Closed radujipa closed 6 years ago
By installing this on the system we can easily extend it in the future and also run it at OS image build time.
If we ever consider this to be user facing, it would be nice to implement this functionality directly in C++ using https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/src/verify.c#n96 as the library.
radu@kano ~ $ ./system-integrity -------------------------------- Debian Packages Integrity Report -------------------------------- Package apt version 1.4.8 File: /etc/apt/apt.conf.d/01autoremove failed_md5sum: True Package base-files version 9.9+rpi1+deb9u4 File: /etc/issue failed_md5sum: True Package bash version 4.4-5 File: /etc/bash.bashrc failed_md5sum: True File: /etc/skel/.bashrc failed_md5sum: True Package chromium-browser version 60.0.3112.89-0ubuntu0.14.04.1.1010+1 File: /etc/default/chromium-browser failed_md5sum: True Package inetutils-syslogd version 2:1.9.4-2 File: /etc/logrotate.d/inetutils-syslogd failed_md5sum: True File: /etc/syslog.conf failed_md5sum: True Package kano-feedback version 4.0.0-0.20180622 File: /etc/sudoers.d/kano-feedback_conf failed_md5sum: True Package kano-greeter version 4.0.0-0.20180604build3 File: /var/lib/lightdm/.kdeskrc failed_md5sum: True Package kano-init version 4.0.0-0.20180619build1 File: /usr/share/kano-init/systemd_ttys/kanoautologin@.service failed_md5sum: True Package kano-peripherals version 4.0.0-0.20180717build1 File: /etc/sudoers.d/kano-peripherals_conf failed_md5sum: True Package kano-profile version 4.0.0-1.20180702 File: /usr/share/applications/defaults.list failed_md5sum: True Package kano-settings version 4.0.6-0.20180706build2 File: /etc/polkit-1/localauthority/50-local.d/10-udisks.pkla failed_md5sum: True File: /usr/share/kano-settings/media/Parental/parental-hosts-blacklist.gz failed_md5sum: True Package kano-toolset version 4.0.0-0.20180706build2 File: /etc/network/interfaces failed_md5sum: True Package kano-video version 4.0.0-0.20180628 File: /usr/share/applications/auto_video-cli.desktop failed_md5sum: True Package lightdm version 1.18.3-1 File: /etc/lightdm/lightdm.conf failed_md5sum: True Package login version 1:4.4-4.1 File: /etc/pam.d/login failed_md5sum: True Package make-light version 4.0.0-0.20180628 File: /etc/sudoers.d/make-light-powerup_conf failed_md5sum: True File: /etc/sudoers.d/make-light_conf failed_md5sum: True Package make-music version 4.0.0-0.20180613 File: /etc/sudoers.d/make_music_conf failed_md5sum: True Package openbox version 3.6.1-4+rpi6 File: /etc/xdg/openbox/rc.xml failed_md5sum: True Package openbox-lxde-session version 0.99.2-3 File: /etc/xdg/lxsession/LXDE/autostart failed_md5sum: True File: /etc/xdg/openbox/LXDE/rc.xml failed_md5sum: True Package passwd version 1:4.4-4.1 File: /etc/default/useradd failed_md5sum: True Package preload version 0.6.4-2 File: /etc/preload.conf failed_md5sum: True Package procps version 2:3.3.12-3+deb9u1 File: /etc/sysctl.conf failed_md5sum: True Package raspberrypi-sys-mods version 20180328+1 File: /etc/sudoers.d/010_pi-nopasswd failed_md5sum: True Package rpi-chromium-mods version 20180509 Status: rc is_stable: False Package sudo version 1.8.19p1-2.1 File: /etc/sudoers failed_md5sum: True File: /etc/sudoers.d/README failed_md5sum: True Package systemd version 232-25+deb9u2 File: /etc/systemd/system.conf failed_md5sum: True Package wpasupplicant version 2:2.6-15 File: /sbin/wpa_cli failed_md5sum: True File: /sbin/wpa_supplicant failed_md5sum: True ----------------------------------- Outstanding issues data: { "apt": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/apt/apt.conf.d/01autoremove", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "apt", "status": "ii", "type": "debianpackage", "version": "1.4.8" }, "base-files": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/issue", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "base-files", "status": "ii", "type": "debianpackage", "version": "9.9+rpi1+deb9u4" }, "bash": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/bash.bashrc", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": true, "path": "/etc/skel/.bashrc", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "bash", "status": "ii", "type": "debianpackage", "version": "4.4-5" }, "chromium-browser": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/default/chromium-browser", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "chromium-browser", "status": "ii", "type": "debianpackage", "version": "60.0.3112.89-0ubuntu0.14.04.1.1010+1" }, "inetutils-syslogd": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/logrotate.d/inetutils-syslogd", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": true, "path": "/etc/syslog.conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "inetutils-syslogd", "status": "ii", "type": "debianpackage", "version": "2:1.9.4-2" }, "kano-feedback": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/kano-feedback_conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-feedback", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180622" }, "kano-greeter": { "issues": [ { "failed_md5sum": true, "is_conf": false, "path": "/var/lib/lightdm/.kdeskrc", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-greeter", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180604build3" }, "kano-init": { "issues": [ { "failed_md5sum": true, "is_conf": false, "path": "/usr/share/kano-init/systemd_ttys/kanoautologin@.service", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-init", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180619build1" }, "kano-peripherals": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/kano-peripherals_conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-peripherals", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180717build1" }, "kano-profile": { "issues": [ { "failed_md5sum": true, "is_conf": false, "path": "/usr/share/applications/defaults.list", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-profile", "status": "ii", "type": "debianpackage", "version": "4.0.0-1.20180702" }, "kano-settings": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/polkit-1/localauthority/50-local.d/10-udisks.pkla", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": false, "path": "/usr/share/kano-settings/media/Parental/parental-hosts-blacklist.gz", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-settings", "status": "ii", "type": "debianpackage", "version": "4.0.6-0.20180706build2" }, "kano-toolset": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/network/interfaces", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-toolset", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180706build2" }, "kano-video": { "issues": [ { "failed_md5sum": true, "is_conf": false, "path": "/usr/share/applications/auto_video-cli.desktop", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "kano-video", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180628" }, "lightdm": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/lightdm/lightdm.conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "lightdm", "status": "ii", "type": "debianpackage", "version": "1.18.3-1" }, "login": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/pam.d/login", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "login", "status": "ii", "type": "debianpackage", "version": "1:4.4-4.1" }, "make-light": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/make-light-powerup_conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/make-light_conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "make-light", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180628" }, "make-music": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/make_music_conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "make-music", "status": "ii", "type": "debianpackage", "version": "4.0.0-0.20180613" }, "openbox": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/xdg/openbox/rc.xml", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "openbox", "status": "ii", "type": "debianpackage", "version": "3.6.1-4+rpi6" }, "openbox-lxde-session": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/xdg/lxsession/LXDE/autostart", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": true, "path": "/etc/xdg/openbox/LXDE/rc.xml", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "openbox-lxde-session", "status": "ii", "type": "debianpackage", "version": "0.99.2-3" }, "passwd": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/default/useradd", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "passwd", "status": "ii", "type": "debianpackage", "version": "1:4.4-4.1" }, "preload": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/preload.conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "preload", "status": "ii", "type": "debianpackage", "version": "0.6.4-2" }, "procps": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sysctl.conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "procps", "status": "ii", "type": "debianpackage", "version": "2:3.3.12-3+deb9u1" }, "raspberrypi-sys-mods": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/010_pi-nopasswd", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "raspberrypi-sys-mods", "status": "ii", "type": "debianpackage", "version": "20180328+1" }, "rpi-chromium-mods": { "issues": [ { "is_stable": false, "raw_status": "rc", "type": "statusissue" } ], "name": "rpi-chromium-mods", "status": "rc", "type": "debianpackage", "version": "20180509" }, "sudo": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": true, "path": "/etc/sudoers.d/README", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "sudo", "status": "ii", "type": "debianpackage", "version": "1.8.19p1-2.1" }, "systemd": { "issues": [ { "failed_md5sum": true, "is_conf": true, "path": "/etc/systemd/system.conf", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "systemd", "status": "ii", "type": "debianpackage", "version": "232-25+deb9u2" }, "wpasupplicant": { "issues": [ { "failed_md5sum": true, "is_conf": false, "path": "/sbin/wpa_cli", "raw_rpm_checks": "??5??????", "type": "integrityissue" }, { "failed_md5sum": true, "is_conf": false, "path": "/sbin/wpa_supplicant", "raw_rpm_checks": "??5??????", "type": "integrityissue" } ], "name": "wpasupplicant", "status": "ii", "type": "debianpackage", "version": "2:2.6-15" } }
By installing this on the system we can easily extend it in the future and also run it at OS image build time.
If we ever consider this to be user facing, it would be nice to implement this functionality directly in C++ using https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/src/verify.c#n96 as the library.
Sample output: