Plugin to check MD5 sum on certain files

Andreas Ericsson ae at op5.se
Sat Nov 6 14:03:52 CET 2004


Dan Stromberg wrote:
> On Fri, 2004-11-05 at 16:47, Andreas Ericsson wrote:
> 
>>Dan Spray wrote:
>>
>>>A long time ago I used Big Brother for monitoring.  They had a check that I
>>>could use where I had pasted the md5sum value into a text file, burned it
>>>onto CD and then the current md5sum of a particular file was checked against
>>>the known good copy.  I would like to get something else like this again
>>>only using Nagios.
>>>
>>>What I am after is that if someone gets in and changes, say, the /bin/ls command,
>>>I would know about it before just finding that the command doesn't work
>>>anymore.
>>>
>>
>>Putting only the checksum files on non-writable media is just an 
>>exercise in futility, because anyone shrewd enough to replace your ls 
>>will be shrewd enough to replace your md5sum program as well. Putting 
>>the md5sum program as well on the disk won't work either, because with 
>>enough access to overwrite files in /usr/bin they would also be able to 
>>change the script that's supposed to run or its configuration, or 
>>unmount the CD and put any file they want in the directory it was 
>>mounted under (or create a loopback filesystem and mount read-only to 
>>simulate a CD) or... Well, I'm sure you see the point.
> I believe this would be difficult - generating a trojaned ls with the
> same md5 sum.  md5 is designed to distribute small bits of a file, from
> all over within that file, across different parts of the digest.

You're attacking the wrong end of the problem. If someone can trojan 
some of your binaries, they can trojan ALL your binaries (assuming 
you're not a complete idiot who has given write permissions away on 
some of your $PATH directories to non-root users).

A trojaned md5sum program would not report the proper md5sum, but rather 
some hardcoded value which the attacker retrieves from the 'real' ls and 
compiles into the new md5sum program. If you can't trust one root-owned 
mode 755 binary, you can't trust any other either. It's as simple as that.

> It's not like you can just assume a one to one mapping, or tack some
> crud on the end.

I know perfectly well how md5 hashing works. I also know that what 
you're trying to implement is utterly useless unless you run everything 
off some non-writable media. It just won't work. Worse, it will create a 
false sense of security, so a possible attacker can hang on to your 
system for a much longer period once properly compromised.

> Granted, md5 has been broken in limited circumstances for cryptographic
> purposes.

There is one known collision, yes.

> But if you were to combine md5 -and- sha-1, it'll be a -very- long time
> before anyone forges a trojan with the magic digests.

Not if the magic digests are reported falsely from a trojaned checksum 
creation program.

If you still don't see my point, sit down with a security expert of your 
choice and have them explain it to you.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
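As an added illustration of the kind of Nagios plugin the thread is discussing (example code, not from this thread, from Nagios or from any Big Brother check): a check that compares listed files against a baseline of md5 and sha1 digests and exits with Nagios status codes. As the reply above argues, the result is only meaningful when the checker, its baseline and the hashing code it relies on come from media the attacker cannot write to, or the check runs from a separate trusted host. The baseline line format and the script name check_md5sha1.py are assumptions of the example.

```python
import hashlib
import os
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def digests(data):
    """Return (md5, sha1) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def read_file(path):
    """Return a file's bytes (whole file; fine for binaries like /bin/ls), or None if absent."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def parse_baseline(text):
    """Parse assumed '<md5>  <sha1>  <path>' lines; blanks and '#' comments are skipped."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            md5, sha1, path = line.split(None, 2)
            baseline[path] = (md5, sha1)
    return baseline


def check_files(baseline, read=read_file):
    """Compare each listed file with its baseline; a missing file or mismatch is CRITICAL."""
    bad = []
    for path, expected in baseline.items():
        data = read(path)  # `read` is injectable so the logic can run on constructed data
        if data is None:
            bad.append(f"{path}: missing")
        elif digests(data) != expected:
            bad.append(f"{path}: md5/sha1 mismatch")
    if bad:
        return CRITICAL, "CRITICAL - " + "; ".join(bad)
    return OK, f"OK - {len(baseline)} file(s) match baseline"


if __name__ == "__main__":
    # Usage: check_md5sha1.py /path/to/baseline.txt  (baseline kept on trusted media)
    with open(sys.argv[1]) as fh:
        code, message = check_files(parse_baseline(fh.read()))
    print(message)
    sys.exit(code)
```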
