Re: how to check the validity of a running daemon on Linux

[Valdis . Kletnieks]

On Thu, 27 Jan 2005 15:33:49 +1300, ych43 said:

>   Does anybody know how to check the validity of a deamon. which runs on Linux 
> -platform host . This daemon can save some information in a log file of the 
> host. I mean that if an attacker compromises this host and gets root access, 
> he can replace this daemon with a rogue version. Therfefore, the information 
> saved on the log file is incorrect. So how can I check the validity of the 
> daemon to show this  daemon is correct version and not a rogue version. So I 
> trust the information saved on the host.

If you trust your kernel, there's several ways:

1) There's Tripwire and Aide (http://aide.sf.net) for cronjob-style checking
of your system.

2) There's the DigSig patches, and Fedora kernels have a 'modsign' patch, both of
which use digital signatures checked at exec() time to prevent tampering.  I
haven't checked whether either of those will detect the case of subverting the
daemon by means of code that's actually in some libshared.so rather than
modifying the daemon binary itself.

If you don't trust your kernel (for instance, if you suspect that the attacker
has loaded a kernel module that hides his activities - building your kernel
without module support does *NOT*, repeat *NOT* stop this attack), your only
choice is to boot from known trusted media (a CD-based rescue disk or Knoppix
or similar) and compare the binary that's on your system to a "known good"
copy on the CD.

This of course requires that you trust your system BIOS.  If you don't trust
that, you're on your own.  I hear tin foil is on sale down at the local market ;)

Attachment: pgp00000.pgp
Description: PGP signature