All security guides recommend that you keep a recovery toolkit made up of statically linked versions of the important binaries. In this article I will show how to build this toolkit.
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Introduction
All security guides recommend that you keep a security audit toolkit (also called a forensic toolkit or recovery toolkit). This toolkit is a set of statically linked binaries (grep, w, netstat, ls, nc, strace, ps, etc.). The problem is that these security guides tell you to build this toolkit but never show you how to do it (they just say it can be really difficult...). In this article I will explain why we need this toolkit, then I will show how to build it.
Why a recovery toolkit?
If an attacker has gained superuser access to your system, he could have installed malware such as a trojan or a rootkit. Therefore you cannot trust anything on your system. The su or login binaries could have been replaced by his own tool to grab your passwords. Other trojans attack the shared libraries directly, meaning that even newly compiled code may be dangerous, because it is linked against the trojaned libraries.
The other use of this toolkit is to "repair after an accident". A single wrong command is enough to damage important binaries or shared libraries (for example an rm -r on the wrong folder...).
This toolkit must be kept on a read-only file-system, and it can also be used by rootkit hunting tools such as chkrootkit.
It is also important to notice that this toolkit is made of statically linked binaries: we cannot rely on the system shared libraries if the system is corrupted.
Build the toolkit.
Note : The total size of the binaries + sources is about 500 MB. The binaries alone take less than 50 MB.
Prerequisite :
Create a folder where you will install your toolkit.
mkdir -p audit/src
mkdir -p audit/bin
You need to install the dpkg dev package.
apt-get install dpkg-dev
The core binaries :
The proc binaries :
The net-tools binaries :
The gawk binaries :
The grep binaries :
The lsof binary :
The strace binary :
The sed binary :
The netcat binary :
The binutils binaries :
The findutils binaries :
Finally
We have finished building our toolkit. Remember that you should keep this toolkit (at least the bin folder) on a separate read-only file-system (such as a CD).
You may want to verify that your binaries are really static. Use the ldd command for that:
ldd audit/bin/*
It should report for every tool that it is not a dynamic executable.
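As an added example (not part of the original article), the following script automates the ldd check above: it runs ldd over every file in the toolkit's bin folder, parses the output, and fails if any binary is still dynamically linked or is not executable. The directory name audit/bin is the one used in this article; the function names are my own.

```shell
#!/bin/sh
# Verify that every binary in the toolkit is statically linked before the
# folder is copied to read-only media. glibc's ldd prints
# "not a dynamic executable" (or "statically linked") for a static binary
# and one "libfoo.so => /path" line per shared library for a dynamic one.

# Return 0 if the given ldd output describes a static binary, 1 otherwise.
is_static_ldd_output() {
    out="$1"
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*) return 0 ;;
        # Anything else ("libc.so.6 => ...", vdso lines, errors) is not trusted.
        *) return 1 ;;
    esac
}

# Check one file: print its status, return 0 only for a static executable.
check_binary() {
    bin="$1"
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        printf 'SKIP    %s (not an executable file)\n' "$bin"
        return 1
    fi
    # ldd exits non-zero for static binaries on some systems, and may write
    # to stderr, so capture both streams and judge the text instead.
    out=$(ldd "$bin" 2>&1)
    if is_static_ldd_output "$out"; then
        printf 'STATIC  %s\n' "$bin"
        return 0
    fi
    printf 'DYNAMIC %s\n' "$bin"
    return 1
}

# Check every entry in the toolkit bin folder (default audit/bin).
# Returns 0 only when every file is a static executable.
check_toolkit() {
    dir="${1:-audit/bin}"
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty folder: the glob stays literal
        check_binary "$f" || bad=$((bad + 1))
    done
    printf '%d untrusted file(s) in %s\n' "$bad" "$dir"
    [ "$bad" -eq 0 ]
}
```

Source the file and run `check_toolkit audit/bin`; a non-zero exit status means at least one file must be rebuilt before the toolkit is burned to read-only media.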