Context Navigation

HOWTO-samhain+GnuPG.html@ 558

Last change on this file since 558 was 553, checked in by katerina, 6 years ago
Fix for ticket #443 (Incompatibility with older gpg versions).
File size: 11.9 KB

Rev	Line
[1]	1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
	2	<html>
	3	<head>
	4	<title>HOWTO samhain+GnuPG</title>
	5	<style type="text/css">
	6	<!--
	7
	8	html { background: #eee; color: #000; }
	9
	10	body { background: #eee; color: #000; margin: 0; padding: 0;}
	11
	12	div.body {
	13	background: #fff; color: #000;
	14	margin: 0 1em 0 1em; padding: 1em;
	15	font-family: serif;
	16	font-size: 1em; line-height: 1.2em;
	17	border-width: 0 1px 0 1px;
	18	border-style: solid;
	19	border-color: #aaa;
	20	}
	21
	22	div.block {
	23	background: #b6c5f2; color: #000;
	24	margin: 1em; padding: 0 1em 0 1em;
	25	border-width: 1px;
	26	border-style: solid;
	27	border-color: #2d4488;
	28	}
	29
	30	div.warnblock {
	31	background: #b6c5f2; color: #000;
	32	margin: 1em; padding: 0 1em 0 1em;
	33	border-width: 1px;
	34	border-style: solid;
	35	border-color: #FF9900;
	36	}
	37
	38	table {
	39	background: #F8F8F8; color: #000;
	40	margin: 1em;
	41	border-width: 0 0 0 1px;
	42	border-style: solid;
	43	border-color: #C0C0C0;
	44	}
	45
	46	td {
	47	border-width: 0 1px 1px 0;
	48	border-style: solid;
	49	border-color: #C0C0C0;
	50	}
	51
	52	th {
	53	background: #F8F8FF;
	54	border-width: 1px 1px 2px 0;
	55	border-style: solid;
	56	border-color: #C0C0C0;
	57	}
	58
	59
	60	/* body text, headings, and rules */
	61
	62	p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }
	63
	64	h1, h2, h3, h4, h5, h6 {
	65	color: #206020; background: transparent;
	66	font-family: Optima, Arial, Helvetica, sans-serif;
	67	font-weight: normal;
	68	}
	69
	70	h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
	71	h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
	72	h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
	73	h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
	74	h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
	75	h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }
	76
	77	hr {
	78	color: transparent; background: transparent;
	79	height: 0px; margin: 0.6em 0;
	80	border-width: 1px ;
	81	border-style: solid;
	82	border-color: #999;
	83	}
	84
	85	/* bulleted lists and definition lists */
	86
	87	ul { margin: 0 1em 0.6em 2em; padding: 0; }
	88	li { margin: 0.4em 0 0 0; }
	89
	90	dl { margin: 0.6em 1em 0.6em 2em; }
	91	dt { color: #285577; }
	92
	93	tt { color: #602020; }
	94
	95	/* links */
	96
	97	a.link {
	98	color: #33c; background: transparent;
	99	text-decoration: none;
	100	}
	101
	102	a:hover {
	103	color: #000; background: transparent;
	104	}
	105
	106	body > a {
	107	font-family: Optima, Arial, Helvetica, sans-serif;
	108	font-size: 0.81em;
	109	}
	110
	111	h1, h2, h3, h4, h5, h6 {
	112	color: #2d5588; background: transparent;
	113	font-family: Optima, Arial, Helvetica, sans-serif;
	114	font-weight: normal;
	115	}
	116
	117	-->
	118	</style></head>
	119
	120	<body>
	121	<div class="body">
	122	<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
	123	style="text-decoration: none;"
	124	href="http://www.la-samhna.de/samhain/">samhain file integrity
	125	scanner</a> \| <a style="text-decoration: none;"
	126	href="http://www.la-samhna.de/samhain/s_documentation.html">online
	127	documentation</a></p>
	128	<br><center>
	129	<h1>Using samhain with GnuPG</h1>
	130	</center>
	131	<br>
	132	<hr>
	133	<p>
	134	This document aims to explain how to use samhain with <b>signed configuration
	135	and database files</b> which are checked by invoking GnuPG.
	136	</p>
	137	<h2>Introduction</h2>
	138	<p>
	139	Samhain can be compiled to recognize PGP signatures on configuration and
	140	database files and to invoke GnuPG in order to check such signatures.
	141	(<b>Note:</b> while the application usually is referred to as <i>GnuPG</i>,
	142	the executable itself is called <i>gpg</i>).
	143	</p>
	144	<p>
	145	If samhain is compiled with this option, then
	146	</p>
	147
	148	<ol>
	149	<li>
	150	both the <i>configuration file</i>
	151	and the <i>file signature database</i> must be signed, and
	152	</li>
	153	<li>
	154	for both files the signatures must verify correctly,
	155	</li>
	156	<li>
	157	otherwise samhain will abort.
	158	</li>
	159	</ol>
	160
	161
	162	<h2>Prerequisites</h2>
	163	<ul>
	164	<li>
	165	<p>
	166	Obviously you need <i>gpg</i> (GnuPG), and you must
	167	have created a key pair with:
	168	</p><p>
	169	<tt>   gpg --gen-key</tt>
	170	</p><p>
	171	(it does not really matter which type of key, the defaults are ok).
	172	</p><p>
	173	GnuPG uses a public-key algorithm: the key pair consists of
	174	</p>
	175	<ul>
	176	<li>
	177	a <i>secret key</i> that is
	178	used for signing and stored in <b>~user/.gnupg/secring.gpg</b>, and
	179	</li><li>
	180	a <i>public key</i> used for verifying the signature, and stored in
	181	<b>~user/.gnupg/pubring.gpg</b>.
	182	</li>
	183	</ul>
	184	<p>
	185	The secret key obviously should be
	186	kept secret, while the public key can be published.
	187	</p>
	188	</li>
	189	<li>
	190	<p>
	191	You need to compile samhain with support for GnuPG:
	192	</p><p>
	193	<tt>   ./configure --with-gpg=/path/to/gpg [more options]</tt>
	194	</p><p>
	195	</li>
	196	</ul>
	197
	198	<p>
	199	<b>Note 1:</b> If compiled with support for GnuPG,
	200	the TIGER192 checksum of the gpg
	201	executable will be compiled into samhain, and the gpg executable will
	202	be checksummed (to verify its integrity) before invoking it. If you
	203	don't like this, you should add the <i>configure</i> option:
	204	</p><p>
	205	<tt>   --with-checksum=no</tt>
	206	</p>
	207	<div class="warnblock">
	208	<p>
	209	Compiling in the GnuPG checksum will tie the samhain executable to
	210	the gpg executable. If you upgrade GnuPG, you will need to re-compile
	211	samhain. If you don't like this, use <tt>'--with-checksum=no'</tt>.
	212	</p>
	213	</div>
	214	<p>
	215	<b>Note 2:</b> The mere fact that the signature
	216	is correct does not prove that it has been signed by <i>you</i> with
	217	<i>your</i> key - it just proves that it has been signed by <i>somebody</i>.
	218	Samhain can optionally check the <i>fingerprint</i> of the key that has been
	219	used to sign the files, to verify that <i>your</i> key has been used
	220	to sign the file(s). To enable this, use the <i>configure</i> option
	221	</p><p>
	222	<tt>   --with-fingerprint=FINGERPRINT</tt>
	223	</p><p>
	224	where FINGERPRINT is the hexadecimal fingerprint of the key as listed
	225	with
	226	</p><p>
	227	<tt>   gpg --fingerprint</tt>
	228	</p>
	229
	230	<h3>Example</h3>
	231
	232	<pre style="background-color:#DDDDDD; color:#000000">
	233
	234	rainer$ gpg --fingerprint rainer
	235	pub 1024D/0F571F6C 1999-10-31 Rainer Wichmann
	236	Key fingerprint = EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
	237	uid Rainer Wichmann
	238	sub 1024g/9DACAC30 1999-10-31
	239
	240	rainer$ which gpg
	241	/usr/bin/gpg
	242
	243	rainer$ ./configure --with-gpg=/usr/bin/gpg --with-fingerprint=EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C
	244
	245	</pre>
	246
	247	<h2>Signing the files</h2>
	248	<p>
	249	The <i>configuration file</i> and the
	250	<i>file signature database</i>
	251	(created by running <tt>samhain -t init</tt>) must be signed manually
	252	using the command:
	253	</p><p>
	254	<tt>   gpg -a --clearsign --not-dash-escaped /etc/samhainrc</tt><br/>
	255	<tt>   mv /etc/samhainrc.asc /etc/samhainrc</tt>
	256	</p><p>
	257	<i>Gpg</i> will create a <i>signed copy</i> of the file,
	258	named <i>file.asc</i>.
	259	You need to <b>rename</b> (<tt>cp/mv</tt>) this signed copy
	260	to the original filename.
	261	After signing the configuration file, you can initialize the database
	262	and sign it likewise.
	263	</p>
	264	<p>
	265	<b>Note 1:</b> The installation script will ask you to
	266	sign the <i>configuration file</i> upon installation.
	267	</p><p>
	268	<b>Note 2:</b> The <i>gpg</i> option <tt>--not-dash-escaped</tt>
	269	does not harm if used with the
	270	<i>configuration file</i>, but is only required for the
	271	<i>file signature database</i>.
	272	</p>
	273
	274	<h3>TIP</h3>
	275	<p>
	276	In the subdirectory <tt>scripts/</tt> of the source directory you will find
	277	a Perl script <b>samhainadmin.pl</b> to facilitate some
	278	tasks related to the administration of signed configuration and
	279	database files (e.g. examine/create/remove signatures).
	280	Use with <i>--help</i> to get usage
	281	information.
	282	</p>
	283
	284	<h3>CAVEAT</h3>
	285	<p>
	286	When signing, the option <i>--not-dash-escaped</i> is
	287	recommended, because otherwise the database might get corrupted.
	288	However, this implies that after a database update,
	289	you <i>must</i> remove the old signature first, before
	290	re-signing the database. Without 'dash escaping',
	291	gpg will not properly handle the old signature.
	292	See the tip just above.
	293	</p>
	294
	295	<h3>Example</h3>
	296
	297	<pre style="background-color:#DDDDDD; color:#000000">
	298
	299	root# gpg -a --clearsign --not-dash-escaped /etc/samhainrc
	300
	301	You need a passphrase to unlock the secret key for
	302	user: "Rainer Wichmann"
	303	1024-bit DSA key, ID 0F571F6C, created 1999-10-31
	304
	305	root# mv /etc/samhainrc.asc /etc/samhainrc
	306	root# samhain -t init
	307	root# gpg -a --clearsign --not-dash-escaped /var/lib/samhain/samhain_file
	308
	309	You need a passphrase to unlock the secret key for
	310	user: "Rainer Wichmann"
	311	1024-bit DSA key, ID 0F571F6C, created 1999-10-31
	312
	313	root# mv /var/lib/samhain/samhain_file.asc /var/lib/samhain/samhain_file
	314	root# samhain -D -t check
	315
	316	</pre>
	317
	318	<h2>Make samhain verify the signature</h2>
	319	<p>
	320	This is the part where some people run into problems. The point is,
	321	when <i>gpg</i> is invoked by samhain, it must <i>find the public key</i>
	322	needed for verification. <i>Gpg</i> expects public keys in a file
	323	located at <b>~user/.gnupg/pubring.gpg</b> where <b>~user</b>
	324	is the home directory of the user as that <i>gpg</i> is running.
	325	</p><p>
	326	It is therefore <i>crucial</i> to include the public key corresponding
	327	to te secret key used for signing into the correct <b>pubring.gpg</b>
	328	file (this file can hold many public keys, e.g. of people sending you
	329	emails signed by them).
	330	</p><p>
[553]	331	So which is the correct file? Here we have to consider two separate
[1]	332	cases:
	333	</p>
	334	<ol>
	335	<li>The client (or standalone) samhain daemon runs with UID 0 (i.e. root),
	336	thus the public key must be in <b>~root/.gnupg/pubring.gpg</b>
	337	</li>
	338	<li>
	339	The server (yule) <i>always</i> drops root privileges (if started with), and
	340	runs as a <i>non-root user</i>. The username to use is compiled in,
	341	either with the <i>configure</i> option <tt>--enable-identity=USER</tt>,
	342	or by default as determined by <i>configure</i> (the first existing user
	343	out of the list <i>yule, daemon, nobody</i>). Thus, the public key
	344	must be in <b>~root/.gnupg/pubring.gpg</b> (for startup) <i>and</i>
	345	in <b>~non_root_user/.gnupg/pubring.gpg</b> (for reload with SIGHUP).
	346	</li>
	347	</ol>
	348	<p>
	349	To import a public key into the public
	350	keyring (pubring.gpg) of another user, you can do:
	351	</p><p>
	352	<tt>   gpg --export KEY-ID > filename</tt><br>
	353	<tt>   su another_user</tt><br>
	354	<tt>   gpg --import filename</tt>
	355	</p>
	356	<p>
	357	<b>Note:</b> samhain will invoke <i>gpg</i> with the options:
	358	</p><p>
	359	<tt>   --status-fd 1 --verify --homedir /homedir/.gnupg --no-tty -</tt>
	360	</p><p>
	361	and pipe the configuration/database file into <i>gpg</i>, similar to:
	362	</p><p>
	363	<tt>cat filename \| /usr/bin/gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -</tt>
	364	</p><p>
	365	(of course samhain does not invoke cat, or the shell; the example above
	366	just shows how to do the same from the shell command prompt).
	367	</p>
	368
	369	<h3>Example for signature check</h3>
	370	<p>
	371	If you want to check the signature the same way samhain does, it should look
	372	like (note the GOODSIG and VALIDSIG keywords in the output):
	373	</p>
	374	<pre style="background-color:#DDDDDD; color:#000000">
	375
	376	root# cat /etc/samhainrc \| gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -
	377	gpg: Signature made Sat Mar 15 16:08:21 2003 CET using DSA key ID 0F571F6C
	378	[GNUPG:] SIG_ID 9hQvRhgjWLqyFzVOHi2b0uDmBFo 2003-03-15 1047740901
	379	[GNUPG:] GOODSIG 1AAD26C80F571F6C Rainer Wichmann
	380	gpg: Good signature from "Rainer Wichmann"
	381	gpg: aka "Rainer Wichmann"
	382	[GNUPG:] VALIDSIG EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C 2003-03-15 1047740901
	383	[GNUPG:] TRUST_ULTIMATE
	384
	385	</pre>
	386
	387	<h2>Troubleshooting</h2>
	388	<p>
	389	First and foremost, run samhain (or yule) from the command line, in non-daemon
	390	mode, and with the command-line option <tt>-p debug</tt> for debug-level
	391	output. This will print
	392	descriptive information on setup errors and/or relevant output from
	393	the GnuPG subprocess.
	394	</p>
	395	<p>
	396	Output from the GnuPG subprocess is marked by <b>[GNUPG:]</b>, and
	397	may show the following errors:
	398	</p>
	399
	400	<ul>
	401	<li><b>ERRSIG</b> and/or <b>NO_PUBKEY</b> indicates that gpg did not find
	402	the public key to verify the signature. You should import that key
	403	into the keyrings of root and (for yule additionaly) the yule user.
	404	</li>
	405	<li><b>BADSIG</b> indicates that the public key was found by gpg, but
	406	the signature is invalid. Either the file has been modified after
	407	signing, or a previous signature has not been removed.
	408	</li>
	409	<li><b>NODATA</b> indicates that there is no signed data, i.e. the
	410	configuration or database file is not signed at all.
	411	</li>
	412	</ul>
	413	</div>
	414	</body>
	415	</html>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/docs/HOWTO-samhain+GnuPG.html@ 558

Download in other formats: