The tool mtree can be used like the well-known Tripwire to detect trojan-horsed files. With the additions made in NetBSD 1.4, mtree becomes even more useful, especially on a firewall.
All three BSD variants ship a tool called mtree. It compares a whole directory tree against a specification; any file whose characteristics do not match the specification triggers a message on standard output. mtree can also record an MD5 checksum for each file.
To detect system binaries that have been trojan-horsed, run mtree on the file system you are interested in, for example:
mtree -s <no> -x -c -K cksum -K md5 -p /your/path > usrspec
where <no> is a hard-to-guess number used as seed [2]. With that option mtree generates a single checksum that represents all of the files for which the keyword cksum was specified. This single checksum is printed on standard error, not into usrspec. Note this number and store it offline, together with the seed, because the same seed is needed to reproduce it.
If a later run with the same seed, mtree -s <no> -f usrspec -p /your/path, prints a different single checksum, compare your file system against your original specification usrspec, which you hopefully also saved offline. That same invocation prints one line on standard output for every file whose attributes differ from the specification, so you can see exactly which file was modified or trojan-horsed.
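The baseline-and-recheck workflow above, as an added example that is not part of the original page and not mtree's own code: it walks a tree, records type, mode, flags, size and MD5 per entry, serialises that to a text specification to keep offline, derives one seeded number from all digests (a seeded MD5 here, not mtree's CRC) and later reports exactly which entries changed. The specification format is a flat, simplified imitation of mtree's key=value keywords (names without whitespace), the "bin" tree and the tampering in demo() are constructed, and st_flags is only available on the BSDs.

```python
# Added example in the spirit of "mtree -c" / "mtree -f" (not the page's code).
# Simplifications: flat one-entry-per-line spec instead of mtree's nested layout,
# a seeded MD5 as the single checksum instead of mtree's CRC, file names without
# whitespace.  The tree built in demo() is constructed for illustration.
import hashlib
import os
import shutil
import stat
import tempfile

KEYS = ("type", "mode", "flags", "size", "md5digest")

def file_md5(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def entry(root, rel):
    """Keywords recorded for one entry (md5digest is what -K md5 adds)."""
    full = os.path.join(root, rel)
    st = os.lstat(full)
    kind = "dir" if stat.S_ISDIR(st.st_mode) else ("link" if stat.S_ISLNK(st.st_mode) else "file")
    attrs = {"type": kind,
             "mode": "%04o" % stat.S_IMODE(st.st_mode),
             # st_flags (schg, sappnd, ...) exists only on the BSDs; 0 elsewhere
             "flags": str(getattr(st, "st_flags", 0))}
    if kind == "file":
        attrs["size"] = str(st.st_size)
        attrs["md5digest"] = file_md5(full)
    return attrs

def make_spec(root):
    """Walk root, like "mtree -c -p root", and return {relpath: attrs}."""
    spec = {".": entry(root, ".")}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            spec[rel] = entry(root, rel)
    return spec

def spec_to_text(spec):
    """The text you store offline: one "path key=value ..." line per entry."""
    return "".join("%s %s\n" % (rel, " ".join("%s=%s" % (k, spec[rel][k])
                                                for k in KEYS if k in spec[rel]))
                   for rel in sorted(spec))

def text_to_spec(text):
    spec = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rel, *kvs = line.split()
            spec[rel] = dict(kv.split("=", 1) for kv in kvs)
    return spec

def single_checksum(spec, seed):
    """One number covering every digest, seeded like "mtree -s <no>" (MD5-based here)."""
    h = hashlib.md5(str(seed).encode())
    for rel in sorted(spec):
        h.update(rel.encode() + b"\0" + spec[rel].get("md5digest", "").encode() + b"\0")
    return int.from_bytes(h.digest()[:4], "big")

def verify(spec, root):
    """Compare root against a stored spec; return sorted (relpath, reason) findings."""
    now = make_spec(root)
    findings = [(rel, "missing") for rel in spec.keys() - now.keys()]
    findings += [(rel, "extra") for rel in now.keys() - spec.keys()]
    for rel in spec.keys() & now.keys():
        for k in KEYS:
            if spec[rel].get(k) != now[rel].get(k):
                findings.append((rel, "%s expected %s found %s"
                                 % (k, spec[rel].get(k), now[rel].get(k))))
    return sorted(findings)

def write(path, data, mode):
    if os.path.exists(path):          # make a read-only target writable first
        os.chmod(path, 0o644)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo(seed=4711):
    """Constructed scenario: baseline a tiny "bin", trojan one file, re-check."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "bin"))
        write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\nexec /bin/ls \"$@\"\n", 0o555)
        write(os.path.join(root, "bin", "ps"), b"#!/bin/sh\nexec /bin/ps \"$@\"\n", 0o555)
        baseline = make_spec(root)
        saved = spec_to_text(baseline)             # keep offline (the "usrspec")
        noted = single_checksum(baseline, seed)    # write this number down
        # intruder: ps now hides his process, a backdoor appears; modes untouched
        write(os.path.join(root, "bin", "ps"),
              b"#!/bin/sh\nexec /bin/ps \"$@\" | grep -v evil\n", 0o555)
        write(os.path.join(root, "bin", "evil"), b"#!/bin/sh\n", 0o555)
        # later check: compare the single number first, then consult the full spec
        changed = single_checksum(make_spec(root), seed) != noted
        return changed, (verify(text_to_spec(saved), root) if changed else [])
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    changed, findings = demo()
    print("single checksum changed:", changed)
    for rel, reason in findings:
        print(rel, reason)
```

Run it and the report names bin/evil as an extra file and bin/ps as changed in size and digest, while the unchanged ls and the directories stay silent; a bare mode or flags change on a file with unchanged content is caught the same way because every keyword is compared, which is the point of keeping the full specification and not only the single number.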
The mtree utility in NetBSD 1.4 was modified by Matthew Green to be aware of the file flags (for example schg and sappnd), and Alexandre Wennmacher added two options to mtree that set or unset the flags schg and sappnd. The purpose of these changes can be seen in the following scenario [1]:
An attacker managed to break into your system and even gained root. As a first step he tries to cover his tracks by changing the log files /var/log/messages, /var/log/wtmp and /var/log/authlog. He has no chance: they are sappnd (append-only), so existing entries cannot be altered or removed. The next step would typically be to replace some system binaries with Trojan horses. This won't work on a flag-protected system either, because schg (immutable) files cannot be written, renamed or unlinked. Frustrated, the attacker tries to erase your system: /bin/rm -rf /. No, this won't work either (except for the unprotected user data; a backup is still a good idea).
A more clever attacker will probably try to clear the schg and sappnd flags. But if you run your system at securelevel=2, these flags cannot be cleared while the system is up: he would have to take the system down to single-user mode, and doing so cuts off his network connection. So this won't work either.
Unfortunately this has some impact on system administration. You can still do some administration in multi-user mode (adding users, for example), but most of the more critical work has to be done in single-user mode. It is up to you to decide between ease of administration and security.
You also have to disable newsyslog's log rotation if you set the sappnd flag on /var/log and the log files in it: rotation renames the old file and creates a new one, which an append-only directory and append-only files forbid.
To use this on FreeBSD you first have to get the mtree sources from NetBSD 1.4 and compile and install them on your system. This requires only minor changes to the Makefile and to one header file.
Get the NetBSD mtree either from NetBSD or from here. If you take the second link, the changes for FreeBSD are already done; otherwise you have to adjust the Makefile and remove the include of <stat_flags.h> from extern.h. Copy mtree.tgz to /usr/src/usr.sbin, then do:
% cd /usr/src/usr.sbin
% su
# mv mtree mtree.old
# tar -zxvf mtree.tgz
# cd mtree
# make && make install
You are done. But check whether there is an old preformatted manpage under $MANPATH/cat8, because the new one is only installed under $MANPATH/man8. If you find an old mtree.8.gz under $MANPATH/cat8, remove it.
In the directory /etc/mtree you will find the specifications for your newly installed FreeBSD. To check a distribution, run mtree with -f pointing at the matching specification file and -p at the directory tree it describes. For every file that differs from the original distribution a message is printed to standard output.
Set the schg and sappnd flags and the permissions in the file system you want to secure. Also be sure to disable log rotation by newsyslog if you have set sappnd on /var/log.
To make changes to your file system(s) impossible, raise the securelevel:
sysctl -w kern.securelevel=2
If you do not set the securelevel at boot time (which is nevertheless highly recommended), a reboot is sufficient to come back to securelevel=-1; otherwise you have to boot into single-user mode. Then you can unset your flags using:
You get Tripwire-like functionality with the built-in mtree. With the mtree from NetBSD 1.4 you can even lock down your file systems, preventing even someone with root access from changing your system files.
The best would be if the FreeBSD project took over NetBSD's mtree version. I will propose this change via a send-pr request.
[1] The following was taken nearly unmodified from A. Wennmacher's proposal.
[2] Change this number, and store it offline.