News, tips, partners, and perspectives for the Oracle Solaris operating system

Solaris Fingerprint Database - How it's done in Solaris 11

Many remember the Solaris Fingerprint Database. It was a great tool for verifying the integrity of a Solaris binary. Unfortunately, it went away with the rest of SunSolve and was not revived in its replacement, "My Oracle Support". Here's the good news: it's back for Solaris 11, and it's better than ever!

To use the old database, you had to compute an MD5 fingerprint (digest) of a binary and then look that fingerprint up in the Fingerprint Database on the web. While a tool was available for mass verification, the process was still rather cumbersome.

In Solaris 11, all of this is integrated into the package manifests of IPS. SHA1 and ELF hashes are stored in the manifest of each package for the binaries and scripts it delivers. This allows for manual verification, but the packaging system also provides a way to verify the integrity of the installed software automatically. Here are some of the things you can do with these hashes:

  • What's the SHA1 fingerprint of a binary?
    digest -a sha1 /usr/bin/vim
  • What package is that binary delivered in?
    pkg search -f $(digest -a sha1 /usr/bin/vim)
    (You need the "-f" to find it even if a newer version exists but isn't installed)
  • Want more details?
    pkg info -r $(pkg search -f -H -o pkg.fmri $(digest -a sha1 /usr/bin/vim))

If all of this works out, you've verified that the binary (/usr/bin/vim in this case) is valid and part of the package vim-core.

The checks are done against the publishers configured on the system. You can see which ones are configured with the command "pkg publisher". Typical output of this command would be

solaris origin online https://pkg.oracle.com/solaris/support/

Of course, you can also check an individual file's SHA1 digest directly on the webserver.  Just point your browser to the URL of the publisher and enter the digest in the search form.  This is very similar to how the old Fingerprint Database worked.  However, IPS can do a lot more than that:

Using the command "pkg verify", you can actually have the packaging system verify each and every installed package against the repository it was installed from.  Depending on the type of file (binary, script, config file), different checks will be performed:

  • Binaries are checked using their ELF hash
  • Scripts are checked using their SHA1 file hash
  • Config files, naturally, cannot be checked, since they are meant to be changed by the administrator.
  • File ownership and permissions are also checked.

This reports any deviation from what is defined in the package manifests, exposing, for example, any modified scripts or binaries. You can do this against the whole installation, or you can check an individual package. Depending on the output, you can then decide what to do:

  • Leave everything as it is
  • Fix deviations manually, for example because you know what happened
  • Have the package system fix individual packages (or everything) automatically

This last point is the real "power feature" in this context: since IPS knows what things should look like, you can ask it to bring them back to that state. That is a great improvement over what you could do with BART and the Fingerprint Database.

With all of this, IPS can compare an existing installation with the data provided by the repository it was installed from. The integrity of that repository needs to be ensured separately. For the "master" repository, Oracle does this for you: the packages themselves are cryptographically signed, just like all the binaries. If you work with your own local repository, check the download against the provided SHA1/MD5 checksums before deploying it. You are then responsible for protecting that repository yourself.

To wrap things up, here's a little example for all of this:

root@benjaminchen:/usr/bin# ls -l vim
-r-xr-xr-x 1 root bin 2225532 Feb 23 14:31 vim
root@benjaminchen:/usr/bin# digest -a sha1 vim
root@benjaminchen:/usr/bin# pkg search -f f2495fa19fcc4b8a403e0bd4fef809d031296c68
INDEX                                    ACTION VALUE       PACKAGE
f2495fa19fcc4b8a403e0bd4fef809d031296c68 file   usr/bin/vim pkg:/editor/vim/vim-core@7.3.254-
root@benjaminchen:/usr/bin# pkg verify -v vim-core
PACKAGE                                    STATUS
pkg://solaris/editor/vim/vim-core OK
root@benjaminchen:/usr/bin# cp vim vim.org
root@benjaminchen:/usr/bin# cp ls vim
root@benjaminchen:/usr/bin# pkg verify -v vim-core
PACKAGE                                                                 STATUS
pkg://solaris/editor/vim/vim-core                                        ERROR
    file: usr/bin/vim
        Elfhash: 20acbb006d5331660dc026483533c29137318673 should be f301bd9d798c4bdd8edebb001fbf4317380383a9
root@benjaminchen:/usr/bin# pkg fix --accept vim-core
Verifying: pkg://solaris/editor/vim/vim-core                    ERROR         
    file: usr/bin/vim
        Elfhash: 20acbb006d5331660dc026483533c29137318673 should be f301bd9d798c4bdd8edebb001fbf4317380383a9
Created ZFS snapshot: 2012-02-29-09:27:49
Repairing: pkg://solaris/editor/vim/vim-core                                                                                              
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         1/1      0.8/0.8
PHASE                                        ACTIONS
Update Phase                                     1/1
PHASE                                          ITEMS
Image State Update Phase                         2/2
root@benjaminchen:/usr/bin# ls -l vim vim.org
-r-xr-xr-x 1 root bin 2225532 Feb 29 10:28 vim
-r-xr-xr-x 1 root root 2225532 Feb 29 10:27 vim.org
root@benjaminchen:/usr/bin# digest -a sha1 vim
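As an added example (not part of the original post, nor an Oracle tool), here is a small POSIX shell script that wraps the workflow shown on this page: sha1_of and locate_package cover the digest → pkg search chain from the bullet list above, and summarize_verify turns the "pkg verify -v" output from the session above into one tab-separated line per deviation, which is what you want when running the check across many systems and feeding the result to a log collector. The script name ipscheck.sh is assumed; locate_package and verify_packages assume Solaris 11's digest and pkg commands are on PATH, while sha1_of falls back to sha1sum or openssl elsewhere so the parsing can be tried on any host. The embedded SAMPLE_VERIFY is constructed: it reuses the vim-core output from the session, plus a made-up placeholder-pkg with a Mode deviation (assumed to follow the same "attribute: actual should be expected" pattern as the Elfhash line) and a made-up untouched-pkg reported OK.

```shell
#!/bin/sh
# ipscheck.sh (assumed name): added example, not from the original post.
# Wraps the digest -> pkg search -> pkg verify workflow described above.
# Assumes Solaris 11 'digest' and 'pkg' on PATH for locate_package and
# verify_packages; sha1_of and summarize_verify work on any POSIX host.

# Print only the SHA1 digest of a file: 'digest -a sha1 FILE' on Solaris,
# otherwise fall back to sha1sum or openssl and strip their extra columns.
sha1_of() {
    if command -v digest >/dev/null 2>&1; then
        digest -a sha1 "$1"
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha1 "$1" | awk '{ print $NF }'
    fi
}

# Map a file to the package FMRI that delivers it via the SHA1 file index.
# -f also matches when only a newer, uninstalled package version is known;
# -H -o pkg.fmri reduces the output to the FMRI column.
locate_package() {
    fp=$(sha1_of "$1") || return 1
    pkg search -f -H -o pkg.fmri "$fp"
}

# Reduce 'pkg verify -v' output to one tab-separated line per deviation:
# package FMRI, path, attribute, actual value, expected value.
# Packages reported OK produce no output, so an empty result means clean.
summarize_verify() {
    awk '
        # package header line: "pkg://publisher/name   STATUS"
        /^pkg:/ { pkg = $1; next }
        # action line beneath a package: "    file: usr/bin/vim"
        /^[ \t]+[a-z]+: / && !/ should be / { path = $2; next }
        # deviation line: "        Elfhash: <actual> should be <expected>"
        / should be / {
            n = index($0, " should be ")
            left = substr($0, 1, n - 1); expected = substr($0, n + 11)
            sub(/^[ \t]+/, "", left)
            c = index(left, ": ")
            attr = substr(left, 1, c - 1); actual = substr(left, c + 2)
            printf "%s\t%s\t%s\t%s\t%s\n", pkg, path, attr, actual, expected
            next
        }
        # any other detail line (e.g. a missing file): keep the text as a note
        /^[ \t]+/ {
            line = $0; sub(/^[ \t]+/, "", line)
            printf "%s\t%s\tnote\t%s\t\n", pkg, path, line
        }
    '
}

# Run pkg verify on the given packages (or on everything) and summarize.
verify_packages() {
    pkg verify -v "$@" | summarize_verify
}

# Constructed sample: the pkg verify -v output from the session above for
# vim-core, plus an assumed second package with a Mode deviation and a third
# that is OK, to show that every "<attr>: <actual> should be <expected>" line
# is handled and clean packages are skipped.
SAMPLE_VERIFY='PACKAGE                                                                 STATUS
pkg://solaris/editor/vim/vim-core                                        ERROR
    file: usr/bin/vim
        Elfhash: 20acbb006d5331660dc026483533c29137318673 should be f301bd9d798c4bdd8edebb001fbf4317380383a9
pkg://solaris/example/placeholder-pkg                                    ERROR
    file: usr/bin/placeholder
        Mode: 0755 should be 0555
pkg://solaris/example/untouched-pkg                                      OK'

# Usage: ipscheck.sh locate FILE | ipscheck.sh verify [PKG...] | ipscheck.sh demo
case "${1:-}" in
    locate) locate_package "$2" ;;
    verify) shift; verify_packages "$@" ;;
    demo)   printf '%s\n' "$SAMPLE_VERIFY" | summarize_verify ;;
esac
```

"ipscheck.sh verify" with no package argument summarizes the whole installation, exactly as "pkg verify" does; the one-line-per-deviation output keeps the package FMRI on every line, so a modified binary such as the vim replacement in the session shows up as a single Elfhash record that can be alerted on, while OK packages add no noise.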
