Gentoo Archives: gentoo-security

From: Andrew Gaffney <agaffney@×××××××××××.com>
To: gentoo-security <gentoo-security@l.g.o>
Subject: [gentoo-security] tripwire-ish portage scanner
Date: Thu, 25 Mar 2004 18:48:00
Message-Id: 40632901.2020102@skylineaero.com

I've come up with a quick n' dirty Perl script to use portage's MD5s in a tripwire fashion.

<code>
#!/usr/bin/perl

use strict;
use warnings;

my @files;

# Collect every regular file ("obj" entry) recorded in portage's CONTENTS files
sub get_portage_info() {
    opendir CAT, "/var/db/pkg" or die "Cannot open /var/db/pkg: $!\n";
    foreach my $category (readdir CAT) {
        next if($category =~ /^\./);
        opendir PKG, "/var/db/pkg/${category}" or next;
        foreach my $package (readdir PKG) {
            next if($package =~ /^\./);
            # Three-argument open: the path is never interpreted as a mode or a pipe
            open CONTENTS, '<', "/var/db/pkg/${category}/${package}/CONTENTS" or next;
            while(<CONTENTS>) {
                # Line format: obj <path> <md5> <mtime>
                if(/^obj (.+) (\w+) (\d+)$/) {
                    push @files, {file => "$1", pkg => "${category}/${package}", md5 => "$2", mtime => "$3"};
                }
            }
            close CONTENTS;
        }
        closedir PKG;
    }
    closedir CAT;
}

# Return true if the file's current MD5 matches the one portage recorded
sub check_md5($$) {
    my ($file, $portagemd5) = @_;
    # List-form pipe open runs md5sum without a shell, so file names containing
    # quotes, backticks or $ are passed through unchanged
    open my $md5sum, '-|', 'md5sum', '--', $file or return 0;
    my $currentmd5 = <$md5sum>;
    close $md5sum;
    # No output (missing or unreadable file) counts as a mismatch
    return 0 unless defined $currentmd5;
    $currentmd5 =~ s/^(\w+) .+$/$1/;
    chomp $currentmd5;

    return ($currentmd5 eq $portagemd5);
}

# Actual program starts here

get_portage_info();

foreach (@files) {
    if(!check_md5($_->{file}, $_->{md5})) {
        print "WARNING! file '$_->{file}' in $_->{pkg} has MD5 mismatch\n";
    }
}
</code>

It doesn't have support for checking prelinked binaries yet, but the system I ran it on
isn't prelinked, I believe. The results for my system can be seen at
<http://www.skylineaero.com/stuff/md5scan.log>. A lot of the Perl stuff is from
overlapping packages, non-default configs for stuff in /etc, but I don't know why there
are so many MD5 mismatches for all the Python stuff. Anyone have any idea?

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


--
gentoo-security@g.o mailing list
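
The script above parses the mtime field of each CONTENTS line but never uses it, and its report lists edited /etc configs and files owned by overlapping packages alongside everything else. The sketch below is an added example in Python, not part of the original post; it sorts each MD5 mismatch into missing, config, rewritten or suspicious. The function names, the category labels and the choice to treat an unchanged mtime as the more suspicious case are assumptions of this example.

```python
import glob, hashlib, os, re
from collections import defaultdict

# Same "obj <path> <md5> <mtime>" line format that the script above parses.
OBJ_RE = re.compile(r"^obj (.+) ([0-9a-f]{32}) (\d+)$")

def parse_contents(pkg, text):
    """Yield (path, pkg, md5, mtime) for each obj line of one CONTENTS file."""
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            yield m.group(1), pkg, m.group(2), int(m.group(3))

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(entries, root="/"):
    """Return {path: reason} for each recorded file that fails its MD5 check."""
    owners = defaultdict(list)          # path -> [(md5, mtime), ...] across packages
    for path, _pkg, md5, mtime in entries:
        owners[path].append((md5, mtime))
    report = {}
    for path, recs in owners.items():
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            report[path] = "missing"
        elif md5_of(real) in {md5 for md5, _ in recs}:
            continue                    # matches one owner: overlap, not a change
        elif path.startswith("/etc/"):
            report[path] = "config"     # probably a locally edited config file
        elif int(os.stat(real).st_mtime) not in {mt for _, mt in recs}:
            report[path] = "rewritten"  # content and mtime both changed since install
        else:
            report[path] = "suspicious" # content changed, recorded mtime kept
    return report

if __name__ == "__main__":
    entries = []
    for f in glob.glob("/var/db/pkg/*/*/CONTENTS"):
        pkg = "/".join(f.split("/")[4:6])
        with open(f, errors="replace") as fh:
            entries += parse_contents(pkg, fh.read())
    for path, reason in sorted(triage(entries).items()):
        print(f"{reason:10} {path}")
```

A file that matches the MD5 recorded by any one of its owning packages is not reported, which removes the overlapping-package noise the post mentions.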

Replies

Subject Author
Re: [gentoo-security] tripwire-ish portage scanner Michel Wilson <michel@×××××××.net>