File checksum application issue and resolution
From ossec email list:
Rob Skoog wrote:
> > I recently installed OSSEC on a host and a day or two later an alert
> > email showed a bunch of checksum alerts for several different files.
> >
> > This is one example:
> > OSSEC HIDS Notification.
> > 2008 Apr 01 08:40:21
> >
> > Received From: gravel->syscheck
> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
> > Portion of the log(s):
> >
> > Integrity checksum changed for: '/usr/bin/yelp'
> > Old md5sum was: '6e1ae6c66c698178e10811ee75899931'
> > New md5sum is : 'ac0c2f17040cfd072e79b138056aa71e'
> > Old sha1sum was: '20334f1f9b133d3018c7cebf685f2a3c4fd78b19'
> > New sha1sum is : '4f9b48a1eba833fba34d007e0aa878960ec789e8'
> >
> > My yum.log shows no updates after the 28th of march.
> >
> > So I decided to investigate further this one result picked at random.
> >
> > uname -a
> > Linux <scrubbed> 2.6.18-53.1.6.el5 #1 SMP Wed Jan 23 11:30:20 EST 2008
> > i686 i686 i386 GNU/Linux
> >
> > [root@gravel log]# rpm -qf /usr/bin/yelp
> > yelp-2.16.0-15.el5
> > [root@gravel log]# md5sum /usr/bin/yelp
> > ac0c2f17040cfd072e79b138056aa71e /usr/bin/yelp
> > [root@gravel etc]# rpm -qf --dump /usr/bin/yelp | grep /usr/bin/yelp
> > /usr/bin/yelp 227148 1180690916 150e154010e876475681c253f98b5be8 0100755
> > root root 0 0 0 X
> >
> > Which seems to be a third md5sum for the file based on the rpm.
> >
> > After removing and reinstalling the package...
> > [root@gravel log]# md5sum /usr/bin/yelp
> > 150e154010e876475681c253f98b5be8 /usr/bin/yelp
> > [root@gravel log]# rpm -qf /usr/bin/yelp
> > yelp-2.16.0-15.el5
> > [root@gravel log]#
> >
> > [root@gravel log]# rpm -qf --dump /usr/bin/yelp | grep /usr/bin/yelp
> > /usr/bin/yelp 227148 1180690916 150e154010e876475681c253f98b5be8 0100755
> > root root 0 0 0 X
> >
> > Oh and on a different machine.....
> >
> > [rskoog@linuxtest ~]$ md5sum /usr/bin/yelp
> > a4e4e21adb51e04959ad1f05f47268a2 /usr/bin/yelp
> > [rskoog@linuxtest ~]$ rpm -qf /usr/bin/yelp
> > yelp-2.16.0-15.el5
> > [rskoog@linuxtest ~]$ uname -a
> > Linux <scrubbed> 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49
> > EST 2008 i686 i686 i386 GNU/Linux
> > [rskoog@linuxtest ~]$ rpm -qf --dump /usr/bin/yelp | grep /usr/bin/yelp
> > /usr/bin/yelp 227148 1180690916 150e154010e876475681c253f98b5be8 0100755
> > root root 0 0 0 X
> >
> > after removing it and reinstalling though....
> > [rskoog@linuxtest ~]$ md5sum /usr/bin/yelp
> > 150e154010e876475681c253f98b5be8 /usr/bin/yelp
> >
> > Doing an rpm -V yelp though always returns no issues with the binaries
> > with different checksums.
> >
> > We also tried experimenting some with other files, for example:
> > [root@gravel log]# md5sum /usr/bin/perl
> > 9a9245039782813967a6706a45f623c6 /usr/bin/perl
> > [root@gravel log]# rpm -qf --dump /usr/bin/perl | grep /usr/bin/perl
> > /usr/bin/perl 11192 1194523209 e7640cdfec7a02f3d4b4c984fb20a304 0100755
> > root root 0 0 0 X
> >
> > Didn't have matching hashes either across machines even though the file
> > size was the same.
> >
> > I also asked others on different networks at random to do the same thing
> > with a random executable binary and they produced similar results.
> > Hashes that didn't match across machines or the rpm database.
> >
> > Is there a fundamental understanding I'm lacking of executable binaries
> > and file hashes? Is everything I'm looking at just owned :) (unlikely
> > we think) or do others see the same thing?
> >
> > The package in question was:
> > bash-3.1$ rpm -qi yelp
> > Name : yelp Relocations: (not relocatable)
> > Version : 2.16.0 Vendor: CentOS
> > Release : 15.el5 Build Date: Fri 01 Jun 2007
> > 05:41:56 AM EDT
> > Install Date: Thu 03 Apr 2008 09:56:44 AM EDT Build Host:
> > builder4.centos.org
> > Group : Applications/System Source RPM:
> > yelp-2.16.0-15.el5.src.rpm
> > Size : 2025109 License: GPL
> > Signature : DSA/SHA1, Sat 02 Jun 2007 05:30:31 AM EDT, Key ID
> > a8a447dce8562897
> > Summary : A system documentation reader from the Gnome project
> > Description :
> > Yelp is the Gnome 2 help/documentation browser. It is designed
> > to help you browse all the documentation on your system in
> > one central tool.
> > bash-3.1$
> >
> >
> > Thanks,
> > Rob Skoog
> >
> >
Spent way too much time figuring this out, but best guess at the moment
is that it has to do with binaries that are prelinked.
http://en.wikipedia.org/wiki/Prelinking
Supposedly it modifies the binary so it can start faster, but
consequently it would make the checksum change.
Doing a:
prelink -y --md5 /usr/bin/perl
gives the correct md5 hash shown in the signed rpms.
Regards,
Rob Skoog
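A small triage helper, added here as an example and not taken from Rob's posts or from OSSEC, that automates the comparison he walked through for one path: the on-disk md5 against the hash recorded in the RPM database, and on mismatch, the hash prelink reports for the un-prelinked content. It assumes rpm, md5sum and prelink are present on the host and that `prelink -y --md5` prints md5sum(1)-style output ("<hash>  <path>"); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Compare a file's md5 with the RPM
# database; if they differ, test whether the un-prelinked content matches.
# Assumes: rpm, md5sum, prelink on the host; prelink -y --md5 prints
# "<hash>  <path>" like md5sum(1).

# Pure helper: md5 is the 4th field of `rpm -qf --dump` for a given path.
rpm_dump_md5() {
    dump_text="$1"; path="$2"
    printf '%s\n' "$dump_text" | awk -v p="$path" '$1 == p { print $4; exit }'
}

# Pure helper: first field of md5sum-style output ("<hash>  <path>").
first_field() {
    printf '%s\n' "$1" | awk '{ print $1; exit }'
}

# Pure decision on three hashes: rpm database, on-disk, prelink-undone.
# Prints: ok (disk matches rpm), prelinked (only the un-prelinked content
# matches rpm), or MISMATCH (nothing matches, or path not owned by a package).
classify() {
    rpm_md5="$1"; disk_md5="$2"; unprelinked_md5="$3"
    if [ -n "$rpm_md5" ] && [ "$disk_md5" = "$rpm_md5" ]; then
        echo ok
    elif [ -n "$rpm_md5" ] && [ "$unprelinked_md5" = "$rpm_md5" ]; then
        echo prelinked
    else
        echo MISMATCH
    fi
}

# Live wrapper: run the real commands for one path (e.g. from a rule 550 alert).
check_path() {
    f="$1"
    dump=$(rpm -qf --dump "$f" 2>/dev/null) || true
    rpm_md5=$(rpm_dump_md5 "$dump" "$f")
    disk_md5=$(first_field "$(md5sum "$f")")
    un_md5=""
    if command -v prelink >/dev/null 2>&1; then
        un_md5=$(first_field "$(prelink -y --md5 "$f" 2>/dev/null)") || true
    fi
    printf '%s %s\n' "$f" "$(classify "$rpm_md5" "$disk_md5" "$un_md5")"
}

# Usage: check_path /usr/bin/yelp
```

A result of MISMATCH means neither the file on disk nor its un-prelinked content matches the package database, which is the case that still deserves a closer look rather than being written off as prelink noise.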
