<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>HOWTO samhain+GnuPG</title>
<style type="text/css">
<!--

html { background: #eee; color: #000; }

body { background: #eee; color: #000; margin: 0; padding: 0;}

div.body {
background: #fff; color: #000;
margin: 0 1em 0 1em; padding: 1em;
font-family: serif;
font-size: 1em; line-height: 1.2em;
border-width: 0 1px 0 1px;
border-style: solid;
border-color: #aaa;
}

div.block {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #2d4488;
}

div.warnblock {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #FF9900;
}

table {
background: #F8F8F8; color: #000;
margin: 1em;
border-width: 0 0 0 1px;
border-style: solid;
border-color: #C0C0C0;
}

td {
border-width: 0 1px 1px 0;
border-style: solid;
border-color: #C0C0C0;
}

th {
background: #F8F8FF;
border-width: 1px 1px 2px 0;
border-style: solid;
border-color: #C0C0C0;
}


/* body text, headings, and rules */

p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }

h1, h2, h3, h4, h5, h6 {
color: #206020; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }

hr {
color: transparent; background: transparent;
height: 0px; margin: 0.6em 0;
border-width: 1px ;
border-style: solid;
border-color: #999;
}

/* bulleted lists and definition lists */

ul { margin: 0 1em 0.6em 2em; padding: 0; }
li { margin: 0.4em 0 0 0; }

dl { margin: 0.6em 1em 0.6em 2em; }
dt { color: #285577; }

tt { color: #602020; }

/* links */

a.link {
color: #33c; background: transparent;
text-decoration: none;
}

a:hover {
color: #000; background: transparent;
}

body > a {
font-family: Optima, Arial, Helvetica, sans-serif;
font-size: 0.81em;
}

h1, h2, h3, h4, h5, h6 {
color: #2d5588; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

-->
</style></head>

<body>
<div class="body">
<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/">samhain file integrity
scanner</a> | <a style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/s_documentation.html">online
documentation</a></p>
<br><center>
<h1>Using samhain with GnuPG</h1>
</center>
<br>
<hr>
<p>
This document aims to explain how to use samhain with <b>signed configuration
and database files</b> which are checked by invoking GnuPG.
</p>
<h2>Introduction</h2>
<p>
Samhain can be compiled to recognize PGP signatures on configuration and
database files and to invoke GnuPG in order to check such signatures.
(<b>Note:</b> while the application usually is referred to as <i>GnuPG</i>,
the executable itself is called <i>gpg</i>).
</p>
<p>
If samhain is compiled with this option, then
</p>

<ol>
<li>
both the <i>configuration file</i>
and the <i>file signature database</i> must be signed, and
</li>
<li>
for both files the signatures must verify correctly,
</li>
<li>
otherwise samhain will abort.
</li>
</ol>


<h2>Prerequisites</h2>
<ul>
<li>
<p>
Obviously you need <i>gpg</i> (GnuPG), and you must
have created a key pair with:
</p><p>
<tt> gpg --gen-key</tt>
</p><p>
(it does not really matter which type of key, the defaults are ok).
</p><p>
GnuPG uses a public-key algorithm: the key pair consists of
</p>
<ul>
<li>
a <i>secret key</i> that is
used for signing and stored in <b>~user/.gnupg/secring.gpg</b>, and
</li><li>
a <i>public key</i> used for verifying the signature, and stored in
<b>~user/.gnupg/pubring.gpg</b>.
</li>
</ul>
<p>
The secret key obviously should be
kept secret, while the public key can be published.
</p>
</li>
<li>
<p>
You need to compile samhain with support for GnuPG:
</p><p>
<tt> ./configure --with-gpg=/path/to/gpg [more options]</tt>
</p>
</li>
</ul>

<p>
<b>Note 1:</b> If compiled with support for GnuPG,
the TIGER192 checksum of the gpg
executable will be compiled into samhain, and the gpg executable will
be checksummed (to verify its integrity) before invoking it. If you
don't like this, you should add the <i>configure</i> option:
</p><p>
<tt> --with-checksum=no</tt>
</p>
<div class="warnblock">
<p>
Compiling in the GnuPG checksum will tie the samhain executable to
the gpg executable. If you upgrade GnuPG, you will need to re-compile
samhain. If you don't like this, use <tt>'--with-checksum=no'</tt>.
</p>
</div>
<p>
<b>Note 2:</b> The mere fact that the signature
is correct does not prove that it has been signed by <i>you</i> with
<i>your</i> key - it just proves that it has been signed by <i>somebody</i>.
Samhain can optionally check the <i>fingerprint</i> of the key that has been
used to sign the files, to verify that <i>your</i> key has been used
to sign the file(s). To enable this, use the <i>configure</i> option
</p><p>
<tt> --with-fingerprint=FINGERPRINT</tt>
</p><p>
where FINGERPRINT is the hexadecimal fingerprint of the key as listed
with
</p><p>
<tt> gpg --fingerprint</tt>
</p>

<h3>Example</h3>

<pre style="background-color:#DDDDDD; color:#000000">

rainer$ gpg --fingerprint rainer
pub 1024D/0F571F6C 1999-10-31 Rainer Wichmann
Key fingerprint = EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
uid Rainer Wichmann
sub 1024g/9DACAC30 1999-10-31

rainer$ which gpg
/usr/bin/gpg

rainer$ ./configure --with-gpg=/usr/bin/gpg --with-fingerprint=EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C

</pre>

<h2>Signing the files</h2>
<p>
The <i>configuration file</i> and the
<i>file signature database</i>
(created by running <tt>samhain -t init</tt>) must be signed manually
using the command:
</p><p>
<tt> gpg -a --clearsign --not-dash-escaped /etc/samhainrc</tt><br/>
<tt> mv /etc/samhainrc.asc /etc/samhainrc</tt>
</p><p>
<i>Gpg</i> will create a <i>signed copy</i> of the file,
named <i>file.asc</i>.
You need to <b>rename</b> (<tt>cp/mv</tt>) this signed copy
to the original filename.
After signing the configuration file, you can initialize the database
and sign it likewise.
</p>
<p>
<b>Note 1:</b> The installation script will ask you to
sign the <i>configuration file</i> upon installation.
</p><p>
<b>Note 2:</b> The <i>gpg</i> option <tt>--not-dash-escaped</tt>
does no harm if used with the
<i>configuration file</i>, but is only required for the
<i>file signature database</i>.
</p>

<h3>TIP</h3>
<p>
In the subdirectory <tt>scripts/</tt> of the source directory you will find
a Perl script <b>samhainadmin.pl</b> to facilitate some
tasks related to the administration of signed configuration and
database files (e.g. examine/create/remove signatures).
Run it with <i>--help</i> to get usage
information.
</p>

<h3>CAVEAT</h3>
<p>
When signing, the option <i>--not-dash-escaped</i> is
recommended, because otherwise the database might get corrupted.
However, this implies that after a database update,
you <i>must</i> remove the old signature first, before
re-signing the database. Without 'dash escaping',
gpg will not properly handle the old signature.
See the tip just above.
</p>

<h3>Example</h3>

<pre style="background-color:#DDDDDD; color:#000000">

root# gpg -a --clearsign --not-dash-escaped /etc/samhainrc

You need a passphrase to unlock the secret key for
user: "Rainer Wichmann"
1024-bit DSA key, ID 0F571F6C, created 1999-10-31

root# mv /etc/samhainrc.asc /etc/samhainrc
root# samhain -t init
root# gpg -a --clearsign --not-dash-escaped /var/lib/samhain/samhain_file

You need a passphrase to unlock the secret key for
user: "Rainer Wichmann"
1024-bit DSA key, ID 0F571F6C, created 1999-10-31

root# mv /var/lib/samhain/samhain_file.asc /var/lib/samhain/samhain_file
root# samhain -D -t check

</pre>

<h2>Make samhain verify the signature</h2>
<p>
This is the part where some people run into problems. The point is,
when <i>gpg</i> is invoked by samhain, it must <i>find the public key</i>
needed for verification. <i>Gpg</i> expects public keys in a file
located at <b>~user/.gnupg/pubring.gpg</b> where <b>~user</b>
is the home directory of the user that <i>gpg</i> is running as.
</p><p>
It is therefore <i>crucial</i> to include the public key corresponding
to the secret key used for signing in the correct <b>pubring.gpg</b>
file (this file can hold many public keys, e.g. of people sending you
emails signed by them).
</p><p>
So which is the correct file? Here we have to consider two separate
cases:
</p>
<ol>
<li>The client (or standalone) samhain daemon runs with UID 0 (i.e. root),
thus the public key must be in <b>~root/.gnupg/pubring.gpg</b>
</li>
<li>
The server (yule) <i>always</i> drops root privileges (if started with them), and
runs as a <i>non-root user</i>. The username to use is compiled in,
either with the <i>configure</i> option <tt>--enable-identity=USER</tt>,
or by default as determined by <i>configure</i> (the first existing user
out of the list <i>yule, daemon, nobody</i>). Thus, the public key
must be in <b>~root/.gnupg/pubring.gpg</b> (for startup) <i>and</i>
in <b>~non_root_user/.gnupg/pubring.gpg</b> (for reload with SIGHUP).
</li>
</ol>
<p>
To import a public key into the public
keyring (pubring.gpg) of another user, you can do:
</p><p>
<tt> gpg --export KEY-ID > filename</tt><br>
<tt> su another_user</tt><br>
<tt> gpg --import filename</tt>
</p>
<p>
<b>Note:</b> samhain will invoke <i>gpg</i> with the options:
</p><p>
<tt> --status-fd 1 --verify --homedir /homedir/.gnupg --no-tty -</tt>
</p><p>
and pipe the configuration/database file into <i>gpg</i>, similar to:
</p><p>
<tt>cat filename | /usr/bin/gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -</tt>
</p><p>
(of course samhain does not invoke cat, or the shell; the example above
just shows how to do the same from the shell command prompt).
</p>

<h3>Example for signature check</h3>
<p>
If you want to check the signature the same way samhain does, it should look
like this (note the GOODSIG and VALIDSIG keywords in the output):
</p>
<pre style="background-color:#DDDDDD; color:#000000">

root# cat /etc/samhainrc | gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -
gpg: Signature made Sat Mar 15 16:08:21 2003 CET using DSA key ID 0F571F6C
[GNUPG:] SIG_ID 9hQvRhgjWLqyFzVOHi2b0uDmBFo 2003-03-15 1047740901
[GNUPG:] GOODSIG 1AAD26C80F571F6C Rainer Wichmann
gpg: Good signature from "Rainer Wichmann"
gpg: aka "Rainer Wichmann"
[GNUPG:] VALIDSIG EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C 2003-03-15 1047740901
[GNUPG:] TRUST_ULTIMATE

</pre>

<h2>Troubleshooting</h2>
<p>
First and foremost, run samhain (or yule) from the command line, in non-daemon
mode, and with the command-line option <tt>-p debug</tt> for debug-level
output. This will print
descriptive information on setup errors and/or relevant output from
the GnuPG subprocess.
</p>
<p>
Output from the GnuPG subprocess is marked by <b>[GNUPG:]</b>, and
may show the following errors:
</p>

<ul>
<li><b>ERRSIG</b> and/or <b>NO_PUBKEY</b> indicates that gpg did not find
the public key to verify the signature. You should import that key
into the keyrings of root and (for yule additionally) the yule user.
</li>
<li><b>BADSIG</b> indicates that the public key was found by gpg, but
the signature is invalid. Either the file has been modified after
signing, or a previous signature has not been removed.
</li>
<li><b>NODATA</b> indicates that there is no signed data, i.e. the
configuration or database file is not signed at all.
</li>
</ul>
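<p>
Added example (not part of the original HOWTO and not samhain's own code): a shell function that reads <tt>gpg --status-fd</tt> output and reports which of the cases above applies, including the fingerprint comparison from Note 2 under Prerequisites. The names <tt>check_status</tt> and <tt>verdict_for</tt> and the verdict words are assumptions; <tt>SAMPLE_GOOD</tt> is copied from the sample run above, the other samples are constructed.
</p>

```shell
#!/bin/sh
# Added example, not samhain's code. Reads gpg --status-fd output on stdin and
# prints one verdict; returns 0 only for a good signature made with the key
# whose fingerprint is passed as $1 (spaces and lower case are tolerated).
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0 fpr='' err=''
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue   # skip human-readable "gpg:" lines
        case $kw in
            GOODSIG)          good=1 ;;
            VALIDSIG)         fpr=$arg ;;     # full fingerprint of the signing key
            BADSIG)           err=modified-or-old-signature ;;
            ERRSIG|NO_PUBKEY) err=${err:-missing-public-key} ;;
            NODATA)           err=${err:-not-signed} ;;
        esac
    done
    if [ -n "$err" ]; then echo "$err"; return 1; fi
    if [ "$good" -ne 1 ] || [ -z "$fpr" ]; then echo no-valid-signature; return 1; fi
    if [ "$fpr" != "$want" ]; then echo wrong-key; return 1; fi
    echo ok
}

# Fingerprint as printed by "gpg --fingerprint" in the page's example.
EXPECTED_FPR='EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C'

# Status lines copied from the page's sample run.
SAMPLE_GOOD='gpg: Signature made Sat Mar 15 16:08:21 2003 CET using DSA key ID 0F571F6C
[GNUPG:] SIG_ID 9hQvRhgjWLqyFzVOHi2b0uDmBFo 2003-03-15 1047740901
[GNUPG:] GOODSIG 1AAD26C80F571F6C Rainer Wichmann
[GNUPG:] VALIDSIG EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C 2003-03-15 1047740901
[GNUPG:] TRUST_ULTIMATE'

# Constructed samples (not captured from a real run).
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 89ABCDEF01234567 Somebody Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-03-15 1047740901'
SAMPLE_NO_KEY='[GNUPG:] NO_PUBKEY 1AAD26C80F571F6C'
SAMPLE_BAD='[GNUPG:] BADSIG 1AAD26C80F571F6C Rainer Wichmann'
SAMPLE_UNSIGNED='[GNUPG:] NODATA 1'

# verdict_for SAMPLE: run one embedded sample through check_status.
verdict_for() { printf '%s\n' "$1" | check_status "$EXPECTED_FPR"; }

# On a real host, feed it the command from the page instead:
#   gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty - < /etc/samhainrc | check_status "$EXPECTED_FPR"
for s in "$SAMPLE_GOOD" "$SAMPLE_OTHER_KEY" "$SAMPLE_NO_KEY" "$SAMPLE_BAD" "$SAMPLE_UNSIGNED"; do
    verdict_for "$s" || true
done
```

<p>
The <tt>wrong-key</tt> verdict is the case Note 2 describes: gpg reports a good signature, but it was made with a key other than the expected one.
</p>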
</div>
</body>
</html>