
Re: Thoughts on GuixSD and IDS like AIDE and Tripwire


From: dian_cecht
Subject: Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Tue, 3 Jan 2017 08:36:11 -0800
User-agent: Mutt/1.5.24 (2015-08-30)

On Mon, Jan 02, 2017 at 11:28:55PM +0100, Ludovic Courtès wrote:
> Hi!
> 
> address@hidden skribis:
> 
> > P.S. On second thought (and after a cup of coffee), could the database file be
> > generated using the same format programs like md5sum, sha1sum, et al use so we'd
> > just have to run (for example) md5sum -C database?
> 
> That sounds like a good idea to complement ‘guix publish’ + ‘guix
> challenge’.
> 
> A simple way to dump the database is like this:
> 
> --8<---------------cut here---------------start------------->8---
> $ sudo sqlite3 /var/guix/db/db.sqlite
> SQLite version 3.14.1 2016-08-11 18:53:32
> Enter ".help" for usage hints.
> sqlite> select path,hash from validpaths;
> /gnu/store/98xcn26354r70nyamkgywqzjxvw3qikx-guile-2.0.9.tar.xz|sha256:a475e4bad3d39a94f01c590f239e80dbd84688e480ca74de3e335f6f36a0d975
> /gnu/store/hyh7kwkqlxc0x9s8cs5mjnih5v524486-make-impure-dirs.patch|sha256:d697a02be5fea425ac93eb650b1359e3e8053d84f70677c8c0a80291ed03585e
> /gnu/store/hv15hq91vm3ajv23lkq0kgd56d4kmd08-findutils-absolute-paths.patch|sha256:c4fc83e01a7f448b598905bcf6ca39b5ba0f1f0f131145b379f0de9c2fbe109b
> […]
> --8<---------------cut here---------------end--------------->8---
> 
> (Of course you have to trust the database to contain the right hashes in
> the first place.)
> 
> Ludo’.

That is part of the reason I also suggest an external utility, and ideally one
that is simple enough that people could (re)implement it in their language of
choice (so that what and where the script is is generally
unknown/unknowable/really hard to find, as well as much more difficult to
compromise via simple methods such as patching).

Heck, since your normal user can read the store, one should be able to
reasonably compare the currently stored database to something the user has
generated via

# Please note that I'm not 100% sure this is correct. I don't think you'd want
# to include .link files, but I'm unable to find a quick way in the minute or
# two I wrote this to avoid them. Plus I'd expect some things to be checksummed
# that don't really need it.
$ find /gnu/store/ -type f -print0 | xargs -0 sha256sum

or something similar, given that sha256sum isn't compromised. Once the two are
known to be in sync (ideally with some form of external verification, and by
external I mean booting and mounting the system under a Known Good liveUSB or
similar and checking the database against the system's sha256sum as well as the
liveUSB's Known Good version), then comparing to another person's checksum dump
(ideally someone you know properly checks their system via the aforementioned or
better method) to try and catch potential unwanted modification.

The obvious problem would be removing entries for programs known to not have a
deterministic build (which makes all of this entirely moot for said program),
and hope they aren't compromised and aren't Very Important to the system.
