I've come up with a quick-and-dirty Perl script that uses portage's recorded MD5s in a tripwire fashion.
<code> |
#!/usr/bin/perl |
use strict;
use warnings;
use Digest::MD5 ();
# File-scope list of portage 'obj' records; each element is a hashref with
# the keys file, pkg, md5 and mtime, appended by get_portage_info().
my @files = ();
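# Walk portage's installed-package database and append every 'obj' entry
# found in a package's CONTENTS file to the file-scope @files list, one
# hashref per entry with the keys file, pkg, md5 and mtime.
#
# Arguments: an optional database root; defaults to /var/db/pkg.
# Returns:   the number of entries appended to @files.
#
# NOTE(review): the baseline read here lives on the host being scanned, so
# the check only reports drift between what portage recorded and what is on
# disk; it is not an offline tripwire database.
sub get_portage_info {
    my ($db_root) = @_;
    $db_root = '/var/db/pkg' unless defined $db_root;

    my $added = 0;

    # Lexical handles instead of the bareword CAT/PKG/CONTENTS handles, so a
    # nested opendir can never clobber the outer one.
    opendir my $cat_dh, $db_root or do {
        warn "opendir $db_root: $!";
        return $added;
    };

    CATEGORY:
    foreach my $category (readdir $cat_dh) {
        next CATEGORY if $category =~ /^\./;
        my $cat_path = "$db_root/$category";

        opendir my $pkg_dh, $cat_path or next CATEGORY;

        PACKAGE:
        foreach my $package (readdir $pkg_dh) {
            next PACKAGE if $package =~ /^\./;
            my $contents = "$cat_path/$package/CONTENTS";

            # Three-arg open: the path is assembled from directory entry
            # names, and a two-arg open would let an odd entry name be read
            # as an open mode.
            open my $contents_fh, '<', $contents or next PACKAGE;
            while (my $line = <$contents_fh>) {
                chomp $line;
                # Format: obj <path> <md5> <mtime>.  The path may contain
                # spaces; the greedy (.+) absorbs them because the md5 and
                # mtime fields are anchored at the end of the line.
                if ($line =~ /^obj (.+) (\w+) (\d+)$/) {
                    push @files, {
                        file  => $1,
                        pkg   => "$category/$package",
                        md5   => $2,
                        mtime => $3,
                    };
                    $added++;
                }
            }
            close $contents_fh;
        }
        closedir $pkg_dh;
    }
    closedir $cat_dh;

    return $added;
}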
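# Compare the MD5 of the file on disk with the digest portage recorded.
#
# Arguments: the file path and the hex digest taken from CONTENTS.
# Returns:   true when the digests match; false when they differ, when the
#            recorded digest is missing, or when the file cannot be opened.
#
# The digest is computed in-process with Digest::MD5 instead of
# interpolating the path into an md5sum shell command, so a path that
# contains quotes, '$' or backticks is neither misparsed nor executed.
sub check_md5 {
    my ($file, $portagemd5) = @_;

    return 0 unless defined $portagemd5;

    # :raw so the digest covers the bytes on disk, not a decoded text layer.
    open my $fh, '<:raw', $file or return 0;
    my $currentmd5 = Digest::MD5->new->addfile($fh)->hexdigest;
    close $fh;

    # Hex digests compare case-insensitively.
    return (lc($currentmd5) eq lc($portagemd5));
}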
40 |
|
41 |
# Actual program starts here
# Build the baseline from portage's records, then verify each recorded
# object against the file currently on disk and report every mismatch.
get_portage_info();

for my $entry (@files) {
    next if check_md5($entry->{file}, $entry->{md5});
    print "WARNING! file '$entry->{file}' in $entry->{pkg} has MD5 mismatch\n";
}
</code> |
It doesn't support checking prelinked binaries yet, but I believe the system I ran it on
isn't prelinked. The results for my system can be seen at
<http://www.skylineaero.com/stuff/md5scan.log>. A lot of the Perl mismatches come from
overlapping packages and non-default configs for files in /etc, but I don't know why there
are so many MD5 mismatches for all the Python files. Anyone have any idea?
-- |
Andrew Gaffney |
Network Administrator |
Skyline Aeronautics, LLC. |
636-357-1548 |
-- |
gentoo-security@g.o mailing list |