checkroot

trusted root file system verification for openSUSE



Short Description:

checkroot is the first tool to retrieve file checksums online and therefore allows a trusted verification of your root file system at least as far as you can trust your internet connection or the verification medium (DVD, BD, etc.). It constitutes a major advancement towards tools like rpm -Va or debsums, because neither debsums nor rpm -Va (rpm --verify -a) use private keys and signed package headers prior to package verification. That way a cracker can simply modify the checksums locally. rpm --verify -a does not even report if the signature of a package has been invalid.

It has initially been meant as a pre-replacement for an ready-to-download checksum list of all known files for openSUSE like that is already available for Windows and MacOS to a limited extent in order to be supported by the openSUSE build system: vote for it; discuss about it .



Downloads:
checkroot v1.6 .tar.gz
checkroot v1.5 .tar.gz
checkroot v1.1 .tar.gz
checkroot v0.9 .tar.gz

new improvements: see changelog
Authors Email
Elmar Stellnberger estellnb@elstel.org
Michael Schroeder mls@suse.com

cross reference: checkroot for Debian and Ubuntu *** more up to date; read this ***

hints and description:

      The tool works like the following: On your hard disk md5sum lists for all files belonging to packages installed via rpm are stored in your rpm database so that it should be possible to detect file alterations. However a cracker can modify these md5sum lists along with the files he has modified. To prevent this the header of all packages are signed by a private gpg-key/fingerprint. The good thing about this tool is that it verifies the header with the public key prior to acessing the md5sum list in the header. If the verification of the header fails the tool can re-download a fresh header (slower than just having to access the hard disk). If you do not trust some of the keys (the private keys could have been stolen) you can choose to re-download the header of every installed package by the -n option. However this either requires a fully updated system or will otherwise not work for external repos like Packman. The tool fetches the master keys stored in the gpg-pubkey package on every run so that you will either need internet access or an installation strictly bounded to offline resources like your install-DVD.

current issues of interest:

    Future Improvements
  • use the new sha-256 lists instead of the old md5sums
  • guess mount point of non browsable repos
  • suggest upgrades where package header not available in current version any more
  • further beta testing required!
    TODOs for openSUSE-Project
  • try to keep at least the headers of old packages in repos; these files need not be indexed. This will require a modification of the build service and accomodations for Packman as well.
  • offer a boot option 'all files cached to memory' for the openSUSE live CD (for users who don`t have a second USB/IDE/eSATA DVD drive.)
  • provide a newer version of yum for opensuse or offer a distribution-synchronization option for zypper

In regards of further questions or discussions concerning the future developement of checkroot you may use the openSUSE-security@openSUSE.org mailing list; in questions of support write me a letter to estellnb@elstel.org.

*** other interesting content from elstel ***


usage hints:

When using checkroot first make sure that your rpm is not compromised at best by booting from a CD. If you just wanna test it you may run it directly. Nonetheless you will need your install DVD to initially retrieve the primary gpg-pubkeys and to verify core packages for which the signature has been deemed invalid. If you have booted from live-media instead of the rescue console of your installation dvd and you do not have a second CD-ROM drive you will either need to remove your boot DVD (needed a boot option: 'all files cached to memory') or mount -o loop a disk image of your dvd which should be sha256-sumed first (note that md5sums and sha1sums are no more deemed secure.). This is necessary since many packages in the oss and non-oss online repos are only available in a different version/release flavour. Besides this the keys could primarily be downloaded as well so that you may suffice without the install-DVD for future releases as long as all signatures are valid. If this tool should attain interest it shall be included in the rescue console of the install DVD so that this does not pose a problem any longer.

Before you go ahead in rebooting from a clean system make sure that your system is properly updated by running  ’zypper up’. This will be especially important for external repos like Packman or libdvdcss since these repos do not distribute patches but simply replace packages by newer versions of them. If it should be necessary to re-download a package header because its signature could not be verified the newest version needs to be already installed. The headers for elder packages will no more be available. Note that a  zypper up  does actually more than the openSUSE-updater gui panel applet because it can also install upgrades. If you wanna make sure that signatures for all packages are available online (i.e. when checking with -n) install yum and update with the distribution-sync option. That will downgrade or remove any package no more available in the desired version.

This tool is based on rpm --verify. The output is roughly the same as for  rpm --verify -a  just that it is by default written to a file called verrified.annot and that file verification lines are annotated by the package they stem from. Addtionally the second column is a - rather than being left out for average files (special files: c - config, d - doku, g - auto created ghost file that is not intially unpacked) which makes parsing and querying of the output easier. rpm -Va lists a lot of files since just a change in the time stamp (T) can cause a file being listed. Interesting are those files whose content has changed (S-size, 5-md5sum, L-link, D-Device node). These files are put into verified-interesting.annot. If any changes to special core files usually altered by a rootkit have been detected the verification stamps of these files can be found in verified-rootkit.annot (All candidate files for this can be found in rootkit.files at first).

As soon as you have booted make sure that your install DVD is mounted. Unpack checkroot.tar.gz into a directory on path or in any other directory of your choice (only precondition: all files need to reside in the same dir). Change to an empty directory for the described output files to reside. Make sure you have fully mounted the root partition with write permission (as well as /usr /boot and /var if you should have them separately). Write access is needed to refresh the public gpg-keys/fingerprints (unless you use the -n option for downloading all package headers which is more slowly). Run  ’checkroot rootdir’  as root (or checkroot --help first). You may want to use the -d option if you wanna trust package headers signed with DSA (a crackable encryption algorithm). After checkroot has finished you may want to run  checkroot --restoregpgkeys rootdir  to keep the old gpg-keys rather than the set of newly fetched gpg-keys. Note that the newly fetched keys contain also keys for repos that have already been deleted because packages from these repos may still be installed.

ouptut:
verified-interesting.annot .... files which have changed
verified-rootkit.annot ... core files which have changed
unchecked.lis ... packages which could not be verified

   back        

   up        



changelog

  get informed about site updates via rss!  (right click: add with Akregator)