Security Incidents mailing list archives

Re: clean binaries


From: //Stany <stany () NOTBSD ORG>
Date: Tue, 7 Nov 2000 16:40:36 -0500

On Mon, 6 Nov 2000, pW wrote:

> Hello all...
>
> What is the best way to make a disk full of clean binaries so that should
> a machine be compromised you can use system binaries that you know are
> clean as opposed to using the ones on the system that may be
> compromised. Basically I am looking for the best way to get a CD full of
> binaries such as ifconfig, ps, login, and so on... the systems are already
> in production so I would prefer getting them from somewhere else because I
> don't want to assume that these systems are completely clean.

Hrm.
One thing I have to point out is that ideally you would want statically
compiled binaries.  If that's not possible (statically compiling under
Solaris can sometimes be a pain) at all, make sure to have some sort of
script that would set LD_PRELOAD to the directory on CD where you have
placed the libraries.

Besides the library routines that can be compromised, don't forget about
the kernel loadable modules.  Even if you have a non-patched ps, and
non-patched libc, that the cracker has not modified, what prevents him
from convincing your kernel to lie to your innocent, not corrupt binaries?
;-)

On some systems, like on Solaris SPARC, it might be easier to just force a
kernel crash dump to dump the entire memory snapshot to disk, and boot off
a custom-made CD, or even just an external hard drive with all the tools,
and recover the crash dump from the swap partition on the original boot
drive.

> Is it best to get these from the installation media that was used to
> install all of the systems?

Depends.  Again, if you applied patches to the system after it has been
installed, or ever did a "make world", you are likely to not have on the hard
drive the same binaries as were installed.  *shrug*  So it might just make
sense to have the most current at the time you made the CD.

If you are hoping to do a comparison, using md5sum or sum of the
checksums of the binaries on the hard drive against the ones on CD, it's
not going to help much either if you patched or rebuilt the system, and did
not keep your CD up to date.  However if you use Solaris, not everything
is lost, as Sun does have a database of fingerprints on-line at
<http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl>, thanks to Casper
Dik, Alec Muffett & Vasanthan Dasan.

So my recommendation would be to use an external bootable hard drive[0] on
the systems that do support detach/reattach of the SCSI devices
(Solaris/SPARC[1], OpenBSD/sparc) and modified environment variables, and
taking a snapshot of the memory through a crash dump on the systems that
support it (Solaris/OpenBSD), and using post-mortem tools, like lsof, adb,
Sun's internal "act", and heck, even "strings" on the crash dump image.
The benefit of writable media here would be the convenience and the
flexibility it offers.   After the basic assessment is done, just
reboot and boot off the external drive, and use all the custom tools to
poke the memory image and find the bits you like, while making sure that
your filesystem on the hard drive is intact, and was not modified in any
way.   If you are going for an RCMP (Canuckian police) intervention, and
want to get at the one who got into your systems, make sure that when
examining your compromised filesystems, you mount them read only, to
minimize any potential modifications to the files.

For the systems that are dumber, or do not support crashdumps (Linux),
well, a CD is your best option, as long as you remember to preload the
libraries that are on CD.  That, and lots of luck.

> any help would be appreciated!
>
> thanks
>
> shawn


HTH. HAND.

Signed:
//Stany

[0] This is one area where Macintoshes are much more convenient than
anything else - it's darn easy to create a folder, copy the "System"
suitcase and the "Finder" into it, and have a bootable system.  Especially
if you remember to select "Install support for any Macintosh" at the time
of the installation, as then you can boot any Mac that that OS revision
supports off that hard drive.

[1] For those of you who are not sure how to re-create device entries
on Solaris short of "boot -r", take a peek into
/etc/init.d/{drvconfig|devlinks}



--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+--------+ My words are my own.  LARTs are provided free of charge. +---------+
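Added example (mine, not code from Stany's post or from the list): the three mechanical pieces the reply above leans on, as shell functions you can drop onto the tools CD or external drive. It assumes a kit layout of my own choosing ($KIT/bin for the statically linked tools, $KIT/lib for any shared libraries they still need), a manifest kept outside the kit so it can be burned or signed separately, and paths without whitespace. The environment-scrubbing helper sets LD_LIBRARY_PATH, which takes a directory; LD_PRELOAD takes a list of library files, so it is not what you want for "point at the libraries on the CD". The static-linkage check uses file(1) rather than ldd(1), because ldd may hand a suspect binary to its dynamic loader and execute it.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for a trusted-tools kit.
# Assumed layout (my own convention): $KIT/bin for static binaries, $KIT/lib for
# any shared libraries they still need; the manifest lives OUTSIDE the kit.
# Paths inside the kit are assumed to contain no whitespace.

# Hash a file with whatever SHA-256 tool this userland provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# 0 = statically linked ELF, 1 = dynamically linked ELF, 2 = not ELF / undetermined.
# file(1) only parses headers; ldd(1) may hand the binary to the dynamic loader,
# which is exactly what you do not want to do to a suspect executable.
is_static() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = "177ELF" ] || return 2
    command -v file >/dev/null 2>&1 || return 2
    file -L "$1" | grep -Eq 'statically linked|static-pie linked'
}

# Write "<sha256>  <relative path>" for every regular file under the kit.
# Keep the output outside the kit (and ideally sign it) so it is not part of
# what it attests to.
build_manifest() {
    kit=$1
    out=$2
    (
        cd "$kit" || exit 1
        find . -type f | LC_ALL=C sort | while read -r f; do
            f=${f#./}
            printf '%s  %s\n' "$(digest "$f")" "$f"
        done
    ) > "$out"
}

# Re-hash every manifest entry; print MODIFIED/MISSING lines, return 1 if any.
verify_manifest() {
    kit=$1
    manifest=$2
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$kit/$path" ]; then
            echo "MISSING  $path"
            bad=1
        elif [ "$(digest "$kit/$path")" != "$want" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Run a tool from the kit with a scrubbed environment: env -i drops everything
# the (possibly attacker-influenced) login shell exported, then PATH and
# LD_LIBRARY_PATH point only at the kit. LD_LIBRARY_PATH takes a directory;
# LD_PRELOAD would take a list of library files, so it is not used here.
run_trusted() {
    kit=$1
    shift
    env -i PATH="$kit/bin" LD_LIBRARY_PATH="$kit/lib" "$@"
}

# Usage sketch (hypothetical paths):
#   build_manifest /mnt/kit /root/kit.sha256      # at CD-mastering time
#   verify_manifest /mnt/kit /root/kit.sha256     # before trusting the kit
#   is_static /mnt/kit/bin/ps && run_trusted /mnt/kit ps -ef
```

When you do get to the suspect disk from the clean boot, the post's "mount them read only" is `mount -o ro`; adding `noexec,nosuid,nodev` (my addition, beyond what the post says) also keeps you from accidentally executing anything that lives on it while you poke around.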

