23. Solaris Fingerprint Database

Sun Microsystems offers an MD5 fingerprint database at its sunsolve.sun.com site. It can be used to check the integrity of the utilities and libraries in a Solaris installation and answer the question: are these files trojanned? For reliable results, boot from clean media and mount the suspect filesystems as slave filesystems before taking checksums, so that no binary from the suspect system is executed.

The database can be used in two ways. The first is to enter MD5 values into the form on the web page, which checks them for you: obtain the MD5 checksum of the file by some means (e.g. with /opt/md5/md5-sparc) and submit it. Two examples follow. First, /usr/bin/netstat:

 41f06010aba241ea34e86a130fded6d4 -  - 2 match(es)

        * canonical-path: /usr/bin/netstat
        * package: SUNWcsu
        * version: 11.7.0,REV=1998.09.01.04.16
        * architecture: sparc
        * source: Solaris 7/SPARC 

        * canonical-path: /usr/bin/netstat
        * package: SUNWcsu
        * version: 11.7.0,REV=1998.10.06.00.59
        * architecture: sparc
        * source: Solaris 7/SPARC

Second, /bin/ps:

 120397cfdd451d448d3094042e7c473b -  - 1 match(es)

        * canonical-path: /usr/lib/isaexec
        * package: SUNWcsu
        * version: 11.7.0,REV=1998.10.06.00.59
        * architecture: sparc
        * source: Solaris 7/SPARC
        * patch: 106541-40

In the second case a generic answer is produced: the checksum of /bin/ps matches /usr/lib/isaexec, the wrapper shared by several commands, so that is the canonical path reported rather than /bin/ps. As long as some result of this type is returned, the file is genuine (see the SunSolve-provided FAQ for details).

The second way, intended for checking large numbers of files, is the complete MD5 list, which Sun makes available for download as a compressed tar file so that checksums can be compared locally.
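As an added illustration of checking a whole mounted filesystem against the downloaded list (this script is not from the original page or from Sun): it assumes the list has been unpacked into a text file of `digest canonical-path` lines, uses md5sum unless MD5CMD points at another tool such as /opt/md5/md5-sparc, and builds constructed sample files so that it runs offline.

```shell
#!/bin/sh
# Added example: bulk fingerprint check of a suspect tree against a local
# copy of the Sun MD5 list. The list format (one "digest canonical-path"
# per line) is an assumption made for this example, not Sun's documented
# layout; normalise the downloaded file into that shape first.
MD5CMD="${MD5CMD:-md5sum}"

# md5_of FILE: print only the digest. The first 32-hex-digit run in the
# tool's output is taken, which suits md5sum (digest printed first).
md5_of() {
    "$MD5CMD" "$1" | tr 'A-F' 'a-f' | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# check_tree LIST ROOT: hash every regular file under ROOT (the suspect
# filesystem mounted from a clean boot) and look the digest up in LIST.
# Prints "OK <digest> <path>" for a known digest and "UNKNOWN <digest> <path>"
# otherwise; UNKNOWN files are the ones to review by hand (a digest that is
# absent may be a patched or locally built binary, not only a trojan).
check_tree() {
    list=$1; root=$2
    find "$root" -type f | sort | while IFS= read -r f; do
        sum=$(md5_of "$f")
        if grep -q "^$sum " "$list"; then
            printf 'OK %s %s\n' "$sum" "$f"
        else
            printf 'UNKNOWN %s %s\n' "$sum" "$f"
        fi
    done
}

# demo_check: constructed sample data (not a real Solaris tree) so the
# example runs offline; the two list entries are the MD5 of "hello\n" and
# of an empty file, which the sample netstat and ps files reproduce.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin"
    printf 'hello\n' > "$tmp/root/usr/bin/netstat"
    : > "$tmp/root/usr/bin/ps"
    printf 'not in the list\n' > "$tmp/root/usr/bin/ls"
    cat > "$tmp/fingerprints.txt" <<'EOF'
b1946ac92492d2347c6235b4d2611184 /usr/bin/netstat
d41d8cd98f00b204e9800998ecf8427e /usr/lib/isaexec
EOF
    check_tree "$tmp/fingerprints.txt" "$tmp/root"
    rm -rf "$tmp"
}

demo_check
```

Against a real system, run `check_tree /path/to/fingerprints.txt /mnt/suspect` with the suspect filesystem mounted under /mnt/suspect; only the UNKNOWN lines need follow-up.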




About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple