4.19. Taking a snapshot of the system

Before putting the system into production you could take a snapshot of the whole system. This snapshot could be used in the event of a compromise (see Chapter 11, After the compromise (incident response)). You should remake this snapshot whenever the system is upgraded, especially if you upgrade to a new Debian release.

For this you can use writable removable media that can be set up read-only. This could be a floppy disk (write-protected after use), a CD in a CD-ROM unit (you could use a rewritable CD-ROM so you could even keep backups of md5sums from different dates), or a USB disk or MMC card (if your system can access those and they can be write-protected).

The following script creates such a snapshot:

  #!/bin/bash
  # Abort if the media cannot be mounted, otherwise the checksum files
  # would silently be written to the local disk instead
  /bin/mount /dev/fd0 /mnt/floppy || exit 1
  # Unmount the media on exit or on the usual termination signals
  # (SIGKILL cannot be trapped, so it is not listed)
  trap "/bin/umount /dev/fd0" 0 1 2 3 13 15
  if [ ! -f /usr/bin/md5sum ] ; then
      echo "Cannot find md5sum. Aborting."
      exit 1
  fi
  # Keep a copy of the checksum tool on the media so that later checks
  # do not have to rely on the binary of a possibly compromised system
  /bin/cp /usr/bin/md5sum /mnt/floppy
  echo "Calculating md5 database"
  >/mnt/floppy/md5checksums.txt
  for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/
  do
      # -print0/-0 keeps file names containing blanks or newlines intact
      find $dir -type f -print0 | xargs -0 /usr/bin/md5sum >>/mnt/floppy/md5checksums.txt
  done
  echo "post installation md5 database calculated"
  if [ ! -f /usr/bin/sha1sum ] ; then
      echo "Cannot find sha1sum"
      echo "WARNING: Only md5 database will be stored"
  else
      /bin/cp /usr/bin/sha1sum /mnt/floppy
      echo "Calculating SHA-1 database"
      >/mnt/floppy/sha1checksums.txt
      for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/
      do
          find $dir -type f -print0 | xargs -0 /usr/bin/sha1sum >>/mnt/floppy/sha1checksums.txt
      done
      echo "post installation sha1 database calculated"
  fi
  exit 0

Note that the md5sum binary (and sha1sum, if available) is placed on the floppy so it can be used later on to check the binaries of the system (just in case it gets trojaned). However, if you want to make sure that you are running a legitimate binary, you might want to either compile a static copy of the md5sum binary and use that one (to prevent a trojaned libc library from interfering with the binary) or to use the snapshot of md5sums only from a clean environment such as a rescue CD-ROM or a Live-CD (to prevent a trojaned kernel from interfering). I cannot stress this enough: if you are on a compromised system you cannot trust its output, see Chapter 11, After the compromise (incident response).

The snapshot does not include the files under /var/lib/dpkg/info, which include the MD5 hashes of installed packages (in files ending with .md5sums). You could copy this information along too; however, you should note:

  • the md5sums files include the md5sum of all files provided by the Debian packages, not just system binaries. As a consequence, that database is bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical system and around 2.5 Gb of software installed) and will not fit in small removable media (like a single floppy disk, but would probably fit in a removable USB memory).

  • not all Debian packages provide md5sums for the files installed since it is not (currently) mandated policy. Notice, however, that you can generate the md5sums for all packages using debsums after you've finished the system installation:

    # debsums --generate=missing,keep

Once the snapshot has been generated, you should make sure it is stored on read-only media. You can also keep a backup copy of it on disk, to be used for comparison in a nightly cron check.
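The snapshot script above only builds the databases; the text then says to use the stored copy of md5sum to check the system later and to compare against the snapshot from a nightly cron job. The following is an added example (not part of the Securing Debian Manual) that covers both halves: it builds the md5 and sha1 databases for a set of directories with the checksum tools kept on the read-only media, verifies the live files against a database, and lists files that appeared after the snapshot was taken (something a plain checksum comparison does not report). The paths /mnt/floppy/md5sum and /mnt/floppy/sha1sum are assumed to be the copies made by the snapshot script; override MD5SUM and SHA1SUM to point elsewhere.

```shell
#!/bin/sh
# Added example (not the manual's own script). Assumes the checksum tools were
# copied to the read-only media as in the snapshot script; override if needed.
MD5SUM="${MD5SUM:-/mnt/floppy/md5sum}"
SHA1SUM="${SHA1SUM:-/mnt/floppy/sha1sum}"

# take_snapshot DB_DIR DIR... : write md5checksums.txt and sha1checksums.txt
# for every regular file under DIR... into DB_DIR (truncating old databases).
take_snapshot() {
    db="$1"; shift
    : > "$db/md5checksums.txt"
    [ -x "$SHA1SUM" ] && : > "$db/sha1checksums.txt"
    for dir in "$@"; do
        # -print0/-0 keeps file names with blanks or newlines intact
        find "$dir" -type f -print0 | xargs -0 "$MD5SUM" >> "$db/md5checksums.txt"
        if [ -x "$SHA1SUM" ]; then
            find "$dir" -type f -print0 | xargs -0 "$SHA1SUM" >> "$db/sha1checksums.txt"
        fi
    done
}

# verify_snapshot DB_FILE : recompute every entry of DB_FILE with the trusted
# md5sum copy. Prints only files that changed or vanished (GNU --quiet) and
# returns non-zero if any did, which is what a cron job should alert on.
verify_snapshot() {
    db="$1"
    "$MD5SUM" --quiet -c "$db" 2>/dev/null
}

# list_new_files DB_FILE DIR... : files now present under DIR... that have no
# entry in DB_FILE, i.e. files dropped onto the system after the snapshot.
list_new_files() {
    db="$1"; shift
    now=$(mktemp); old=$(mktemp)
    find "$@" -type f | sort > "$now"
    # database lines are "<hex digest>  <path>"; keep only the path
    sed 's/^[0-9a-f]*  //' "$db" | sort > "$old"
    comm -23 "$now" "$old"
    rm -f "$now" "$old"
}

# Usage: snapshot.sh snapshot DB_DIR DIR...   (run once, media writable)
#        snapshot.sh verify   DB_FILE         (nightly, media read-only)
#        snapshot.sh newfiles DB_FILE DIR...
case "${1:-}" in
    snapshot) shift; take_snapshot "$@" ;;
    verify)   verify_snapshot "$2" ;;
    newfiles) shift; list_new_files "$@" ;;
esac
```

verify_snapshot only reports entries that exist in the database, so a trojaned binary planted under a new name would pass it; that is why list_new_files is run alongside it. Both functions deliberately invoke the checksum tool from the media rather than whatever md5sum is on PATH, but as the text above stresses, a trojaned kernel or libc can still lie to them, so the authoritative comparison is the one done from a rescue or Live-CD.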

If you do not want to set up a manual check you can always use any of the integrity checking systems available that will do this and more; for more information please read Section 10.2, "Periodic intrusion detection".