Install and tweak the Checkmate tripwire

Apr 11, '05 10:21:00AM

Contributed by: PurpleHaze

There is a simple and effective way to protect yourself against trojans, rootkits etc. Such threats may be at a low level on our platform at the moment, but unless you have defences in place before one strikes, you may be unable to detect or remove it safely if it ever does happen. That defence is a tripwire -- a program that takes a "snapshot" of your system's critical parts and later checks that none of them have changed. A malicious program could (if it gained root privileges) replace your login window, Activity Monitor, NetInfo Manager and other programs so that clandestine users and programs could run on your Mac without you being able to see them. By "fingerprinting" key binaries ahead of time, and checking to see if they change, you will know if something has tampered with them.

Brian Hill's excellent Checkmate is a System Preferences pane that does just that. Unfortunately, he is no longer updating it, and it has some limitations ... so here's a quick tutorial on making it work. Please write to Brian Hill, thank him for his excellent work, and ask him to release the source code under the GNU General Public License!

First, download the latest version of Checkmate [143KB download]. The built-in interface of the prefs pane only allows you to add files which are visible, and that you can navigate to. Also, it will allow you to add Cocoa applications, but as they are bundles (folders, not single files), it won't calculate the hash. Here's my way around that. First, download an updated plist from Thomas Hardly's Hardening your Macintosh website. Replace the existing Checkmate plist. If you know vi, or are comfortable editing plists, you can add more, but there is an easier way...

Here's how to add Cocoa binaries via the Aqua GUI. Navigate to the application you want to protect. Control-click on the program, and choose "Show Package Contents" from the pop-up menu. Control-click on the Contents folder inside Some_name.app, and select "Copy path to clipboard." Go to System Preferences, open the Checkmate pane, click "Files," click "Add...," and then hit Command-Shift-G (this opens a field where you can type a path name). Now paste the data from your clipboard, which is the path to the Contents folder of the application.

You will now be able to browse the package contents from within Checkmate. Select any Unix executables you wish to hash; they live in Contents/MacOS. For example, the full path to the Keychain Access binary is /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access. To fingerprint files inside invisible directories (e.g. /usr/sbin/), navigate there in the Terminal, copy the path, and use the Command-Shift-G trick as above.

Of course, you need to back up those hashes on another secure machine, or an intruder with root access could simply delete or rewrite them along with the binaries. At the very least, create an encrypted disk image, then from within the Checkmate pane, select "Export," and save the file to your encrypted disk image. The checksums should only change after a system update, so you won't have to do this often.

Any tips, corrections and additions gratefully received.



Mac OS X Hints
http://hints.macworld.com/article.php?story=20050408175859956