[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to securely verify that package-installed files match originals?

Hi, there is already useful information from other debianers.
I just list tools and features below.

- debsum
- AIDE[1]
- ...

Features (of Linux kernel)
- IMA-EVM [1]
- fs-verity [3]
- ...

I think the debsum tool is a proper way for your use cases provided that you protect the integrity of checksum files
securely. You need to get the files and isolate them from packages, apt-repository, and the remote filesystem.

[1] https://aide.github.io/
[2] http://linux-ima.sourceforge.net/
[3] https://www.kernel.org/doc/html/latest/filesystems/fsverity.html

2021년 1월 14일 (목) 오후 7:57, Erik Poupaert <erik@sankuru.biz>님이 작성:
I understand that I can run the following command to verify the installation footpring of a package:

dpkg -V <package>

The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.

If the attacker has managed to subvert <package>, he could also have managed to subvert the dpkg audit command itself. Therefore, I cannot trust the self-referential audit:

dpkg -V dpkg

Therefore, I want to run the self-audit of the dpkg command from another system.

So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation foot print of dpkg in /mnt/audit from this second computer.

What command do I execute next on my second computer? Is there an option that allows me to do something similar to the following:

dpkg -V dpkg --remote-target /mnt/audit

Is there a way to audit the installation footprint of a package on one computer from a second computer?

Reply to: