Security Incidents mailing list archives

Re: clean binaries


From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Tue, 7 Nov 2000 13:05:41 -0800

On Mon, 6 Nov 2000, pW wrote:

What is the best way to make a disk full of clean binaries so that
should a machine be compromised you can use system binaries that you
know are clean as opposed to using the ones on the system that may be
compromised. Basically I am looking for the best way to get a CD full of
binaries such as ifconfig, ps, login, and so on... the systems are
already in production so I would prefer getting them from somewhere else
because I don't want to assume that these systems are completely clean.

        First and foremost, any such binaries should be static binaries.
That said, the method I use is thus:

        1.      Get trusted media for the OS in question.

        2.      Get a trusted compiler (*slight pause while Solaris
                users groan*).

        3.      Get trusted source tarballs.

        4.      Install OS, compiler and load tarballs on a non-networked
                machine.

        5.      Compile your favorite utilities and install.

        6.      Run tripwire[1] on the system and get the hashes on all
                necessary binaries.  (Store on a floppy, PGP-sign the
                contents, copy and write-protect the floppy.)

        7.      Copy all needed binaries to a selected directory and
                burn a copy of that directory's contents to CD-ROM.

        You may also wish to look into The Coroner's Toolkit by Dan Farmer
and Wietse Venema.  See http://www.porcupine.org/forensics/ for more info.

        As an alternative approach, you could always dd the drives of the
breached system and inspect the data by mounting that drive to your
forensics system.

- -Jay

[1]  The Advanced Intrusion Detection Environment (AIDE) or CryptoMark
     (I'd love to get my hands on even a Beta copy of that!) will also
     suffice.

   (                                                              ______
   ))   .--- "There's always time for a good cup of coffee" ---.   >===<--.
 C|~~| (>-------- Jay D. Dyson -- jdyson () treachery net --------<) |   = |-'
  `--'  `----------- My other car is a Sparc Ultra. -----------'  `-----'
