Re: Script to System Check Integrity against Debian Package Repository
Török Edwin:
> On 09/17/2013 09:45 PM, adrelanos wrote:
>> Situation:
>>
>> * You have a Debian machine, which might be compromised by a backdoor
>> due to a targeted attack. You don't know and want to make sure it's not.
>> For example, a server or a client internet machine.
>
> Why not just reinstall from a trusted source, then restore /etc, /home and /var from backups
> and audit the changes introduced by that only?
>
>>
>> In reality, it seems like many files are auto-generated and not owned by
>> any packages. Some of them even hold binary code, which gets executed
>> during boot. Some examples:
>> - /boot/grub/video_fb.mod
>> - (dpkg -S /boot/grub/video_fb.mod reports not owned by any packages)
>
> It is copied from /usr/lib/grub/i386-pc:
> $ dpkg -L grub-pc-bin | grep video_fb
> /usr/lib/grub/i386-pc/video_fb.mod
Thanks for the technical information. That will help to audit those.
>> - /lib/modules/3.10-2-686-pae/modules.symbols
>> - /etc/ssl/certs/GeoTrust_Global_CA.pem
>> - /etc/ld.so.cache
>> - /etc/rc*.d/*
>> - /usr/lib/python2.7/dist-packages/pygtk.pyc
>> - and many more...
>>
>> It could be quite difficult to get a signed version of some of them or
>> to deterministically freshly generate them?
>
> Aren't they generated by the package's postinst script?
Probably yes, but it the postinst script calls something like
update-mime-database, I am not sure how to compare it's outputs. I must
check first if it's outputs are deterministic (when using the same
versions, of course). Maybe I have to run such commands on the trusted
system to generate those files and then compare with the untrusted
system. Sounds like quite some package specific work.
Reply to: