a new checksum backup.
If you just forget that once, you can throw your system away.
Now do also think about applying a single update or about updating
regularly, which should be recommended for reasons of security.
Note that an
intruder could equally easily modify the checkroot executable unless
it is also stored on read-only media.
Yes, I have clearly pointed this out on my web site. The tool will of
course not be useful as long as it is not invoked from a boot CD.
Concerning me I do always have a current boot CD handy - and be it just
for reinstalling the boot loader.
I notice that your tool only appears to store MD5 hashes - I presume
you are aware that the MD5 algorithm has been shown to have a number
of weaknesses and is not recommended for new applications. This
is why FreeBSD has moved to using a combination of MD5 and SHA256.
Yes, we should use SHA-1 (or possibly a combination of SHA-1 and MD5)
for FreeBSD.
For openSUSE I had to use what has been available.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
all that is not to say it's a bad idea, just that people
are interested to see what the advantages are etc.