Add "IDS" command to freebsd-update. This was present in the original

version of freebsd-update, but I took it out when I rewrote everything and added FreeBSD Update to the base system because I didn't think it was useful. It turns out that quite a few people liked it and wanted it back. Requested by: Royce Williams + others MFC after: 2 weeks
svn path=/head/; revision=181142
2008-08-02 00:09:41 +00:00 · 2008-08-02 00:09:41 +00:00 · 08e23bee1a · 2020-12-20 02:59:44 +00:00
commit 08e23bee1a
parent 2cc8ab2a83
2 changed files with 264 additions and 2 deletions
--- a/usr.sbin/freebsd-update/freebsd-update.8
+++ b/usr.sbin/freebsd-update/freebsd-update.8
@ -132,6 +132,9 @@ case there are any special steps needed for upgrading.
 Install the most recently fetched updates or upgrade.
 .It Cm rollback
 Uninstall the most recently installed updates.
+.It Cm IDS
+Compare the system against a "known good" index of the
+installed release.
 .El
 .Sh TIPS
 .Bl -bullet
@ -144,6 +147,14 @@ to /etc/crontab will check for updates every night.
 If your clock is set to UTC, please pick a random time
 other than 3AM, to avoid overly imposing an uneven load
 on the server(s) hosting the updates.
+.It
+In spite of its name,
+.Cm
+IDS should not be relied upon as an "Intrusion Detection
+System", since it if the system has been tampered with
+it cannot be trusted to operate correctly.
+If you intend to use this command for intrusion-detection
+purposes, make sure you boot from a secure disk (e.g., a CD).
 .El
 .Sh FILES
 .Bl -tag -width "/etc/freebsd-update.conf"
--- a/usr.sbin/freebsd-update/freebsd-update.sh
+++ b/usr.sbin/freebsd-update/freebsd-update.sh
@ -56,6 +56,7 @@ Commands:
  upgrade      -- Fetch upgrades to FreeBSD version specified via -r option
  install      -- Install downloaded updates or upgrades
  rollback     -- Uninstall most recently installed updates
+  IDS          -- Compare the system against an index of "known good" files.
 EOF
 	exit 0
 }
@ -86,7 +87,8 @@ EOF

 CONFIGOPTIONS="KEYPRINT WORKDIR SERVERNAME MAILTO ALLOWADD ALLOWDELETE
    KEEPMODIFIEDMETADATA COMPONENTS IGNOREPATHS UPDATEIFUNMODIFIED
-    BASEDIR VERBOSELEVEL TARGETRELEASE STRICTCOMPONENTS MERGECHANGES"
+    BASEDIR VERBOSELEVEL TARGETRELEASE STRICTCOMPONENTS MERGECHANGES
+    IDSIGNOREPATHS"

 # Set all the configuration options to "".
 nullconfig () {
@ -222,6 +224,13 @@ config_IgnorePaths () {
 	done
 }

+# Add to the list of paths which IDS should ignore.
+config_IDSIgnorePaths () {
+	for C in $@; do
+		IDSIGNOREPATHS="${IDSIGNOREPATHS} ${C}"
+	done
+}
+
 # Add to the list of paths within which updates will be performed only if the
 # file on disk has not been modified locally.
 config_UpdateIfUnmodified () {
@ -375,7 +384,7 @@ parse_cmdline () {
 			;;

 		# Commands
-		cron | fetch | upgrade | install | rollback)
+		cron | fetch | upgrade | install | rollback | IDS)
 			COMMANDS="${COMMANDS} $1"
 			;;

@ -692,6 +701,91 @@ rollback_check_params () {
 	fi
 }

+# Perform sanity checks and set some final parameters
+# in preparation for comparing the system against the
+# published index.  Figure out which index we should
+# compare against: If the user is running *-p[0-9]+,
+# strip off the last part; if the user is running
+# -SECURITY, call it -RELEASE.  Chdir into the working
+# directory.
+IDS_check_params () {
+	export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)"
+
+	_SERVERNAME_z=\
+"SERVERNAME must be given via command line or configuration file."
+	_KEYPRINT_z="Key must be given via -k option or configuration file."
+	_KEYPRINT_bad="Invalid key fingerprint: "
+	_WORKDIR_bad="Directory does not exist or is not writable: "
+
+	if [ -z "${SERVERNAME}" ]; then
+		echo -n "`basename $0`: "
+		echo "${_SERVERNAME_z}"
+		exit 1
+	fi
+	if [ -z "${KEYPRINT}" ]; then
+		echo -n "`basename $0`: "
+		echo "${_KEYPRINT_z}"
+		exit 1
+	fi
+	if ! echo "${KEYPRINT}" | grep -qE "^[0-9a-f]{64}$"; then
+		echo -n "`basename $0`: "
+		echo -n "${_KEYPRINT_bad}"
+		echo ${KEYPRINT}
+		exit 1
+	fi
+	if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then
+		echo -n "`basename $0`: "
+		echo -n "${_WORKDIR_bad}"
+		echo ${WORKDIR}
+		exit 1
+	fi
+	cd ${WORKDIR} || exit 1
+
+	# Generate release number.  The s/SECURITY/RELEASE/ bit exists
+	# to provide an upgrade path for FreeBSD Update 1.x users, since
+	# the kernels provided by FreeBSD Update 1.x are always labelled
+	# as X.Y-SECURITY.
+	RELNUM=`uname -r |
+	    sed -E 's,-p[0-9]+,,' |
+	    sed -E 's,-SECURITY,-RELEASE,'`
+	ARCH=`uname -m`
+	FETCHDIR=${RELNUM}/${ARCH}
+	PATCHDIR=${RELNUM}/${ARCH}/bp
+
+	# Figure out what directory contains the running kernel
+	BOOTFILE=`sysctl -n kern.bootfile`
+	KERNELDIR=${BOOTFILE%/kernel}
+	if ! [ -d ${KERNELDIR} ]; then
+		echo "Cannot identify running kernel"
+		exit 1
+	fi
+
+	# Figure out what kernel configuration is running.  We start with
+	# the output of `uname -i`, and then make the following adjustments:
+	# 1. Replace "SMP-GENERIC" with "SMP".  Why the SMP kernel config
+	# file says "ident SMP-GENERIC", I don't know...
+	# 2. If the kernel claims to be GENERIC _and_ ${ARCH} is "amd64"
+	# _and_ `sysctl kern.version` contains a line which ends "/SMP", then
+	# we're running an SMP kernel.  This mis-identification is a bug
+	# which was fixed in 6.2-STABLE.
+	KERNCONF=`uname -i`
+	if [ ${KERNCONF} = "SMP-GENERIC" ]; then
+		KERNCONF=SMP
+	fi
+	if [ ${KERNCONF} = "GENERIC" ] && [ ${ARCH} = "amd64" ]; then
+		if sysctl kern.version | grep -qE '/SMP$'; then
+			KERNCONF=SMP
+		fi
+	fi
+
+	# Define some paths
+	SHA256=/sbin/sha256
+	PHTTPGET=/usr/libexec/phttpget
+
+	# Set up variables relating to VERBOSELEVEL
+	fetch_setup_verboselevel
+}
+
 #### Core functionality -- the actual work gets done here

 # Use an SRV query to pick a server.  If the SRV query doesn't provide
@ -2705,6 +2799,157 @@ rollback_run () {
 	echo " done."
 }

+# Compare INDEX-ALL and INDEX-PRESENT and print warnings about differences.
+IDS_compare () {
+	# Get all the non-matching lines.
+	sort -k 1,1 -t '|' < $1 > $1.sorted
+	comm -13 $1 $2 |
+	    fgrep -v '|-||||||' |
+	    sort -k 1,1 -t '|' |
+	    join -t '|' $1.sorted - > INDEX-NOTMATCHING
+
+	# Ignore files which match IDSIGNOREPATHS.
+	for X in ${IDSIGNOREPATHS}; do
+		grep -E "^${X}" INDEX-NOTMATCHING
+	done |
+	    sort -u |
+	    comm -13 - INDEX-NOTMATCHING > INDEX-NOTMATCHING.tmp
+	mv INDEX-NOTMATCHING.tmp INDEX-NOTMATCHING
+
+	# Go through the lines and print warnings.
+	while read LINE; do
+		FPATH=`echo "${LINE}" | cut -f 1 -d '|'`
+		TYPE=`echo "${LINE}" | cut -f 2 -d '|'`
+		OWNER=`echo "${LINE}" | cut -f 3 -d '|'`
+		GROUP=`echo "${LINE}" | cut -f 4 -d '|'`
+		PERM=`echo "${LINE}" | cut -f 5 -d '|'`
+		FLAGS=`echo "${LINE}" | cut -f 6 -d '|'`
+		HASH=`echo "${LINE}" | cut -f 7 -d '|'`
+		LINK=`echo "${LINE}" | cut -f 8 -d '|'`
+		P_TYPE=`echo "${LINE}" | cut -f 9 -d '|'`
+		P_OWNER=`echo "${LINE}" | cut -f 10 -d '|'`
+		P_GROUP=`echo "${LINE}" | cut -f 11 -d '|'`
+		P_PERM=`echo "${LINE}" | cut -f 12 -d '|'`
+		P_FLAGS=`echo "${LINE}" | cut -f 13 -d '|'`
+		P_HASH=`echo "${LINE}" | cut -f 14 -d '|'`
+		P_LINK=`echo "${LINE}" | cut -f 15 -d '|'`
+
+		# Warn about different object types.
+		if ! [ "${TYPE}" = "${P_TYPE}" ]; then
+			echo -n "${FPATH} is a "
+			case "${P_TYPE}" in
+			f)	echo -n "regular file, "
+				;;
+			d)	echo -n "directory, "
+				;;
+			L)	echo -n "symlink, "
+				;;
+			esac
+			echo -n "but should be a "
+			case "${TYPE}" in
+			f)	echo -n "regular file."
+				;;
+			d)	echo -n "directory."
+				;;
+			L)	echo -n "symlink."
+				;;
+			esac
+			echo
+
+			# Skip other tests, since they don't make sense if
+			# we're comparing different object types.
+			continue
+		fi
+
+		# Warn about different owners.
+		if ! [ "${OWNER}" = "${P_OWNER}" ]; then
+			echo -n "${FPATH} is owned by user id ${P_OWNER}, "
+			echo "but should be owned by user id ${OWNER}."
+		fi
+
+		# Warn about different groups.
+		if ! [ "${GROUP}" = "${P_GROUP}" ]; then
+			echo -n "${FPATH} is owned by group id ${P_GROUP}, "
+			echo "but should be owned by group id ${GROUP}."
+		fi
+
+		# Warn about different permissions.  We do not warn about
+		# different permissions on symlinks, since some archivers
+		# don't extract symlink permissions correctly and they are
+		# ignored anyway.
+		if ! [ "${PERM}" = "${P_PERM}" ] &&
+		    ! [ "${TYPE}" = "L" ]; then
+			echo -n "${FPATH} has ${P_PERM} permissions, "
+			echo "but should have ${PERM} permissions."
+		fi
+
+		# We don't warn about different file flags, since sysinstall
+		# doesn't seem to set these when it installs FreeBSD.
+
+		# Warn about different file hashes / symlink destinations.
+		if ! [ "${HASH}" = "${P_HASH}" ]; then
+			if [ "${TYPE}" = "L" ]; then
+				echo -n "${FPATH} is a symlink to ${P_HASH}, "
+				echo "but should be a symlink to ${HASH}."
+			fi
+			if [ "${TYPE}" = "f" ]; then
+				echo -n "${FPATH} has SHA256 hash ${P_HASH}, "
+				echo "but should have SHA256 hash ${HASH}."
+			fi
+		fi
+
+		# We don't warn about different hard links, since some
+		# some archivers break hard links, and as long as the
+		# underlying data is correct they really don't matter.
+	done < INDEX-NOTMATCHING
+
+	# Clean up
+	rm $1 $1.sorted $2 INDEX-NOTMATCHING
+}
+
+# Do the work involved in comparing the system to a "known good" index
+IDS_run () {
+	workdir_init || return 1
+
+	# Prepare the mirror list.
+	fetch_pick_server_init && fetch_pick_server
+
+	# Try to fetch the public key until we run out of servers.
+	while ! fetch_key; do
+		fetch_pick_server || return 1
+	done
+ 
+	# Try to fetch the metadata index signature ("tag") until we run
+	# out of available servers; and sanity check the downloaded tag.
+	while ! fetch_tag; do
+		fetch_pick_server || return 1
+	done
+	fetch_tagsanity || return 1
+
+	# Fetch INDEX-OLD and INDEX-ALL.
+	fetch_metadata INDEX-OLD INDEX-ALL || return 1
+
+	# Generate filtered INDEX-OLD and INDEX-ALL files containing only
+	# the components we want and without anything marked as "Ignore".
+	fetch_filter_metadata INDEX-OLD || return 1
+	fetch_filter_metadata INDEX-ALL || return 1
+
+	# Merge the INDEX-OLD and INDEX-ALL files into INDEX-ALL.
+	sort INDEX-OLD INDEX-ALL > INDEX-ALL.tmp
+	mv INDEX-ALL.tmp INDEX-ALL
+	rm INDEX-OLD
+
+	# Translate /boot/${KERNCONF} to ${KERNELDIR}
+	fetch_filter_kernel_names INDEX-ALL ${KERNCONF}
+
+	# Inspect the system and generate an INDEX-PRESENT file.
+	fetch_inspect_system INDEX-ALL INDEX-PRESENT /dev/null || return 1
+
+	# Compare INDEX-ALL and INDEX-PRESENT and print warnings about any
+	# differences.
+	IDS_compare INDEX-ALL INDEX-PRESENT
+}
+
 #### Main functions -- call parameter-handling and core functions

 # Using the command line, configuration file, and defaults,
@ -2765,6 +3010,12 @@ cmd_rollback () {
 	rollback_run || exit 1
 }

+# Compare system against a "known good" index.
+cmd_IDS () {
+	IDS_check_params
+	IDS_run || exit 1
+}
+
 #### Entry point

 # Make sure we find utilities from the base system