From mboxrd@z Thu Jan 1 00:00:00 1970
From: dian_cecht@zoho.com
Subject: Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Tue, 3 Jan 2017 08:36:11 -0800
Message-ID: <20170103163611.GA7802@khaalida>
References: <20161231132814.GA25102@khaalida> <20170101065609.GA4651@mail.thebird.nl> <20170102152426.GA29868@khaalida> <877f6d85aw.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49350) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOS4S-0000U6-O0 for guix-devel@gnu.org; Tue, 03 Jan 2017 11:36:21 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cOS4O-0007h3-If for guix-devel@gnu.org; Tue, 03 Jan 2017 11:36:20 -0500
Received: from sender-pp-092.zoho.com ([135.84.80.237]:25413) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cOS4O-0007gC-BJ for guix-devel@gnu.org; Tue, 03 Jan 2017 11:36:16 -0500
Received: from localhost (khaalida [local]) by khaalida (OpenSMTPD) with ESMTPA id 3e38b2d1 for ; Tue, 3 Jan 2017 16:36:11 +0000 (UTC)
Content-Disposition: inline
In-Reply-To: <877f6d85aw.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: guix-devel@gnu.org

On Mon, Jan 02, 2017 at 11:28:55PM +0100, Ludovic Courtès wrote:
> Hi!
>
> dian_cecht@zoho.com skribis:
>
> > P.S. On second thought (and after a cup of coffee), could the database file be
> > generated using the same format programs like md5sum, sha1sum, et al use so we'd
> > just have to run (for example) md5sum -C database?
>
> That sounds like a good idea to complement ‘guix publish’ + ‘guix
> challenge’.
>
> A simple way to dump the database is like this:
>
> --8<---------------cut here---------------start------------->8---
> $ sudo sqlite3 /var/guix/db/db.sqlite
> SQLite version 3.14.1 2016-08-11 18:53:32
> Enter ".help" for usage hints.
> sqlite> select path,hash from validpaths;
> /gnu/store/98xcn26354r70nyamkgywqzjxvw3qikx-guile-2.0.9.tar.xz|sha256:a475e4bad3d39a94f01c590f239e80dbd84688e480ca74de3e335f6f36a0d975
> /gnu/store/hyh7kwkqlxc0x9s8cs5mjnih5v524486-make-impure-dirs.patch|sha256:d697a02be5fea425ac93eb650b1359e3e8053d84f70677c8c0a80291ed03585e
> /gnu/store/hv15hq91vm3ajv23lkq0kgd56d4kmd08-findutils-absolute-paths.patch|sha256:c4fc83e01a7f448b598905bcf6ca39b5ba0f1f0f131145b379f0de9c2fbe109b
> […]
> --8<---------------cut here---------------end--------------->8---
>
> (Of course you have to trust the database to contain the right hashes in
> the first place.)
>
> Ludo’.

That is part of the reason I also suggest an external utility, and ideally
one that is simple enough that people could (re)implement it in their language
of choice (so that what and where the script is is generally
unknown/unknowable/really hard to find, as well as much more difficult to
compromise via simple methods such as patching).

Heck, since your normal user can read the store, one should be able to
reasonably compare the currently stored database to something the user has
generated via

# Please note that I'm not 100% sure this is correct. I don't think you'd want
# to include .link files, but I'm unable to find a quick way in the minute or
# two I wrote this to avoid them. Plus I'd expect some things to be checksummed
# that don't really need it.
$ find /gnu/store/ -type f -print0 | xargs -0 sha256sum

or something similar, given that sha256sum isn't compromised.

Once the two are known to be in sync (ideally with some form of external
verification, and by external I mean booting and mounting the system under a
Known Good liveUSB or similar and checking the database against the system's
sha256sum as well as the liveUSB's Known Good version), then comparing to
another person's checksum dump (ideally someone you know properly checks their
system via the aforementioned or better method) to try and catch potential
unwanted modification.

The obvious problem would be removing entries for programs known to not have
a deterministic build (which makes all of this entirely moot for said
program), and hoping they aren't compromised and aren't Very Important to the
system.
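Added example, not code from this thread or from Guix: a small Python script that does the comparison step described above, taking two sha256sum-style listings of /gnu/store (the local one and a reference taken from a Known Good live medium or a trusted peer), skipping the hard-link farm under /gnu/store/.links and any store item listed as non-reproducible, and reporting files that changed, went missing or appeared. The listings, digests and store hashes in it are constructed sample data. One caveat worth knowing before wiring this up: the hash column of the validpaths table is the sha256 of the normalized archive (nar) of the whole store item, not of each file, so a per-file listing has to be compared with another per-file listing rather than with the database dump directly.

```python
"""Compare two sha256sum-style listings of /gnu/store and report drift.

Added example, not code from the thread.  Both inputs are assumed to be in
sha256sum's output format ("<hex digest>  <path>"), e.g. as produced by
    find /gnu/store/ -path /gnu/store/.links -prune -o -type f -print0 \
        | xargs -0 sha256sum
The reference listing comes from a known-good medium or a trusted peer.
"""
import re
from dataclasses import dataclass, field

# "<64 hex>" then "  " (text mode) or " *" (binary mode), then the path.
LINE_RE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")
# Store items look like /gnu/store/<32-char base32 hash>-<name>-<version>/...
STORE_ITEM_RE = re.compile(r"^/gnu/store/[0-9a-z]{32}-([^/]+)")
LINKS_DIR = "/gnu/store/.links/"


def parse_listing(text):
    """Parse sha256sum output into {path: digest}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not sha256sum format: {line!r}")
        digest, path = m.groups()
        if path in entries:
            raise ValueError(f"line {lineno}: duplicate path {path}")
        entries[path] = digest
    return entries


def store_item(path):
    """Return the '<name>-<version>' part of a store path, or None."""
    m = STORE_ITEM_RE.match(path)
    return m.group(1) if m else None


def is_excluded(path, nondeterministic):
    """Skip the .links hard-link farm and items known not to build reproducibly."""
    if path.startswith(LINKS_DIR):
        return True
    item = store_item(path)
    return item is not None and any(item.startswith(p) for p in nondeterministic)


@dataclass
class Report:
    changed: list = field(default_factory=list)     # same path, different digest
    missing: list = field(default_factory=list)     # in the reference only
    unexpected: list = field(default_factory=list)  # on this system only
    skipped: int = 0

    def clean(self):
        return not (self.changed or self.missing or self.unexpected)


def compare(local, reference, nondeterministic=()):
    """Diff two parsed listings; paths are visited in sorted order."""
    rep = Report()
    for path in sorted(set(local) | set(reference)):
        if is_excluded(path, nondeterministic):
            rep.skipped += 1
        elif path not in local:
            rep.missing.append(path)
        elif path not in reference:
            rep.unexpected.append(path)
        elif local[path] != reference[path]:
            rep.changed.append(path)
    return rep


# --- constructed sample data: fake digests and fake store hashes ----------
def fake_digest(n):
    return f"{n:064x}"

COREUTILS = "/gnu/store/" + "0" * 32 + "-coreutils-8.25"
GUILE = "/gnu/store/" + "1" * 32 + "-guile-2.0.11"
NONDET = "/gnu/store/" + "2" * 32 + "-nondeterministic-example-1.0"
EXTRA = "/gnu/store/" + "3" * 32 + "-extra-0.1"

SAMPLE_REFERENCE = "\n".join([
    f"{fake_digest(1)}  {COREUTILS}/bin/sha256sum",
    f"{fake_digest(2)}  {COREUTILS}/bin/ls",
    f"{fake_digest(3)}  {GUILE}/bin/guile",
    f"{fake_digest(4)}  {GUILE}/share/guile/2.0/ice-9/boot-9.go",
    f"{fake_digest(5)}  {NONDET}/lib/libexample.so",
    f"{fake_digest(9)} *{LINKS_DIR}{fake_digest(9)}",
])
SAMPLE_LOCAL = "\n".join([
    f"{fake_digest(7)}  {COREUTILS}/bin/sha256sum",   # tampered checksum tool
    f"{fake_digest(2)}  {COREUTILS}/bin/ls",
    f"{fake_digest(3)}  {GUILE}/bin/guile",
    f"{fake_digest(6)}  {NONDET}/lib/libexample.so",  # differs, but excluded
    f"{fake_digest(8)}  {EXTRA}/bin/extra",           # not in the reference
    f"{fake_digest(9)} *{LINKS_DIR}{fake_digest(9)}",
])


def sample_report():
    return compare(parse_listing(SAMPLE_LOCAL), parse_listing(SAMPLE_REFERENCE),
                   nondeterministic=("nondeterministic-example",))


if __name__ == "__main__":
    rep = sample_report()
    for label, paths in (("CHANGED", rep.changed), ("MISSING", rep.missing),
                         ("UNEXPECTED", rep.unexpected)):
        for p in paths:
            print(f"{label}\t{p}")
    print(f"skipped {rep.skipped}, clean={rep.clean()}")
```

On the sample data the report flags the modified sha256sum binary as CHANGED, the guile boot file as MISSING and the extra item as UNEXPECTED, while the differing non-reproducible item and the .links entry are only counted as skipped. The exclusion list is matched against the name-version part of the store path, so it survives the hash prefix changing between builds.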