Security Incidents mailing list archives
Re: clean binaries
From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Tue, 7 Nov 2000 13:05:41 -0800
On Mon, 6 Nov 2000, pW wrote:
What is the best way to make a disk full of clean binaries so that should a machine be compromised you can use system binaries that you know are clean as opposed to using the ones on the system that may be compromised. Basically I am looking for the best way to get a CD full of binaries such as ifconfig, ps, login, and so on... the systems are already in production so I would prefer getting them from somewhere else because I don't want to assume that these systems are completely clean.
First and foremost, any such binaries should be static binaries. That said, the method I use is thus:

1. Get trusted media for the OS in question.
2. Get a trusted compiler (*slight pause while Solaris users groan*).
3. Get trusted source tarballs.
4. Install OS, compiler and load tarballs on a non-networked machine.
5. Compile your favorite utilities and install.
6. Run tripwire[1] on the system and get the hashes on all necessary binaries. (Store on a floppy, PGP-sign the contents, copy and write-protect the floppy.)
7. Copy all needed binaries to a selected directory and burn a copy of that directory's contents to CD-ROM.

You may also wish to look into The Coroner's Toolkit by Dan Farmer and Wietse Venema. See http://www.porcupine.org/forensics/ for more info.

As an alternative approach, you could always dd the drives of the breached system and inspect the data by mounting that drive to your forensics system.

-Jay

[1] The Advanced Intrusion Detection Environment (AIDE) or CryptoMark (I'd love to get my hands on even a Beta copy of that!) will also suffice.
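One way to carry out the hashing and later verification steps above on the built kit, as an added shell example that is not from the original post: it records a SHA-256 manifest of the kit directory (in place of tripwire's database), checks a copy against it, and flags binaries that are still dynamically linked. It assumes GNU coreutils (sha256sum, find, sort, awk) and uses ldd only where present.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU coreutils;
# ldd is optional and only used for the static-linkage check.

# list_dynamic DIR: print binaries in DIR that are dynamically linked.
# A "clean" ps or ls that still loads libc from the compromised host
# inherits whatever the intruder put there, so these should be rebuilt.
list_dynamic() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not found, static check skipped" >&2; return 0; }
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # glibc wording for static ELF files; musl's ldd prints something else
        ldd "$f" 2>&1 | grep -q 'not a dynamic executable' || basename "$f"
    done
}

# make_manifest DIR MANIFEST: one "hash  ./name" line per regular file,
# sorted so two manifests of the same tree compare byte-for-byte.
# Sign the result out of band (the post uses PGP) and keep it read-only.
make_manifest() {
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$out"
    chmod a-w "$out"
}

# verify_manifest DIR MANIFEST: report files whose hash changed, files that
# disappeared, and files present in DIR but absent from the manifest.
# Returns 0 only when the tree matches the manifest exactly.
verify_manifest() {
    man=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    bad=0
    # sha256sum -c prints "name: FAILED" for altered or missing files
    if ( cd "$1" && sha256sum -c "$man" 2>/dev/null ) | grep -v ': OK$'; then
        bad=1
    fi
    # anything on the copy that the trusted build never produced
    extra=$( ( cd "$1" && find . -type f ) | LC_ALL=C sort |
        while read -r f; do
            awk -v n="$f" '$2 == n { ok = 1 } END { exit !ok }' "$man" || echo "$f: UNLISTED"
        done )
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        bad=1
    fi
    return $bad
}
```

Run make_manifest on the kit directory before burning, and verify_manifest on the mounted CD (or a copy of it) before trusting it during an incident.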