On Saturday, April 6, 2019 3:30 PM, Marc Espie <[email protected]> wrote:

> On Sun, Mar 31, 2019 at 03:24:58PM +0000, Cord wrote:
>
> > Hi,
> > I'd like to run pkg_check but from a live usb stick. This because I want to 
> > run a trusted kernel.
> > Maybe I just need to mount the root, mount the other slices and chroot 
> > /bin/ksh ?
> > Also¹, is there a way to download all the installed pkg and check the signs 
> > from them ?
> > Also², how can I check the kernel integrity ?
> > thank you.
>
> What you're asking for is highly underspecified.
>

I'll try to explain what I want to do. If I have a kernel rootkit there could be 
some hidden file or the kernel rootkit module itself or some altered binary.
Then I want to boot from a usb stick with installed openbsd that should be 
clean and trusted. Then work with this kernel on the "maybe infected openbsd 
installation" but in a chroot environment. I mean from inside the infected 
system but with the kernel of the live trusted usb stick. Then the first job to 
do is run pkg_check to check the integrity of the installed packages, with 
sha256 hash. pkg_check can also show me the extraneous files with the flag -F. 
Anyway the hashes of all the files that come with the package could be altered 
or missing, then I'd like to download all the installed packages and extract the 
original and trusted hashes. Then check again the "maybe infected system" to 
verify the integrity from what is installed and what should be installed.
After that I want to make some other checks. Something like aide or other hids but 
in a more basic way:
find / -type f -exec sha256 '{}' ';' >> mysystem.sha256
from three different points of view:
- from the runtime system
- from the live usb stick
- from the live usb stick in a chroot environment
then check the differences between the three snapshots.
Anyway the problem is the kernel. I mean the bare kernel file could not be the 
original; it could be patched and all my previous checks could not show anything. 
And because of the relinking of the kernel I cannot just download an original 
kernel and check the differences with the installed one. Then I ask how can I 
check that the installed kernel is trusted ?

> You would have to explain your trust model in detail, and what you intend
> to store away for later checking.
>
> A "trusted kernel" won't protect you from a fishy userland in any way...

By fishy do you mean generic userland malware or anything more specific ?

Thank you, Cord
