Score: 4

In information security, integrity means that data cannot be modified undetectably.

This answer raised my interest; of course, I want to guarantee the integrity of my OS, outlined here. Suppose a security camera project where you store every photo to a folder. I used the fswebcam program, crontab and some bash scripts to shoot photos automatically. I did it for a second-hand store on a very low budget, re-used old laptops and old cameras, and with limitations such as no internet connection. I am unsure whether the OS, obsd, offers some extra features not in use which I could use, perhaps some sort of paranoia mode. Basically, each comp had a clearly predefined schedule: take a photo (execute a script, ...), save it to a file, ... -- if anything is different, alarm. I don't know whether there is any way to freeze the rest of the OS in a way that it is totally unusable for other services. Some of the laptops could be shooters while one laptop could be a receiver or core data center.

  • How can you do it with obsd laptops that can work in concert?
  • How could you guarantee the integrity of the OS so that no picture can be removed, or if removed it will leave traces?
  • In which mode would you put the shooter and receiver obsds? Are they in different modes and why?

Related but not the same

  1. favourite integrity monitoring software?
  2. Verifying server software integrity?
  • You might consider asking at Security Stack Exchange. I don't know of anything off-the-shelf except perhaps on Solaris if you have a TPM. (Purely software solutions are possible too. I'm too tired to write a cogent answer right now.) – Gilles 'SO- stop being evil' Mar 24 '11 at 00:43
  • You can start by trying tools like Tripwire that use checksums and their own "database" for checking if specific system files have been modified. – sakisk Mar 24 '11 at 08:28
  • Security.stackexchange.com could be better location for this. – Rory Alsop Mar 24 '11 at 12:23
  • @hhh this is too generic. Please word your question to be less generic. This is Unix/Linux not SuperUser, ServerFault, or Security. I notice you've tagged this openbsd, is this question about guaranteeing the integrity of OpenBSD? which would definitely be on-topic. – xenoterracide Mar 24 '11 at 12:26
  • @xeno It used to say "My preference is OpenBSD, but I am interested in general about the integrity of OSs as well.", but he deleted it for some reason – Michael Mrozek Mar 24 '11 at 14:14
  • @xenoterracide: @Michael Mrozek: @Rory Alsop: the focus is very narrow, only on obsd. Initially, I thought it would be ok to compare/contrast to other OSs but the danger is getting too broad answers. I deliberately deleted any misleading statements because I don't want bloated answers, they must be more specific. –  Mar 24 '11 at 15:52
  • @hhh to avoid generic and overly broad answers I would suggest modifying your question to clarify just in openbsd – xenoterracide Mar 24 '11 at 23:36
  • Related to this here about moving backend logic to userspace, extremely stupid idea without proper precautions. –  Jun 18 '12 at 09:26

4 Answers

Score: 3

Unless you can block unauthorized access to the OS and hardware, I don't see how anyone could guarantee the integrity of any system without using only Write-Once storage.

– MattBianco
  • @MattBianco: +1 good point, there is an illusion of security or not at all without physical security but ... this is getting too broad, could you tell how related to obsd? –  Mar 24 '11 at 15:50
  • @hhh: Afraid not :-( The only thing I know about security is that I know too little to claim that I can design something that is secure. At best I can make things "more secure". Have you asked at http://security.stackexchange.com/ ? – MattBianco Mar 25 '11 at 08:33
Score: 3

If you don't need physical security, and even for a subset of physical attackers, it seems to me OpenBSD could do it unless there is a perfect storm of bugs and poorly chosen world-accessible services that can allow running arbitrary code in kernel mode.

Read up on chflags(1). They allow keeping even root from modifying or deleting files. Basically setting sappnd to your photo directory and moving securelevel(7) to 2 would do the job. You should secure everything else (with special care for partitions not marked as noexec and nodev and rc scripts) as well, but even if you messed up, the system has to be rebooted in order to remove the flags from existing photographs.

Combined with something like this, it'd be hard not to notice someone is attempting to tamper with your photos.

The snapshot taking machines could be locked further as they don't even need to write to disk (other than system logs).
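An added example, not code from the answer above or from OpenBSD itself, showing what the chflags(1) plus securelevel(7) lock looks like when applied and then audited from a script. It assumes hypothetical paths (/var/camera/photos for the pictures, /usr/local/bin/shoot.sh for the capture script); os.chflags and st_flags exist only on BSD-family hosts, so on other systems only the audit logic runs, with the flag values injected.

```python
import os
import stat
import subprocess

# Hypothetical layout for the demo: pictures land in the first path,
# the cron-driven capture script lives at the second.
POLICY = {
    "/var/camera/photos": stat.SF_APPEND,          # "sappnd": files may be added, never removed or rewritten
    "/usr/local/bin/shoot.sh": stat.SF_IMMUTABLE,  # "schg": the capture script cannot be changed
}

# The answer recommends kern.securelevel 2; from level 1 upward the kernel
# refuses to clear system flags, so root would need a reboot (which leaves traces).
REQUIRED_SECURELEVEL = 2


def current_securelevel(run=subprocess.run):
    """Read kern.securelevel via sysctl(8); `run` is injectable for tests."""
    out = run(["sysctl", "-n", "kern.securelevel"],
              capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def apply_policy(policy=POLICY):
    """Set the system flags. Only BSD-family hosts have os.chflags; run this
    once after installation, before raising the securelevel."""
    chflags = getattr(os, "chflags", None)
    if chflags is None:
        raise OSError("os.chflags is unavailable on this platform (BSD-only call)")
    for path, flags in policy.items():
        chflags(path, flags)


def flags_of(path):
    """st_flags is the BSD file-flags word that chflags(1) manipulates."""
    return os.stat(path).st_flags


def audit(policy, securelevel, required=REQUIRED_SECURELEVEL, flags_of=flags_of):
    """Return findings (strings); an empty list means the lock is intact.
    `flags_of` is injectable so the check can be unit-tested anywhere."""
    findings = []
    if securelevel < required:
        findings.append(f"kern.securelevel is {securelevel}, expected >= {required}")
    for path, wanted in policy.items():
        have = flags_of(path)
        if have & wanted != wanted:
            findings.append(f"{path}: expected flags 0x{wanted:x}, have 0x{have:x}")
    return findings


if __name__ == "__main__":
    for line in audit(POLICY, current_securelevel()) or ["lock intact"]:
        print(line)
```

Running the audit from cron on the receiver gives the "if anything is different, alarm" behaviour the question asks for: a securelevel below 2 or a missing flag means the machine was rebooted and reconfigured, which is exactly the trace the answer says tampering must leave.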

Score: 1

Just an off-the-side idea for your particular example and to keep things simple: you could send off-site a hash of every picture (if you cannot afford the whole picture).

Make sure that the off-site service has "add" capability only (and read of course), i.e. that the source system cannot remove existing records.

Lastly have a trip-wire style off-site script to compare the source server with the off-site hash history.

Not sure this answers your question, but to me there is no easy way to absolutely guarantee one system's integrity without having recourse to the outside world (third-party). Even then it cannot be a 100% guarantee ever, but at least you are significantly reducing the risks of all systems being compromised.

– asoundmove
  • You can have integrity guarantees from a self-contained system. One method is to use tamper-proof hardware (in practice, tamper-resistant hardware, e.g. a TPM). Another method is to have the OS check its own integrity and authenticate itself to you. It's possible in principle but I don't know what implementations exist. – Gilles 'SO- stop being evil' Mar 24 '11 at 00:47
  • @Gilles, Sure but you almost must go into military grade stuff for that. Few, if any, general purpose platforms would be suitably built (at a reasonable cost) with the type of integrity the OP seems to want. Even banks aren't that secure. Where I work we have full disk encryption, strong password failure handling policies, password change policies and no admin control over our computers, so I guess it would not take too much to provide meaningful integrity checks, but this is not your run of the mill configuration. – asoundmove Mar 24 '11 at 01:17
  • Many PCs have TPMs now. Zfs has integrity checking features (IIRC only CRCs in the default configuration, for performance, but you can change that to cryptographic integrity checks). That leaves authentication, which isn't high-tech, just needs to be done right. – Gilles 'SO- stop being evil' Mar 24 '11 at 08:20
  • this is a good idea but the project had one limitation: the network connection was very unreliable or non-existent. I am unsure how I should try to achieve OS integrity in such environment, perhaps the WORMs are the way to go. –  Mar 24 '11 at 16:20
  • @hhh, I know nothing about WORMs so I can't advise. But isn't the simplest write-once read-many system simply called a writeable CD-ROM or DVD-ROM? The problem you have to deal with then is the physical protection of the media, plus know the tricks to read sessions when a new session overrides a previous one (it is quite easy with basic cd/dvd reader tools). Sure capacity is not huge, but cost is tiny. – asoundmove Mar 25 '11 at 02:40
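An added example (not the answer's own code) implementing the design the answer above describes: every picture's hash is appended to a chained log, so each record commits to everything recorded before it; verify_log detects a truncated or edited log, and compare is the tripwire-style diff of the photo folder against the log. Function names and the constructed sample files are this example's own. Shipping the log, or just the latest entry hash, to an add-only off-site store is what makes the chain trustworthy: an attacker who controls the source box can recompute the chain locally, but not what was already recorded elsewhere, and the latest hash is small enough to leave the box over an unreliable link.

```python
import hashlib
import os
import tempfile

GENESIS = "0" * 64  # chain head before the first record


def sha256_file(path):
    """Hash a file in chunks so large pictures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def append_record(log, name, digest):
    """Append 'name digest entry' where entry = sha256(prev_entry name digest).
    Returns the new chain head, the value worth sending off-site."""
    prev = log[-1].split()[2] if log else GENESIS
    entry = hashlib.sha256(f"{prev} {name} {digest}".encode()).hexdigest()
    log.append(f"{name} {digest} {entry}")
    return entry


def verify_log(log):
    """Recompute the chain; return the index of the first broken record, else None."""
    prev = GENESIS
    for i, line in enumerate(log):
        name, digest, entry = line.split()
        if hashlib.sha256(f"{prev} {name} {digest}".encode()).hexdigest() != entry:
            return i
        prev = entry
    return None


def compare(photo_dir, log):
    """Tripwire-style check of the folder against the log: what vanished,
    what changed, and what appeared without being logged."""
    logged = {line.split()[0]: line.split()[1] for line in log}
    present = {n: sha256_file(os.path.join(photo_dir, n)) for n in os.listdir(photo_dir)}
    return {
        "missing": sorted(n for n in logged if n not in present),
        "modified": sorted(n for n in logged if n in present and present[n] != logged[n]),
        "unlogged": sorted(n for n in present if n not in logged),
    }


def demo():
    """Constructed scenario: three pictures are logged, then one is deleted and
    one overwritten on the source box, and one log record is dropped."""
    with tempfile.TemporaryDirectory() as d:
        log = []
        for i in range(3):
            path = os.path.join(d, f"img{i}.jpg")
            with open(path, "wb") as f:
                f.write(b"constructed picture bytes %d" % i)
            append_record(log, f"img{i}.jpg", sha256_file(path))
        os.remove(os.path.join(d, "img1.jpg"))
        with open(os.path.join(d, "img2.jpg"), "wb") as f:
            f.write(b"tampered")
        report = compare(d, log)
    truncated = log[:1] + log[2:]  # attacker drops the record for img1.jpg
    return report, verify_log(log), verify_log(truncated)


if __name__ == "__main__":
    print(demo())
```

The off-site comparison the answer describes is then compare() run against the copy of the log held by the add-only service, plus a check that the chain head the source last reported matches the last entry in that copy.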
Score: 1

You don't necessarily need OS level integrity for the application you describe - you could just use a Write Once Read Many drive (WORM) which physically will not allow any file to be deleted/overwritten.

Alternately, you can buy machines with TPM for not too much money (still more than buying a WORM drive)

Or use tripwire in conjunction with a chrooted environment.

– Rory Alsop
  • good point, perhaps my goal about "OS integrity" is a pipe-dream, not sure yet -- let's see if someone knows more about the topic. –  Mar 24 '11 at 15:58
  • @hhh - you misunderstand. It is straightforward and you can buy hardware and software to do this off the shelf. My question was around whether that was the most appropriate approach for what you are doing. – Rory Alsop Mar 24 '11 at 18:23
  • yes it sounds very promising but I want to use obsd and is it really 4k USD for 7GB (found used WORM drive in eBay)? If I can recall right, even with low picture density (about 1 photo per 3-15 second) and with small-bit-size pictures, 7 GB won't last that long, becoming uneconomical. I feel setting up an outside server and securing the internet connection would become much cheaper with tripwire or some hash matching. Or is there some cheap large-sized WORM disks available? Have to investigate the TPM option, you mean this: http://en.wikipedia.org/wiki/Trusted_Platform_Module? –  Mar 24 '11 at 19:03