Mike Denka wrote:
> Thanks for all the responses to my original query. It's pretty clear
> that I missed the md5 encryption on newer versions of Red Hat which is
> what got me sweating in the first place.
>
> Thanks also for all the suggestions for checking file integrity on Red
> Hat machines. Looks like rpm verification and tripwire are the only
> options next to having a non-connected machine with a fresh install
> somewhere to compare against. Too bad. Not that those are terrible
> options, but the Solaris Fingerprint database
> (http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool.
> Maybe someday we'll have similar tools for our favorite open source
> O/S's.
>
> Mike

Mike,

An MD5 checksum of the files is exactly what rpm -V does. All you have to do to get the same effect is keep a copy of your package files on read-only media (i.e. burn a CD and keep it in the machine), and run the rpm -Vp against it from cron each night. Obviously you'll have to update the CD each time a package is updated in the errata. A CD-RW disk would probably be good for this purpose (making sure it's mounted in a CD-ROM drive, not a burner) - matter of fact, I might try that next time I get a chance. :-)

A simple workaround to Stephen's suggestion that the rpm command could have been modified is to keep a (preferably statically-linked) copy of the rpm executable on the CD and run that instead of the copy in /bin.

Obviously, someone could remove your script from the cron configuration if the system was compromised, but there's no way of avoiding that.

Regards,
Paul

> -----Original Message-----
> From: Stephen Smoogen [mailto:smoogenat_private]
> Sent: Friday, June 28, 2002 9:42 AM
> To: Mike Denka
> Cc: incidentsat_private
> Subject: Re: 33 character encrypted passwords in /etc/shadow
>
> If the 33 character passwords look like:
>
> $1$blahblahblahblahblah
>
> then the passwords are using MD5sum instead of old DES passwords.
> Depending on the version of Red Hat Linux you are running this can come
> from using the authconfig command and turning on MD5sum passwords.
>
> If the password is in the form of
> $2$blahblahblahblahblah
>
> then it is a blowfish algorithm which I think only OpenBSD supports
> currently (but my data is old on this).
>
> The simplest way of checking your machine on Red Hat is to do a
>
> rpm -Va
>
> and look at the output. This checks the binaries on the system with what
> was listed in the RPM database. This is a very simple check and prone to
> being gotten around by good crackers. The next is to do the following:
>
> If the machine has a cdrom, and you have the original media.. mount the
> cdrom and do the following:
>
> rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM
>
> so on my 7.3 machine:
>
> smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
> passwd-0.67-1
> root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm
>
> This will give you assurance that the packages as installed from Red Hat
> Linux are there. However it will not tell you about packages/files that
> aren't in RPM database... or if the rpm command itself had been altered..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jun 29 2002 - 11:43:57 PDT
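Paul's nightly check (rpm -Vp against package files on read-only media, using a statically linked rpm kept on that media rather than /bin/rpm) written up as an added shell example; this is not code from any of the posters. It assumes the CD is mounted at /mnt/cdrom with the package files under RPMS/ and the static rpm at bin/rpm (hypothetical paths), and it parses the `rpm -V` result lines so that a changed MD5 digest on a binary is reported differently from an edited config file. The sample result lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Nightly rpm verification against
# package files kept on read-only media, using the rpm binary stored on that
# media rather than /bin/rpm. Mount point and layout below are assumptions.
CDROM=${CDROM:-/mnt/cdrom}          # hypothetical mount point of the read-only CD
RPM_STATIC="$CDROM/bin/rpm"          # hypothetical statically linked rpm on the CD
PKGDIR="$CDROM/RPMS"                 # hypothetical directory of the .rpm package files

# Classify one line of `rpm -V` output. The leading flag string has one column
# per test: S size, M mode, 5 MD5 digest, D device, L link, U user, G group,
# T mtime (newer rpm adds a ninth column, P, which this parser tolerates).
# A '.' means the test passed. An optional attribute letter follows
# (c = config file), then the path. A line starting with "missing" means
# the file is gone entirely.
classify_line() {
    line=$1
    flags=${line%% *}                 # leading non-space run: flags or "missing"
    rest=${line#"$flags"}
    set -- $rest                      # word-split the remainder
    attr=""
    case "$1" in
        c|d|g|l|r) attr=$1; shift ;;
    esac
    path=$1
    if [ "$flags" = missing ]; then
        echo "MISSING: $path"
        return
    fi
    case "$flags" in
        ??5*)
            # A changed digest on a config file is normal administration;
            # on anything else it is exactly what rpm -V exists to catch.
            if [ "$attr" = c ]; then
                echo "NOTE: config file edited: $path"
            else
                echo "ALERT: content changed (MD5): $path"
            fi ;;
        ?M*|?????U*|??????G*)
            echo "ALERT: mode/owner changed: $path" ;;
        *)
            echo "INFO: size/mtime only: $path" ;;
    esac
}

# Classify every line on stdin. Exit status 1 when anything needs attention,
# so the cron job's exit code (and mailed output) flags a bad night.
classify_stream() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        out=$(classify_line "$line")
        echo "$out"
        case "$out" in ALERT*|MISSING*) bad=1 ;; esac
    done
    return $bad
}

# The nightly job: verify every package file on the CD with the CD's own rpm.
# Suggested root crontab line (path hypothetical):
#   30 3 * * * /usr/local/sbin/rpm-nightly.sh run
nightly_check() {
    "$RPM_STATIC" -Vp "$PKGDIR"/*.rpm 2>&1 | classify_stream
}

# Constructed sample of rpm -V output, for running the parser without a CD.
SAMPLE='S.5....T   /bin/ls
..5....T c /etc/hosts
.M......   /usr/bin/passwd
missing    /sbin/ifconfig
.......T   /usr/share/doc/README'

case "${1:-}" in
    run)  nightly_check ;;
    demo) printf '%s\n' "$SAMPLE" | classify_stream ;;
esac
```

Running the script with `demo` classifies the constructed lines; `run` performs the real check. Only the ALERT and MISSING classes make the job exit non-zero, so an administrator editing /etc/hosts does not produce the same signal as a replaced /bin/ls.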