subject: (Fwd) Re: clean binaries
posted: Thu, 30 Nov 2000 19:20:38 -0000


On using crash dumps as a forensics technique.

------- Forwarded message follows -------
Date sent: Tue, 7 Nov 2000 16:40:36 -0500
Send reply to: //Stany <[email protected]>
From: //Stany <[email protected]>
Subject: Re: clean binaries
Originally to: pW <[email protected]>
To: [email protected]

On Mon, 6 Nov 2000, pW wrote:

> Hello all...
>
> What is the best way to make a disk full of clean binaries so that
> should a machine be compromised you can use system binaries that you
> know are clean as opposed to using the ones on the system that may
> be compromised. Basically I am looking for the best way to get a CD
> full of binaries such as ifconfig, ps, login, and so on... the
> systems are already in production so I would prefer getting them
> from somewhere else because I don't want to assume that these
> systems are completely clean.

Hrm.
One thing I have to point out is that ideally you would want
statically compiled binaries. If that's not possible at all (statically
compiling under Solaris can sometimes be a pain), make sure to
have some sort of script that would set LD_PRELOAD to the
directory on CD where you have placed the libraries.

Besides the library routines that can be compromised, don't forget
about the kernel loadable modules. Even if you have a non-patched ps
and non-patched libc that the cracker has not modified, what
prevents him from convincing your kernel to lie to your innocent,
uncorrupted binaries? ;-)

On some systems, like on Solaris SPARC, it might be easier to just
force a kernel crash dump to dump the entire memory snapshot to disk,
and boot off a custom made cd, or even just an external hard drive
with all the tools, and recover the crash dump from the swap partition
on the original boot drive.

> Is it best to get these from the installation media that was used to
> install all of the systems?

Depends. Again, if you applied patches to the system after it has
been installed, or ever ran "make world", you are likely not to have
the same binaries on the hard drive as were installed. *shrug* So it
might just make sense to have the most current ones at the time you
made the CD.

If you are hoping to do a comparison, using md5sum or sum of the
checksums of the binaries on the hard drive against the ones on CD,
it's not going to help much either if you patched or rebuilt the
system and did not keep your CD up to date. However, if you use
Solaris, not everything is lost, as Sun does have a database of
fingerprints on-line at
<http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl>, thanks to
Casper Dik, Alec Muffett & Vasanthan Dasan.

So my recommendation would be to use an external bootable hard drive[0]
on the systems that do support detach/reattach of the SCSI devices
(Solaris/SPARC[1], OpenBSD/sparc) and modified environment variables,
taking a snapshot of the memory through a crash dump on the systems
that support it (Solaris/OpenBSD), and using post-mortem tools like
lsof, adb, Sun's internal "act", and heck, even "strings" on the crash
dump image. The benefit of writable media here would be the
convenience and the flexibility it offers. After the basic
assessment is done, just reboot and boot off the external drive,
and use all the custom tools to poke at the memory image and find the
bits you like, while making sure that your filesystem on the hard
drive is intact and was not modified in any way. If you are going
for an RCMP (Canuckian police) intervention, and want to get at the
one who got into your systems, make sure that when examining your
compromised filesystems, you mount them read-only, to minimize any
potential modifications to the files.

For the systems that are dumber, or do not support crash dumps (Linux),
well, a CD is your best option, as long as you remember to preload the
libraries that are on the CD. That, and lots of luck.

> any help would be appreciated!
>
> thanks

> shawn
>

HTH. HAND.

Signed:
//Stany

[0] This is one area where Macintoshes are much more convenient than
anything else - it's darn easy to create a folder, copy the "System"
suitcase and the "Finder" into it, and have a bootable system.
Especially if you remember to select "Install support for any
Macintosh" at the time of the installation, as then you can boot any
Mac that that OS revision supports off that hard drive.

[1] For those of you who are not sure how to re-create device
entries on Solaris short of "boot -r", take a peek into
/etc/init.d/{drvconfig|devlinks}



--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+--------+ My words are my own. LARTs are provided free of charge. +---------+


------- End of forwarded message -------
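An added example, not part of Stany's message or the original thread: a
POSIX shell script for the checksum comparison the message discusses. It
builds a manifest from a known-clean tree (the CD or external drive) and
then verifies a suspect tree against it, reporting files that are modified
or missing. The directory names, the manifest layout and the optional
TRUSTED_BIN variable are assumptions made for this example. The script
deliberately relies on PATH for its hash tool, so run it with PATH (and,
for dynamically linked tools, LD_LIBRARY_PATH, which is the variable that
takes a directory of libraries; LD_PRELOAD names specific library files)
pointed at the clean media before the suspect system's own md5sum or
sha256sum can be picked up.

```shell
#!/bin/sh
# Added example (not from the original message): verify a suspect tree
# against a checksum manifest built from known-clean media.
# Assumptions: PATH already points at the clean media; TRUSTED_BIN, if set,
# is the directory the hash tool is expected to live in.

# Pick a hash tool from PATH: sha256sum where available, md5sum otherwise.
# If TRUSTED_BIN is set, warn when the tool resolves outside it, since a
# hash tool taken from the compromised system proves nothing.
hash_tool() {
    for t in sha256sum md5sum; do
        path=$(command -v "$t" 2>/dev/null) || continue
        if [ -n "${TRUSTED_BIN:-}" ]; then
            case "$path" in
                "$TRUSTED_BIN"/*) ;;
                *) echo "warning: $t resolved to $path, not under $TRUSTED_BIN" >&2 ;;
            esac
        fi
        echo "$t"
        return 0
    done
    echo "no sha256sum or md5sum found in PATH" >&2
    return 1
}

# make_manifest CLEAN_ROOT MANIFEST
# Writes "<hash>  <relative path>" for every regular file under CLEAN_ROOT,
# sorted by path so two manifests can be diffed directly.
make_manifest() {
    clean_root=$1; manifest=$2
    tool=$(hash_tool) || return 1
    ( cd "$clean_root" && find . -type f -exec "$tool" {} + ) \
        | LC_ALL=C sort -k2 > "$manifest"
}

# verify_manifest SUSPECT_ROOT MANIFEST
# Prints one line per problem ("MODIFIED <path>" or "MISSING  <path>") and
# returns the number of problems found (0 means every file matched).
verify_manifest() {
    suspect_root=$1; manifest=$2
    tool=$(hash_tool) || return 1
    bad=0
    while read -r expected path; do
        file="$suspect_root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$("$tool" "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Usage, with the clean media on /cdrom and the suspect root mounted
# read-only on /mnt/suspect (both paths are assumptions):
#   PATH=/cdrom/bin TRUSTED_BIN=/cdrom/bin make_manifest /cdrom/root /tmp/manifest
#   PATH=/cdrom/bin TRUSTED_BIN=/cdrom/bin verify_manifest /mnt/suspect /tmp/manifest
```

The manifest only catches files that differ from the clean tree, so a
system that was patched or rebuilt after the media was made will show
every updated binary as MODIFIED; rebuild the manifest from current
media before trusting the report. Mount the suspect filesystem with `-o ro`
before running the check so the examination itself changes nothing.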

---
* Origin: [adminz] tech, security, support (192.168.0.2)

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:58
