[Semibug] Problem with mtree
Jonathan Drews
jondrews at fastmail.com
Thu Apr 27 20:39:34 EDT 2023
On Thu, Apr 27, 2023 at 11:59:33PM +0200, Aaron Lopez wrote:
> Hi Jonathan,
>
> did you get this working in the end? It seems very interesting so it would
> be nice to know if you did progress with mtree. I would like to try it out
> sooner or later. I originally read about it at
> https://docs.freebsd.org/en/books/handbook/security/#security-ids but never
> got to try it out. I just happened to come across this other link as well:
> https://calomel.org/ids_mtree.html in which the author wrote a small shell
> script to implement a small IDS with mtree.
>
I did get this working. I did su -l to gain root access from a normal
account and issued the command:
# mtree -cK sha256digest > /root/root24Apr2023.mtree
and it recorded normally. I then stored root24Apr2023.mtree on a
backup hard drive.
Here are the differences between mtree -cK sha256digest and mtree -ck
sha256digest. The lowercase k switch only lists the sha256digest, like so:
$ mtree -ck sha256digest > mtreeTest.mtree
# user: cleetus
# machine: Leo.my.domain
# tree: /home/cleetus/bin/scripts/KornShellTutorial/chp6
# date: Thu Apr 27 18:10:54 2023
# .
/set type=file
. type=dir
ContinueTest.ksh \
sha256digest=d2505f2c3b8a13a8338b1a8389d8fbf13d86e4a096dc9973596738648be67f44
However, the capital K switch lists the file information too:
$ mtree -cK sha256digest > mtreeTest.mtree
# user: cleetus
# machine: Leo.my.domain
# tree: /home/cleetus/bin/scripts/KornShellTutorial/chp6
# date: Thu Apr 27 18:12:25 2023
# .
/set type=file uid=1000 gid=1000 mode=0750 nlink=1
. type=dir nlink=2 time=1682640506.504620205
Do you see the UID, GID and permissions?
According to Spafford and Garfinkel you need to record a check to see
that the contents of the file are not changed (the sha256digest) but
also the metadata (the file permissions and UID/GID).
See man -s 8 mtree in OpenBSD's man pages. The book "Practical Unix &
Internet Security, 3rd Edition" by Simson Garfinkel and Gene
Spafford has a good introduction to intrusion detection methods in
chapter 21. Also take a look at the OpenBSD man page on security (man
-s 8 security).
I hope to get Peter N. Hansteen to give a talk in June. I should write
him and ask him to do a presentation on OpenBSD security as the topic.
--
Kind regards,
Jonathan
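The point of the -cK versus -ck comparison above is that a baseline should let you detect both content changes (the sha256digest) and metadata changes (uid, gid, mode). The following is an added example, not code from the post or from OpenBSD: a small Python reader for the spec format that mtree -cK sha256digest writes (comment lines, /set defaults, backslash continuations, directory entries closed by "..") and a comparison of two specs that reports the two kinds of change separately. The two spec texts are constructed to look like the post's output; every digest except the one quoted in the post is made up, and the file names other than ContinueTest.ksh and chp6 are invented for the example.

```python
"""Reader and comparer for mtree(8) specification files (added example)."""

# Keywords compared between baseline and current spec, in reporting order.
WATCHED = ("sha256digest", "uid", "gid", "mode", "type")


def _logical_lines(text):
    """Yield non-comment lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # mtree wraps long entries with "\"
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending.strip()


def parse_spec(text):
    """Return {relative_path: {keyword: value}} for each entry in the spec.

    Paths are relative to the tree root ".". Names are taken verbatim, so
    vis(3)-encoded characters in unusual file names are left encoded.
    """
    defaults, stack, entries = {}, [], {}
    for line in _logical_lines(text):
        head, *kvs = line.split()
        if head == "/set":                 # defaults for the entries that follow
            defaults.update(kv.partition("=")[::2] for kv in kvs)
            continue
        if head == "/unset":
            for key in kvs:
                defaults.pop(key, None)
            continue
        if head == "..":                   # end of the current directory's children
            if stack:
                stack.pop()
            continue
        attrs = dict(defaults)
        attrs.update(kv.partition("=")[::2] for kv in kvs)
        path = "/".join([p for p in stack if p != "."] + [head])
        entries[path] = attrs
        if attrs.get("type") == "dir":     # children follow until the matching ".."
            stack.append(head)
    return entries


def compare(baseline, current, keys=WATCHED):
    """Diff two parsed specs; return sorted (path, event, key, old, new) tuples."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing", None, None, None))
        elif path not in baseline:
            findings.append((path, "extra", None, None, None))
        else:
            old, new = baseline[path], current[path]
            for k in keys:
                if old.get(k) != new.get(k):
                    findings.append((path, "changed", k, old.get(k), new.get(k)))
    return findings


def describe(finding):
    """One human-readable line per finding, naming content vs. metadata changes."""
    path, event, key, old, new = finding
    if event == "changed":
        what = "content" if key == "sha256digest" else "metadata"
        return f"{path}: {what} changed, {key} {old} -> {new}"
    return f"{path}: {event}"


# Constructed baseline, shaped like the post's `mtree -cK sha256digest` output.
BASELINE = """\
# user: cleetus
# machine: Leo.my.domain
# tree: /home/cleetus/bin/scripts
# date: Thu Apr 27 18:12:25 2023

# .
/set type=file uid=1000 gid=1000 mode=0750 nlink=1
.               type=dir nlink=3
    ContinueTest.ksh \\
        sha256digest=d2505f2c3b8a13a8338b1a8389d8fbf13d86e4a096dc9973596738648be67f44
    notes.txt       mode=0640 \\
        sha256digest=1111111111111111111111111111111111111111111111111111111111111111
    chp6            type=dir nlink=2
        loop.ksh \\
            sha256digest=2222222222222222222222222222222222222222222222222222222222222222
    ..
..
"""

# Constructed later run: one script rewritten, notes.txt chowned/chmodded,
# loop.ksh gone, and an extra file that was not in the baseline.
LATER = """\
# .
/set type=file uid=1000 gid=1000 mode=0750 nlink=1
.               type=dir nlink=3
    ContinueTest.ksh \\
        sha256digest=3333333333333333333333333333333333333333333333333333333333333333
    notes.txt       uid=0 mode=0777 \\
        sha256digest=1111111111111111111111111111111111111111111111111111111111111111
    extra.ksh \\
        sha256digest=4444444444444444444444444444444444444444444444444444444444444444
    chp6            type=dir nlink=2
    ..
..
"""

if __name__ == "__main__":
    for finding in compare(parse_spec(BASELINE), parse_spec(LATER)):
        print(describe(finding))
```

With a spec made by -ck instead of -cK the uid, gid and mode keywords are simply absent, so the comparison above can only ever report content changes; that is the difference the post is pointing at. In day-to-day use mtree does this comparison itself (mtree -f spec -p path, with the spec kept on offline media as described above); the reader here is only to make the format and the two categories of change visible.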