
Re: Script to System Check Integrity against Debian Package Repository



On 09/17/2013 09:45 PM, adrelanos wrote:
> Situation:
> 
> * You have a Debian machine, which might be compromised by a backdoor
> due to a targeted attack. You don't know and want to make sure it's not.
> For example, a server or a client internet machine.

Why not just reinstall from a trusted source, then restore /etc, /home and /var from backups
and audit the changes introduced by that only?

> 
> In reality, it seems like many files are auto-generated and not owned by
> any packages. Some of them even hold binary code, which gets executed
> during boot. Some examples:
> - /boot/grub/video_fb.mod
> - (dpkg -S /boot/grub/video_fb.mod reports not owned by any packages)

It is copied from /usr/lib/grub/i386-pc:
$ dpkg -L grub-pc-bin | grep video_fb
/usr/lib/grub/i386-pc/video_fb.mod

> - /lib/modules/3.10-2-686-pae/modules.symbols
> - /etc/ssl/certs/GeoTrust_Global_CA.pem
> - /etc/ld.so.cache
> - /etc/rc*.d/*
> - /usr/lib/python2.7/dist-packages/pygtk.pyc
> - and many more...
> 
> It could be quite difficult to get a signed version of some of them or
> to deterministically freshly generate them?

Aren't they generated by the package's postinst script?

> 
> And I have open questions, such as:
> - Which package is responsible for creating device files (/dev/...)? How
> to check if they are legit?

/dev should just be a tmpfs, so the kernel creates device files there (possibly triggered by udev).

$ mount | grep '/dev '
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=1013295,mode=755)

> - Is there a signed dump of the grub boot sector somewhere?

I think it is based on /usr/lib/grub/i386-pc/boot.img, but with some offsets adjusted.
Isn't it safer to just re-install grub from your trusted system?

Best regards,
--Edwin
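The check the thread is circling around, as an added example (not from either poster, and not Debian's own tooling such as debsums): dpkg keeps, under /var/lib/dpkg/info/, a <pkg>.md5sums file per package ("<md5>  <path relative to />", no leading slash) and a <pkg>.list file ("/absolute/path", directories included). The script below compares a file tree against those lists and then reports regular files that no .list file claims, which is exactly the class of generated, unowned file adrelanos lists (the grub module copied to /boot, ld.so.cache, .pyc files). The info directory, root directory, package name "grub-pc-bin" and file contents in the demo are constructed for illustration.

```shell
# Added example, not from the thread or from dpkg itself.
# $1 = directory holding <pkg>.md5sums and <pkg>.list files
#      (on a live system: /var/lib/dpkg/info)
# $2 = root of the tree to check (on a live system: /)
LC_ALL=C; export LC_ALL   # byte-order sort/comm, so the two lists agree

# Prints "MISSING <path>" or "MISMATCH <path>" for each divergent
# .md5sums entry; intact files produce no output.
check_md5sums() {
    info_dir=$1; root=$2
    for sums in "$info_dir"/*.md5sums; do
        [ -f "$sums" ] || continue
        while read -r want path; do
            [ -n "$path" ] || continue
            f="$root/$path"
            if [ ! -f "$f" ]; then
                echo "MISSING $path"
                continue
            fi
            have=$(md5sum "$f" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "MISMATCH $path"
        done < "$sums"
    done
}

# Prints "UNOWNED <path>" for every regular file under $root that is
# absent from all .list files (what "dpkg -S" would call not owned).
unowned_files() {
    info_dir=$1; root=$2
    owned=$(mktemp)
    cat "$info_dir"/*.list 2>/dev/null | sort -u > "$owned"
    (cd "$root" && find . -type f | sed 's|^\./|/|' | sort -u) \
        | comm -23 - "$owned" | sed 's|^|UNOWNED |'
    rm -f "$owned"
}

# Constructed demonstration tree for a hypothetical package "grub-pc-bin":
# one intact file, one modified file, one missing file, and a copy under
# /boot/grub that no package owns.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/info" "$tmp/root/usr/lib/grub/i386-pc" "$tmp/root/boot/grub"
    printf 'module\n'   > "$tmp/root/usr/lib/grub/i386-pc/video_fb.mod"
    printf 'tampered\n' > "$tmp/root/usr/lib/grub/i386-pc/boot.img"
    printf 'module\n'   > "$tmp/root/boot/grub/video_fb.mod"
    {
        printf '%s  usr/lib/grub/i386-pc/video_fb.mod\n' "$(printf 'module\n'   | md5sum | cut -d' ' -f1)"
        printf '%s  usr/lib/grub/i386-pc/boot.img\n'     "$(printf 'pristine\n' | md5sum | cut -d' ' -f1)"
        printf '%s  usr/lib/grub/i386-pc/missing.mod\n'  "$(printf 'gone\n'     | md5sum | cut -d' ' -f1)"
    } > "$tmp/info/grub-pc-bin.md5sums"
    printf '%s\n' /usr /usr/lib /usr/lib/grub /usr/lib/grub/i386-pc \
        /usr/lib/grub/i386-pc/video_fb.mod /usr/lib/grub/i386-pc/boot.img \
        /usr/lib/grub/i386-pc/missing.mod > "$tmp/info/grub-pc-bin.list"
    check_md5sums "$tmp/info" "$tmp/root"
    unowned_files "$tmp/info" "$tmp/root"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner will want. First, on the machine under suspicion the .md5sums and .list files are themselves writable by whoever planted the backdoor, so they prove nothing unless taken from a trusted copy of the packages: download the .deb files on a clean host, extract their control files with `dpkg-deb -e`, and point the script at that directory instead of /var/lib/dpkg/info. Second, every UNOWNED line is a file the package lists cannot vouch for at all; for those the only answers available are the ones Edwin gives above, regenerate them from a trusted installation (or re-run the postinst that produces them) rather than trying to verify them in place.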

