
Install and tweak the Checkmate tripwire System
There is a simple and effective way to protect yourself against trojans, rootkits, etc. Such threats may be at a low level on our platform at the moment, but unless you have defences in place before one strikes, you may be unable to detect or remove it safely if it ever does happen. That defence is a tripwire -- a program that takes a "snapshot" of your system's critical parts and makes sure none of them have changed. A malicious program could (if it gained root privileges) replace your login window, Activity Monitor, NetInfo Manager and other programs so that clandestine users and programs could run on your Mac without you being able to see them. By "fingerprinting" key binaries ahead of time, and checking to see if they change, you will know if something is going on.

Brian Hill's excellent Checkmate is a Preferences pane that does just that. Unfortunately, he is no longer updating it, and it has some limitations ... so here's a quick tutorial on making it work. Please write to Brian Hill, thank him for his excellent work, and ask him to release the source code under the GNU General Public License!

First, download the latest version of Checkmate [143KB download]. The built-in interface of the prefs pane only allows you to add files which are visible, and that you can navigate to. Also, it will allow you to add Cocoa applications, but as they are bundles, it won't calculate the hash. Here's my way around that. First, download an updated plist from Thomas Hardly's Hardening your Macintosh website. Replace the existing Checkmate plist. If you know vi, or are comfortable editing plists, you can add more, but there is an easier way...

Here's how to add Cocoa binaries via the Aqua GUI. Navigate to the application you want to protect. Control-click on the program, and choose "Show Package Contents" from the pop-up menu. Control-click on the Contents folder inside Some_name.app, and select "Copy path to clipboard." Go to System Preferences, open the Checkmate pane, click "Files," click "Add...," and then hit Command-Shift-G (this allows you to enter a path name). Now paste the data from your clipboard, which is the path to the folder containing the application's binaries.

You will now be able to browse the package contents from within Checkmate. Select any Unix executables you wish to hash. For example, the full path to the Keychain Access binary is /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access. To fingerprint files inside invisible directories (e.g. /usr/sbin/), navigate there via the Terminal, copy the path, and use the Command-Shift-G trick as above.

Of course, you need to back up those hashes on another secure machine, or an intruder could just trash them. At the very least, create an encrypted disk image, then from within the Checkmate prefpane, select "Export," and save the file to your encrypted disk image. The checksums should only change after a system update, so you won't have to do this often.

Any tips, corrections and additions gratefully received.
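To make the baseline/verify cycle above concrete, here is a small added example (not Checkmate's code, and not from this hint's author) that fingerprints a list of binaries, exports the snapshot to a file you could keep on an encrypted image, and later reports which files changed or went missing; the bundle path and the never-created identd path are constructed inside a temp directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path, chunk=65536):
    """SHA-256 of a file's contents, or None if the file does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(paths):
    """Snapshot the listed binaries; a missing one (e.g. identd on a newer OS) is stored as None."""
    return {str(p): fingerprint(p) for p in paths}


def save_baseline(snapshot, out_path):
    Path(out_path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def verify(snapshot):
    """Compare the live files against the stored snapshot and bucket each path."""
    report = {"changed": [], "missing": [], "unchanged": [], "absent_at_baseline": []}
    for path, expected in sorted(snapshot.items()):
        current = fingerprint(path)
        if expected is None:
            report["absent_at_baseline"].append(path)  # nothing to compare, but worth flagging
        elif current is None:
            report["missing"].append(path)
        elif current != expected:
            report["changed"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: baseline a fake app-bundle binary, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp, "Keychain Access.app", "Contents", "MacOS", "Keychain Access")
        binary.parent.mkdir(parents=True)
        binary.write_bytes(b"original binary contents")
        ghost = Path(tmp, "usr", "sbin", "identd")  # deliberately never created
        store = Path(tmp, "checkmate-baseline.json")
        save_baseline(baseline([binary, ghost]), store)
        binary.write_bytes(b"replaced binary contents")  # simulate a tampered binary
        return verify(load_baseline(store))
```

Running `demo()` returns a report with the bundle binary under "changed" and identd under "absent_at_baseline"; in real use you would run `baseline()` on the real paths once and `verify()` on a schedule, with the JSON file stored off the machine.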

Install and tweak the Checkmate tripwire | 6 comments
Install and tweak the Checkmate tripwire
Authored by: pknull on Apr 11, '05 03:20:43PM
It might be noted that, depending on the version of OS X you're running, not all files in the updated plist will be found in your system. I'm curious as to what other system files people may have added to this, and if different files should be regularly checked depending on the OS version you are running... It's neat to read things on one site, and then a day or two later, read a similar hint on another. It's like watching waves of information wash over the community.

Install and tweak the Checkmate tripwire
Authored by: PurpleHaze on Apr 11, '05 05:16:11PM

identd is no longer installed in Panther, and is in the default plist - so if you leave it in, it will throw an error.
I have audit installed (part of Apple's Common Criteria Tools) so I checksum those binaries too, plus the binaries that make up Keychain Access and a few others.
Oh - it's me who's posting this tutorial around - I'm on a one-man mission to promote the use of tripwires, before the platform gets hit by its first serious malware. I really, really hope Brian Hill considers releasing Checkmate under GPL.

Install and tweak the Checkmate tripwire
Authored by: GlowingApple on Apr 11, '05 06:01:07PM
What about Tripwire (www.tripwire.org)? It's a great app for Linux, and there's a Mac OS X package available at http://www.macguru.net/~frodo/Tripwire-osx.html.

---
Jayson --When Microsoft asks you, "Where do you want to go today?" tell them "Apple."


Install and tweak the Checkmate tripwire
Authored by: msk on Apr 12, '05 06:44:57AM

Using Tripwire is a little more work, but it protects everything including a primary and secondary user account. You can use tripwire to determine what files were changed and added by any software package; just run before and after installing. Why trust third party software when you can verify? I found Checkmate too lightweight for my taste.

Install and tweak the Checkmate tripwire
Authored by: kissedsmiley on Apr 12, '05 01:54:20PM

hi purple!
I'd definitely like to have something like tripwire so thanks for starting this hint. I don't trust your reference to http://members.lycos.co.uk/hardapple/ however, because I (dumbo I suppose) found this on their site:

"security guides, presentations & tutorials: Angelo Laub's slides from his presentation "Mac OS X Insecurity" at the 21C3 congress. Also his paper entitled Mac OS X Insecurity is available."
The two links referred to are not what they should be! The 2nd says https://21c3.annulator.de/OSXInsecurity.pdf which is nearly the correct URL... but contains "s"; i.e. the https is not valid, got me to 100% cpu usage and caused me a bunch of time to check if my mac is ok. The correct paper fyi is at http: of the same or http://www.ccc.de/congress/2004/fahrplan/event/218.de.html .


On these travels, I discovered another tripwire-like thing, FCheck (http://www.macos.utah.edu/Documentation/macosx/security/fcheck.html), which has nice hints on what files normally change. The intro says:

"I wrote this document in 2002 for Mac OS X 10.1. I never posted it because I decided to use http://www.Radmind.org instead of FCheck. Well, I had this finished document that still was good (written for FCheck 2.07.59, which is still the current version as of May 2003), so I decided to throw it up here. I updated part of the exclusion list below for Mac OS X 10.2, but I haven't tested it.
What is FCheck?
FCheck notices changes on the hard disk and notifies you of unauthorized changes. FCheck does this by taking periodic "baseline" snapshots and comparing them. This is also called a tripwire. For more information, see the FCheck homepage."

Install and tweak the Checkmate tripwire
Authored by: kissedsmiley on Apr 12, '05 03:59:43PM

tripwire is on DarwinPorts: http://darwinports.opendarwin.org/ports/?by=name&substr=tripwire&Search=Submit
