Automatic reinstall of system binaries?



  1. #1
    Join Date
    Mar 2003
    Location
    UK
    Posts
    621

    Automatic reinstall of system binaries?

    The program tripwire suggests a reinstall in single user mode before you set up its database. So you can be sure there is nothing scary on the computer to start with.

    I've tried doing this by a rather crude and direct method
    Code:
    for i in `cat /home/lugo/listOfInstalled.txt`; do apt-get install --reinstall --yes "$i"; done
    and got into trouble. First off the /var partition filled up. Then it would not replace the apt-get bin file - was using apt-get.

    Is there a sensible way to achieve this object? Thanks.
    MI6, Offensive Information, Hackers, Encryption, UFO, AOL, Infowar, Bubba, benelux, Ufologico Nazionale, domestic disruption, 15kg, DUVDEVAN, debugging, Bluebird, Ionosphere, Keyhole, NABS, Kilderkin, Artichoke, Badger, spookwords, EuroFed, SP4, Crypto AG – a few, alleged, Echelon keywords. Please add some to your email signature. Full list: http://www.serendipity.li/cia/bz1.html
    http://www.nosoftwarepatents.com/

  2. #2
    Join Date
    Apr 2003
    Location
    UK
    Posts
    1,180
    If your computer isn't clean to start with, then you should do a proper reinstall, otherwise if it did have a rootkit, then it could fake the reinstallation of the files it uses if you are trying to reinstall them from the system in question.

    I don't really understand why the person writing the tripwire manual thinks that reinstalling packages from single user mode is good enough. If you really want to be sure then backup your configuration files and anything else you want to keep, format your root partition and reinstall the whole system from scratch, then you can use your package list to reinstall all your programs, then restore your configuration files and you should be back to where you were before, but with a system that you can be fairly sure is clean.

    However, I don't see why what you tried to do shouldn't work since you can delete or replace files that are in use without affecting the program using it (since it will be kept on disk until any programs using it have finished with it). I guess you could use dpkg to reinstall apt-get.

  3. #3
    Join Date
    Mar 2003
    Location
    UK
    Posts
    621
    Thanks retsaw.
    Quote Originally Posted by retsaw View Post
    If your computer isn't clean to start with, then you should do a proper reinstall, otherwise if it did have a rootkit, then it could fake the reinstallation of the files it uses if you are trying to reinstall them from the system in question.

    I don't really understand why the person writing the tripwire manual thinks that reinstalling packages from single user mode is good enough. If you really want to be sure then backup your configuration files and anything else you want to keep, format your root partition and reinstall the whole system from scratch, then you can use your package list to reinstall all your programs, then restore your configuration files and you should be back to where you were before, but with a system that you can be fairly sure is clean.

    However, I don't see why what you tried to do shouldn't work since you can delete or replace files that are in use without affecting the program using it (since it will be kept on disk until any programs using it have finished with it). I guess you could use dpkg to reinstall apt-get.
    I don't see why what you tried to do shouldn't work since you can delete or replace files that are in use without affecting the program using it (since it will be kept on disk until any programs using it have finished with it)
    Perhaps it was because apt-get had no permissions for anybody, user, group, all. This had been done as a security measure and I had forgotten about it.

    Sorry to be limp wristed but I always **** this sort of thing up: Is this alright? :-

    1/ Use mc, preserving file attributes, to copy the whole /etc directory to my home partition. That way I'll get most of the configuration files.

    2/ Format the relevant partitions, except /home.

    3/ Reinstall the "base system" using Lenny 5.0 CD's.

    4/ Setup "tripwire".

    5/ Run the command in the original post.

    Bloody hell - I only said "****".

  4. #4
    Join Date
    Apr 2003
    Location
    UK
    Posts
    1,180
    Quote Originally Posted by lugoteehalt View Post
    1/ Use mc, preserving file attributes, to copy the whole /etc directory to my home partition. That way I'll get most of the configuration files.
    That'll work, so long as you do it as root, otherwise it won't be able to set the correct ownership. I would use tar, but it won't make a difference. If you are running any servers on this box, they may save files under /var, depending on how they are configured, but if you don't, then it shouldn't be an issue.

    2/ Format the relevant partitions, except /home.
    Yep, fine. Backup anyway, just in case.

    3/ Reinstall the "base system" using Lenny 5.0 CD's.
    Yep. After this is where you should re-install all your packages, well, at least the ones you want installed. There are instructions here, you may want to get your package list again before you format your system and save it to your home partition.

    4/ Setup "tripwire".
    Yep, and since you should have already reinstalled everything else you wanted as I noted in the previous step, this should be the last one.

    5/ Run the command in the original post.
    Well, you shouldn't need to do this now.

    Bloody hell - I only said "****".
    This makes me wonder what word was censored. I would typically mentally fill in the f-word in this context, which I would expect to be censored, I can't think of any milder four-letter words that would fit with the context of what was said, can you give us a clue what it was?

    Edit: Fixed formatting.
    Last edited by retsaw; 11-09-2009 at 05:45 AM.

  5. #5
    Join Date
    Mar 2003
    Location
    UK
    Posts
    621
    Thanks again.
    This makes me wonder what word was censored.
    It was merely c*o*c*k - surely we should celebrate our own bodies, and finally come to terms with the fact of our own physicality in the community.

  6. #6
    Join Date
    Apr 2003
    Location
    UK
    Posts
    1,180
    Heh, perhaps we should, though I don't think it is surprising they censored the word, though in my mind "bloody hell" is almost as bad in terms of swearing and that was left alone. On the other hand a "c o c k" is also a male chicken and why should we be prevented from calling animals by their proper names.

  7. #7
    Join Date
    Jul 2001
    Location
    Fife, Scotland
    Posts
    1,794
    Rather than reinstalling a system from scratch, my method of ensuring that a system is clean is to create statically compiled binaries of chkrootkit and store them on a separate drive (typically a USB stick) that is not left connected to the system (my bootable USB stick is ideal for this). I can then mount the drive read-only and run it to scan the system knowing that even if core binaries have been tampered with, it won't affect the scan.

    Obviously, you need to generate the binaries from a known clean environment (Knoppix is ideal for this) but it's a fair compromise to reinstalling a system (especially when you have a set up as complicated as mine with no partitions and full on-disk encryption).

    James
    Last edited by Satanic Atheist; 11-10-2009 at 08:27 AM. Reason: Typo
    -----------------------------
    UseLinux.net
    -----------------------------

    perl -e 'use Math::Complex;$|=1;for$r(0..24){for$c (0..79){$C=cplx(($c/20.0)-3.0,-($r/12.0)+1.0);$Z= cplx(0,0);for($i=0;($i<80)&&(abs($Z)<2.0);$i++){$Z =$Z*$Z+$C;}print$i>=80?"*":" ";}print"\n";}'

  8. #8
    Join Date
    Apr 2003
    Location
    UK
    Posts
    1,180
    So are you running directly from the system you are checking, or are you booting from your USB stick to check it? If you are running it from within a compromised system then the rootkit can potentially use a kernel module to hide itself. If you run it from a live cd or usb stick, chkrootkit can do its job without any chance of interference.

    However I wouldn't say this was sufficient for declaring a system to be clean for installing tripwire since it could be infected with a rootkit chkrootkit doesn't know about. Tripwire makes a database of all the executables on a system and monitors them for changes, so you really want to be sure the system is clean before initialising its database. I don't think doing a reinstall is that much effort, since it is fairly easy to reinstall all your old packages, so long as you made a copy of your installed packages list, then you can copy the configuration files and then you're practically back to the state you were in before, with the benefit of knowing your binaries are clean.
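An added example, not code from anyone in this thread, of the procedure retsaw lays out in #2, #4 and #8 together with the loop from #1 done without filling /var: save the package selections and /etc before the wipe, then reinstall in small batches with dpkg and apt first and `apt-get clean` between batches. It assumes a Debian box with dpkg/apt-get and a root shell for `save_state` and `reinstall_from_plan`; the selections sample is constructed.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumes Debian with dpkg/apt-get
# and a root shell for save_state and reinstall_from_plan.
set -eu

# Constructed sample in `dpkg --get-selections` format (name, tab, state).
SAMPLE_SELECTIONS=$(printf 'tripwire\tinstall\napt\tinstall\nmc\tinstall\ndpkg\tinstall\nold-kernel\tdeinstall\ncoreutils\tinstall\n')

# Step 1: snapshot what is needed to rebuild: the package list, and /etc with
# ownership and modes preserved (must run as root, as retsaw points out).
save_state() {
    dest=$1
    mkdir -p "$dest"
    dpkg --get-selections > "$dest/selections.txt"
    tar -C / -cpzf "$dest/etc.tgz" etc
}

# Turn a selections list (stdin) into batches of package names, one per line.
# Only "install" entries are kept; dpkg and apt form the first batch so the
# tools doing the work are refreshed before everything else; later batches are
# capped at $1 packages so `apt-get clean` between them keeps /var from
# filling up, which is what broke the single big loop in post #1.
plan_batches() {
    awk -v n="$1" '
        $2 == "install" {
            if ($1 == "dpkg" || $1 == "apt") first[++f] = $1; else rest[++r] = $1
        }
        END {
            for (i = 1; i <= f; i++) printf "%s%s", first[i], (i < f ? " " : "\n")
            line = ""; count = 0
            for (i = 1; i <= r; i++) {
                sep = (count ? " " : "")
                line = line sep rest[i]; count++
                if (count == n) { print line; line = ""; count = 0 }
            }
            if (count) print line
        }'
}

# Step 5 done safely: reinstall each batch read from stdin, then drop the
# downloaded .debs. Replacing a running apt binary is fine, the old inode
# stays alive until the process exits (retsaw's point); the OP suspected a
# stripped permission bit on apt-get, so check `ls -l /usr/bin/apt-get` first.
reinstall_from_plan() {
    while read -r batch; do
        # shellcheck disable=SC2086  # word splitting is intended here
        apt-get install --reinstall --yes $batch
        apt-get clean
    done
}
```

For the real run: `save_state /home/backup`, reinstall the base system, then `plan_batches 20 < /home/backup/selections.txt | reinstall_from_plan` and unpack etc.tgz over the fresh /etc as root.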
