Re: How to securely verify that package-installed files match originals?

On Thu, 14 Jan 2021 at 21:57, Erik Poupaert <erik@sankuru.biz> wrote:
> Is there a way to audit the installation footprint of a package on one computer from a second computer?

Assuming they're the same versions, something along the lines of;
$ awk '{print $1"  /mnt/audit/"$2}' /var/lib/dpkg/info/dpkg.md5sums | md5sum -c -

$ apt install --reinstall --download-only dpkg=$VERSION
$ dpkg-deb -e /var/cache/apt/archives/dpkg_${VERSION}_${ARCH}.deb /tmp/dpkg
$ awk '{print $1"  /mnt/audit/"$2}' /tmp/dpkg/md5sums | md5sum -c -

I suppose once you've verified that, you could theoretically* run;
$ chroot /mnt/audit dpkg -V

But that's assuming checksums in the dpkg database haven't been modified,
so you'll probably want to download every package;
$ cat > /tmp/apt.conf <<EOF
Dir "/mnt/audit/";
Dir::State::status "/mnt/audit/var/lib/dpkg/status";
Dir::Cache::Archives "/tmp/archives/";
EOF
$ grep-dctrl -FStatus installed -n -s Package \
  /mnt/audit/var/lib/dpkg/status > /tmp/installed
$ mkdir -p /tmp/archives/partial
$ APT_CONFIG=/tmp/apt.conf apt-get install --reinstall --download-only $(cat /tmp/installed)

And finally audit with debsums
$ debsums --all --changed --generate=all --root=/mnt/audit \
  --deb-path=/tmp/archives $(cat /tmp/installed)

* Haven't tested either of these
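Added example (not part of the mail above, and not a Debian tool): the md5sums check the awk one-liner performs, written as a small POSIX sh function that verifies a dpkg-style md5sums file against an alternate root and reports each entry as OK, FAILED (contents differ) or MISSING, returning non-zero if anything is not OK. The function names, the /mnt/audit-style root argument and the demo tree it builds under mktemp are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original mail. Verifies files under an
# alternate root (e.g. a mounted audit image) against a dpkg md5sums
# file. dpkg writes one "<md5>  <relative path>" line per file.

# verify_md5sums ROOT MD5SUMS_FILE
#   ROOT          mount point of the audited filesystem (assumption: /mnt/audit style)
#   MD5SUMS_FILE  a dpkg md5sums file, e.g. /var/lib/dpkg/info/dpkg.md5sums
# Prints one status line per entry; exit status 1 if any entry is not OK.
verify_md5sums() {
    root=${1%/}
    sums=$2
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        hash=${line%% *}
        # drop the hash and the first space, then an optional second
        # space, so both "hash  path" (dpkg) and "hash path" parse
        rel=${line#* }
        rel=${rel# }
        path="$root/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING: $rel"
            status=1
            continue
        fi
        actual=$(md5sum < "$path")
        actual=${actual%% *}
        if [ "$actual" = "$hash" ]; then
            echo "OK: $rel"
        else
            echo "FAILED: $rel"
            status=1
        fi
    done < "$sums"
    return $status
}

# Constructed demo tree: one intact file, one tampered file, one missing
# file. Returns the temporary directory that holds root/ and tool.md5sums.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/usr/bin" "$demo/root/etc"
    printf 'original binary\n' > "$demo/root/usr/bin/tool"
    printf 'tampered config\n' > "$demo/root/etc/tool.conf"
    {
        printf '%s  usr/bin/tool\n' "$(printf 'original binary\n' | md5sum | cut -d' ' -f1)"
        printf '%s  etc/tool.conf\n' "$(printf 'original config\n' | md5sum | cut -d' ' -f1)"
        # md5 of the empty file; usr/lib/tool.so is deliberately absent
        printf '%s  usr/lib/tool.so\n' d41d8cd98f00b204e9800998ecf8427e
    } > "$demo/tool.md5sums"
    echo "$demo"
}

# Stand-alone run: expect OK for usr/bin/tool, FAILED for etc/tool.conf,
# MISSING for usr/lib/tool.so, and a non-zero exit status.
demo=$(make_demo_tree)
verify_md5sums "$demo/root" "$demo/tool.md5sums" || echo "verification found problems under $demo/root"
```

Against a real image the call is just `verify_md5sums /mnt/audit /mnt/audit/var/lib/dpkg/info/PKG.md5sums`; as with the one-liners above, the md5sums file should come from a freshly downloaded .deb rather than from the audited system's own dpkg database, and conffiles listed in the package will legitimately show as FAILED once edited.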

