Section 15.7 Store the RPM Database Checksums


The Red Hat Package Manager, RPM, has a very useful feature for validating all the files in the installed packages: it compares their permissions, ownership, and MD5 checksums to those recorded in RPM's database. You will find this feature handy if you later suspect a compromise, but only if the rpm binary and the database it reads have not themselves been tampered with. Rather than spending hours restoring the RPM database from backup at 3 A.M. the night before your daughter is in her first play, prepare this in advance. (MD5 is no longer collision resistant, and newer rpm versions record SHA-256 file digests; for a manifest you write yourself, sha256sum is the better choice today. The procedure is the same either way.) Pop a floppy in the drive and issue the following commands:

 rmdir /mnt2
 ln -s / /mnt2
 md5sum /mnt2/bin/rpm /mnt2/var/lib/rpm/* > /rpm.md5
 /bin/rm /mnt2
 tar -cvf /dev/fd0 /rpm.md5
 mkdir /mnt2
 chmod 755 /mnt2

The reason for the /mnt2 business is that once you suspect the system has been compromised, you will not trust any file on it and so will have booted from Rescue Disks. Part IV of this book gives the step-by-step recovery procedure; one phase of it is to mount the normal root file system as /mnt2, so the pathnames recorded in rpm.md5 are exactly the ones md5sum -c will see from the rescue system.


Pop the floppy out, write-protect it, label it, sign it (important because someone will be trusting it later), and date it. To see what the heck I am talking about, see "Speeding Up the Check with RPM" on page 700. If you plan to use this useful and easy technique, test it before that 3 A.M. page, like anything else you want to work when you need it. Rather than taking your real system down, experiment first on a test system. For the first tests you do not even need to reboot, because this is a fine use of chroot.
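As an added example (mine, not code from the book), here is the snapshot above and its later verification written as shell functions that can be rehearsed on a scratch directory, which is the pre-3 A.M. test the paragraph asks for. It generalises the book's procedure slightly: digests are recorded with paths relative to the root rather than hard-wired to /mnt2, so the manifest verifies from a rescue system whatever mount point you use. The bin/rpm and var/lib/rpm locations and the stand-in files the rehearsal creates are assumptions of mine, not taken from the page.

```sh
#!/bin/sh
# Added example (mine, not code from the book): the section 15.7 snapshot and
# its later verification as reusable functions, so the whole thing can be
# rehearsed on a scratch tree before the real 3 A.M. need. Assumptions: the
# rpm binary sits at bin/rpm and the database under var/lib/rpm below the root
# you pass in, and GNU or busybox md5sum is available.

# snapshot_rpmdb ROOT MANIFEST
#   Record digests of the rpm binary and every file in the rpm database.
#   Paths are stored relative to ROOT ("./bin/rpm", "./var/lib/rpm/Packages"),
#   which generalises the book's /mnt2 symlink trick: the manifest checks out
#   from a rescue system no matter where the suspect root gets mounted.
#   MANIFEST must be an absolute path because we cd into ROOT first.
snapshot_rpmdb() {
    root=$1
    manifest=$2
    ( cd "$root" && md5sum ./bin/rpm ./var/lib/rpm/* ) > "$manifest"
}

# verify_rpmdb ROOT MANIFEST
#   Re-check every manifest entry against the tree under ROOT (from the rescue
#   system ROOT would be /mnt2). One line per file; exit status is non-zero if
#   any file is missing or its digest changed.
verify_rpmdb() {
    root=$1
    manifest=$2
    ( cd "$root" && md5sum -c "$manifest" )
}

# count_failures ROOT MANIFEST
#   Number of manifest entries that no longer match. 0 means this copy of rpm
#   and its database can be trusted to drive "rpm -Va" during recovery.
count_failures() {
    verify_rpmdb "$1" "$2" 2>/dev/null | grep -c FAILED || true
}

# rehearse
#   Dry run on a throw-away tree of constructed stand-ins for /bin/rpm and the
#   database files: snapshot, then trojan the rpm binary and alter one database
#   file, and confirm that exactly those two entries are flagged.
rehearse() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/bin" "$scratch/var/lib/rpm"
    printf 'stand-in for /bin/rpm\n'         > "$scratch/bin/rpm"
    printf 'stand-in for rpm Packages db\n'  > "$scratch/var/lib/rpm/Packages"
    printf 'stand-in for rpm Basenames db\n' > "$scratch/var/lib/rpm/Basenames"
    snapshot_rpmdb "$scratch" "$scratch/rpm.md5"
    before=$(count_failures "$scratch" "$scratch/rpm.md5")
    printf 'trojaned rpm\n' > "$scratch/bin/rpm"      # attacker swaps rpm
    printf 'x' >> "$scratch/var/lib/rpm/Packages"     # and edits the database
    after=$(count_failures "$scratch" "$scratch/rpm.md5")
    rm -rf "$scratch"
    echo "mismatches before tampering: $before, after tampering: $after"
    [ "$before" -eq 0 ] && [ "$after" -eq 2 ]
}

rehearse
```

On the live system the real calls would be snapshot_rpmdb / /rpm.md5 followed by copying the manifest to the write-protected floppy; on the rescue system, after mounting the suspect root, verify_rpmdb /mnt2 /path/to/rpm.md5. Only if that passes is the rpm -Va run that follows worth anything.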

15.7.1 Custom Rescue Disks

The root disk of a rescue disk set is a gzipped file system image. To create your own rescue disk world for testing the custom rescue disks you are building, pop the root rescue disk into the floppy drive and issue these commands as root. It is assumed that there is an empty directory at /mnt2. The loopback device is used to mount an ordinary file as a file system. Nothing discussed here is specific to Red Hat and its derivatives except rpm itself. In this exercise you are adding md5sum to your rescue disk, but the same technique adds anything else a rescue disk might need. Note the "/." at the end of /mnt2/usr/bin: if that directory does not exist, cp fails instead of silently creating a file named /mnt2/usr/bin that contains the copy.

Space is very limited, however, so you might need to remove programs that you will not need, though this must be done carefully. If you want to add more than a few things, it is better to put them on a separate tar-format floppy and extract them into the RAMDISK after booting. Note that the second argument to chroot is the pathname of the program to run, interpreted relative to the new root, and that the chroot(2) system call itself does not change the working directory (the GNU chroot command does a cd / for you afterwards, but do not count on every implementation doing so), which is why the example does cd /mnt2 first.

 cd /root
 dd bs=9k if=/dev/fd0 | gunzip > rescue
 mount /root/rescue /mnt2 -o loop
 cp /usr/bin/md5sum /mnt2/usr/bin/.
 cd /mnt2
 $SHELL
 chroot /mnt2 /bin/sh
 /usr/bin/md5sum
 /usr/bin/md5sum: not found
 ls -l /usr/bin/md5sum
 -rwxr-xr-x 1 root root 26304 Jun  1 22:31 /usr/bin/md5sum
 exit

Rats. When the executable is there but fails to run with an error message of "not found", the problem is frequently a dynamic-linking one: a missing dynamic library, or, as the wording of the error suggests, a missing dynamic loader (ld-linux.so), since when the loader a binary names is absent the exec itself fails with ENOENT and the shell reports it exactly as if the program did not exist. This is why we are doing this testing. Note, too, the use of $SHELL to get a subshell for chroot testing, so that leaving the chrooted shell drops you back into a root shell without having to su again (or use a root chroot exploit). Running

 ldd /usr/bin/md5sum

then showed that this rescue disk was built with a slightly older dynamic libc. The solution in this case is to consult the Linux Administrators Guide and build some up-to-date rescue disks, link md5sum against the older library, or build a statically linked md5sum, which carries no libc dependency at all. When you are ready to build your custom rescue disk root floppy, after having added md5sum and having exited out of the chrooted shell, the following will work:

 cd /root
 umount /mnt2
 gzip rescue
 dd bs=9k if=rescue.gz of=/dev/fd0
 cmp rescue.gz /dev/fd0

Because the floppy is larger than the image, cmp reads to the end of rescue.gz and then reports "EOF on rescue.gz"; that is expected. Any byte difference reported before that point means a bad write, and the floppy should be written again.
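The "not found" failure above is the case a dependency check should catch before you chroot. As an added example (mine, not from the book), here is a small shell check that parses ldd output and reports every shared object or dynamic loader the rescue root is missing. The line formats it parses are the usual GNU ldd ones, the sample ldd output is constructed for the demo, and the library paths are assumptions; a library that exists but is older than what the binary expects, which is what the text actually hit, still needs the chroot test run.

```sh
#!/bin/sh
# Added example (mine, not from the book): the check that would have caught the
# "not found" surprise before chrooting. Given ldd output for the binary you
# are about to copy in, list every shared object, dynamic loader included, that
# does not exist under the rescue root. Assumptions: ldd prints the usual
# GNU-style lines ("name => /path (0x...)", "/path (0x...)", "name => not
# found") and the rescue root is a directory such as the loop-mounted /mnt2.

# missing_libs RESCUE_ROOT   (reads ldd output on stdin)
#   Prints one line per library the rescue root lacks. The vDSO entry
#   ("linux-vdso.so.1 (0x...)") carries no path and is skipped.
missing_libs() {
    root=$1
    while read -r line; do
        case $line in
            *'=> not found'*) echo "${line%% =>*}"; continue ;;  # host lacks it too
            *'=>'*)           path=${line#*=> } ;;  # libc.so.6 => /lib/libc.so.6 (0x...)
            /*)               path=$line ;;         # /lib/ld-linux.so.2 (0x...)
            *)                continue ;;           # vdso or "not a dynamic executable"
        esac
        path=${path%% (*}                           # drop the "(0x...)" load address
        [ -e "$root$path" ] || echo "$path"
    done
}

# check_rescue_deps BINARY RESCUE_ROOT
#   Run ldd on the host's copy of BINARY and report what RESCUE_ROOT lacks.
#   Limit to keep in mind: a library that is present but older than the one
#   the binary was linked against (the case in the text) passes this check and
#   only fails as a symbol-version error when test-run under chroot. A
#   statically linked binary sidesteps both problems.
check_rescue_deps() {
    missing=$(ldd "$1" | missing_libs "$2")
    if [ -n "$missing" ]; then
        printf 'missing under %s:\n%s\n' "$2" "$missing"
        return 1
    fi
    echo "all shared objects needed by $1 exist under $2"
}

# Constructed ldd output (not captured from a real system) for the demo below.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc3b5f0000)
    libc.so.6 => /lib/libc.so.6 (0x00007f2a1c000000)
    /lib/ld-linux.so.2 (0x00007f2a1c200000)
    libcrypto.so.3 => not found'

# demo
#   Build a scratch "rescue root" that has libc but no dynamic loader and run
#   the sample through missing_libs: expect ld-linux.so.2 and libcrypto.so.3.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib"
    : > "$root/lib/libc.so.6"
    printf '%s\n' "$SAMPLE_LDD" | missing_libs "$root"
    rm -rf "$root"
}

demo
```

Before the cp step above, run check_rescue_deps /usr/bin/md5sum /mnt2. If it lists the loader or libc, you already know the binary will fail under chroot, and either a build against the older library or a static md5sum is the way out.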



Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.