On Thu, 2010-03-11 at 09:13 -0800, Roger Marquis wrote:
> Elmar Stellnberger wrote:
> > I believe it would be highly desirable to have an online md5sum
> > verification for FreeBSD as this is already implemented by checkroot
>
> This is not difficult to do on a per-host basis using integrit, cron and
> optionally md5 with mail, ftp or scp.
>
> > (http://www.elstel.com/checkroot/) for openSUSE. This is often the only
> > way to spot an intrusion.
>
> Unlike SuSE and Solaris, FreeBSD is most often compiled on the local
> host. Wouldn't that make global checksums relatively useless?
>
The second most common way I have seen packages installed is off of one's own build server, with the "official" packages being used by people new to FreeBSD.

The thing that makes people love FreeBSD is that the source that compiled your program is right there and easy to get up to speed on to change things, with the Makefiles providing a lot of usually helpful hints.

Personally, a tripwire that was friendlier to website admins would be really nice, which this somewhat tries to be, but it fails in the sense that it does not deal with /etc/make.conf.

This might actually be a reasonable business model: free if you are using Debian/CentOS/openSUSE/"official" FreeBSD packages, and a small annual fee to host your own checksums.

I have about 2% of my Debian packages that would fail checksums because I modified the source before compiling them.

To make your problem worse when you leave the confines of openSUSE, there is a Debian utility called apt-build that fetches the pkg source, builds it and installs the deb, much like FreeBSD ports. You are going to have similar problems with Gentoo.

Binaries compiled -O vs -O2 produce different binaries. In the x86 world, you can make a binary compatible with processor N and higher, each of which produces a different checksum, for most, but not all, programs.

Tripwire has clearly not progressed very quickly, and is not used as much as it probably should be.

Also, the FreeBSD group tends to be pretty merciless in pointing out when you make a mistake (I made several with vinum). Don't be discouraged, but the problem is bigger than Elmar seems to have been assuming, but that is what makes life fun, right?

Micheas

> Roger Marquis
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

-- 
Habit is habit, and not to be flung out of the window by any man, but
coaxed down-stairs a step at a time.
                -- Mark Twain, "Pudd'nhead Wilson's Calendar"
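
The point raised in this thread, that locally compiled binaries will not match a distribution-wide checksum list, shown as an added example that is not part of the original messages: a file is accepted if it matches either the vendor manifest or a manifest taken on your own build server. SHA-256 is used here in place of md5, and the manifest layout, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    # Read in chunks so large binaries are not loaded into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def classify(root, official, local):
    """Check the live tree against the vendor manifest, then the local one."""
    live = build_manifest(root)
    report = {}
    for name, digest in live.items():
        if official.get(name) == digest:
            report[name] = "official"
        elif local.get(name) == digest:
            report[name] = "local-build"
        elif name in official or name in local:
            report[name] = "MISMATCH"      # known file, unknown content
        else:
            report[name] = "UNTRACKED"     # file in neither manifest
    for name in (set(official) | set(local)) - set(live):
        report[name] = "MISSING"
    return report

def demo():
    """Constructed sample tree; file contents stand in for real binaries."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin/ls").write_bytes(b"ls, vendor package")
        (root / "bin/httpd").write_bytes(b"httpd, built -O2 via make.conf")
        (root / "bin/sshd").write_bytes(b"sshd, built on own build server")
        official = {n: digest(b) for n, b in [("bin/ls", b"ls, vendor package"),
                    ("bin/httpd", b"httpd, vendor -O build"), ("bin/cat", b"cat")]}
        local = {k: v for k, v in build_manifest(root).items() if k != "bin/ls"}
        (root / "bin/sshd").write_bytes(b"sshd, replaced after baseline")
        (root / "bin/extra").write_bytes(b"added after baseline")
        return classify(root, official, local)
```

The local manifest is only as trustworthy as where it is stored, so keep it off the host being checked, for example on the build server.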