User's Manual

Solaris 9 Security CX-310-301 40
Note that the checksums match, and the "1 match(es)" line indicates this too.
The interactive method is quite labor intensive if you want to check a larger number of files, so you can
download the Solaris Fingerprint companion and the sidekick utility from
http://wwws.sun.com/software/security/downloads.html
This method allows a number of MD5 signatures to be generated and automatically fed to the Solaris
Fingerprint database for comparison. Any file being checked whose signature does not match the Sun Microsystems
version has been modified or tampered with, and needs to be investigated.
Using File Listings
This is a very simple way of detecting whether additional, unexpected files have been installed on a system.
It involves storing a listing of specified directories, such as /usr/bin. It is not a serious deterrent
to an attacker, because the file list itself could be modified by the attacker if it is left on the same system.
This method will not always detect modifications to existing files or programs, but it will notice when new files
have been installed. It works by taking a listing of a directory, saving it to a text file, taking the same
listing again at some specified interval, and running diff against the two files to highlight any differences.
Using Checksums
Checksums are a more secure method of detecting rootkits or backdoors, but they are still relatively easy
for an attacker to overcome. This method works by listing the files in a file system and creating a checksum
for each file. The list needs to be written to a file so it can be compared with a future run to highlight any
differences. The main reason this method is insecure is that many rootkits available to attackers
also contain methods of installing Trojan files whilst maintaining the same access times and checksums,
thereby preventing their detection by this means. The following example shows the checksum output
produced for the file /usr/bin/su:
# sum /usr/bin/su
2341 44 /usr/bin/su
Using File Digests
Using a file digest mechanism is much more secure and gives a much higher degree of confidence about
whether your file system has been compromised. MD5 is a good example; it works by creating a
unique 'fingerprint' of a file. The following example shows the MD5 signature created from the file
/usr/bin/su:
# ./md5-sparc /usr/bin/su
MD5 (/usr/bin/su) = 2304d7ee650512ed3c61f74a2ceb76f1
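The three methods above (file listings, checksums and file digests) share one workflow: record a manifest, rerun the same command later, and diff the two. The script below is an added example, not part of the study guide or of Sun's tools. It takes all three baselines for a directory and then shows, on a constructed file tree, which method notices an added file and which notices a file whose contents were replaced while its size and modification time were preserved. It assumes POSIX tools plus GNU md5sum; on Solaris 9 the md5-sparc binary or "digest -a md5" would stand in for md5sum, and the local MD5 manifest plays the role the Solaris Fingerprint database plays in the text.

```shell
#!/bin/sh
# Added example, not from the study guide: baseline-and-compare for the
# file listing, checksum and digest methods. Assumes POSIX tools plus GNU
# md5sum (Solaris 9: md5-sparc or "digest -a md5"). The tree is constructed.

# Record three manifests of DIR into OUTDIR; later runs are diffed against them.
take_baseline() {
    dir=$1; out=$2
    mkdir -p "$out"
    # 1. Listing: names, sizes, permissions and mtimes (-A so dotfiles are
    #    included; the "total" line is dropped because it is not a file)
    (cd "$dir" && ls -lA | grep -v '^total ') > "$out/listing.txt"
    # 2. Checksums: POSIX cksum (CRC-32 plus byte count), the role sum(1) plays above
    (cd "$dir" && find . -type f | sort | xargs cksum) > "$out/cksum.txt"
    # 3. Digests: an MD5 manifest, the local stand-in for the fingerprint database
    (cd "$dir" && find . -type f | sort | xargs md5sum) > "$out/md5.txt"
}

# Each check exits 0 if DIR still matches its manifest, 1 (printing the diff) otherwise.
check_listing() { (cd "$1" && ls -lA | grep -v '^total ') | diff "$2/listing.txt" -; }
check_cksum()   { (cd "$1" && find . -type f | sort | xargs cksum)  | diff "$2/cksum.txt" -; }
check_md5()     { (cd "$1" && find . -type f | sort | xargs md5sum) | diff "$2/md5.txt" -; }

# Run a check quietly and print "changed" or "unchanged".
verdict() { if "$@" >/dev/null 2>&1; then printf 'unchanged'; else printf 'changed'; fi; }

# Build a constructed tree, take a baseline, apply one change, and report which
# methods noticed it. KIND is "newfile" or "samesize".
scenario() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original program\n' > "$work/bin/su"
    take_baseline "$work/bin" "$work/baseline"
    case $1 in
        newfile)   # an extra (dot)file appears: every manifest gains a line
            printf 'dropped tool\n' > "$work/bin/.hidden" ;;
        samesize)  # contents replaced, size (17 bytes) and mtime preserved
            printf 'trojaned program\n' > "$work/bin/su.new"
            touch -r "$work/bin/su" "$work/bin/su.new"
            mv "$work/bin/su.new" "$work/bin/su" ;;
    esac
    printf 'listing=%s cksum=%s md5=%s\n' \
        "$(verdict check_listing "$work/bin" "$work/baseline")" \
        "$(verdict check_cksum   "$work/bin" "$work/baseline")" \
        "$(verdict check_md5     "$work/bin" "$work/baseline")"
    rm -rf "$work"
}

scenario newfile    # listing=changed cksum=changed md5=changed
scenario samesize   # listing=unchanged cksum=changed md5=changed
```

The "samesize" case is the one the text warns about: a listing that records only names, sizes and times sees nothing, while both content checks report the change. The difference between the checksum and digest manifests does not show up here, because an ordinary edit changes both; it matters only against an attacker who deliberately crafts a replacement to keep the old checksum, which is why the text ranks digests higher. As with the listing, keep the manifests off the monitored host (or on read-only media), since a baseline stored alongside the files it guards can be rewritten together with them.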