Checking system integrity

I looked around for a solution to check an installed PureOS/Debian system against given repositories.

The checking should be done by starting a program/script in a rescue system that has access to the filesystem(s) of the system to be checked (boot from cd, boot from usb, connect hard drive to a trusted computer, etc.).

Features:

  • should be startable from a boot-cd or boot-usb
  • gives back a status for all files in a given directory tree which contains a Debian / PureOS system
  • status of each file is either known good, config file changed, known bad, unknown
  • compares files to content of given repositories
  • should not rely on data that has been gathered ahead of checking (like e.g. tiger package or debsums)

File status explanation:

  • known good: the file is owned by a package and is binary equal to the file(s) from the repositories
  • config file changed: the file is owned by a package and known as a config file and has been changed
  • known bad: the file is owned by a package, is not a config file and binary differs from the file downloaded from at least one repository
  • unknown: file is not owned by a package (and should probably be checked by other means)

I didn’t find anything with this functionality. Does anybody know of any software which can do this?
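A sketch of the classification described in the post above, added here as an example; it is not code from the original post or from any existing project. It assumes that a manifest of expected SHA-256 hashes and the set of conffiles have already been extracted from the repository packages (hypothetical inputs; fetching them from the repositories is outside the example). It walks a mounted filesystem and assigns each file one of the four statuses, plus a fifth status, "missing", for packaged files absent from disk, which the post does not list. The sample tree is constructed inside the script so it runs offline.

```python
"""Classify every file under a mounted root against a package manifest.

Added example: the manifest and conffile set are assumed to have been
extracted from the repository .deb files beforehand (hypothetical input).
"""
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_GOOD = "known good"
CONFIG_CHANGED = "config file changed"
KNOWN_BAD = "known bad"
UNKNOWN = "unknown"
MISSING = "missing"  # extra status, not one of the four in the post


def sha256_of(path):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_tree(root, manifest, conffiles):
    """Walk `root` (the filesystem to check) and classify each regular file.

    manifest:  {relative_path: sha256} for every file shipped by the
               installed packages (assumed extracted from the repositories)
    conffiles: set of relative paths the packages mark as conffiles
    Returns {relative_path: status}.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                # A real tool would compare the link target with the package
                # metadata; links are skipped in this example.
                continue
            rel = full.relative_to(root).as_posix()
            expected = manifest.get(rel)
            if expected is None:
                result[rel] = UNKNOWN          # not owned by any package
            elif sha256_of(full) == expected:
                result[rel] = KNOWN_GOOD       # byte-identical to the repository copy
            elif rel in conffiles:
                result[rel] = CONFIG_CHANGED   # packaged conffile, edited locally
            else:
                result[rel] = KNOWN_BAD        # packaged non-conffile, content differs
    for rel in manifest:
        result.setdefault(rel, MISSING)        # shipped by a package, gone from disk
    return result


def demo():
    """Constructed sample: a clean 'repo' copy and a tampered 'system' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        system = Path(tmp) / "system"
        shipped = {  # constructed package contents
            "usr/bin/tool": b"\x7fELF original binary\n",
            "usr/lib/tool/helper.so": b"\x7fELF helper\n",
            "etc/tool.conf": b"# default config\n",
            "usr/share/doc/tool/README": b"docs\n",
        }
        conffiles = {"etc/tool.conf"}
        for base in (repo, system):
            for rel, data in shipped.items():
                p = base / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        manifest = {rel: sha256_of(repo / rel) for rel in shipped}
        # Tamper with the system copy: replaced binary, edited conffile,
        # a file no package owns, and a deleted doc file.
        (system / "usr/bin/tool").write_bytes(b"\x7fELF trojaned binary\n")
        (system / "etc/tool.conf").write_bytes(b"# admin edited\n")
        extra = system / "usr/local/bin/extra"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"not from any package\n")
        (system / "usr/share/doc/tool/README").unlink()
        return classify_tree(system, manifest, conffiles)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:20} {rel}")
```

In a rescue system the root would be the mount point of the disk under examination, and the manifest would have to be built from the package versions recorded on that disk; the example only shows the comparison step, not how to obtain the repository copies.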

While an interesting idea, I’m curious about the practicality: with each package file having multiple iterations, this would have to check against every possible iteration, which I suspect would be very time consuming. And would a file that was downgraded count as ok, bad (might have been downgraded to take advantage of an exploit), modified (may have been intentionally downgraded by the owner of the system for another package), or ???

The idea is interesting to me; these are just my initial thoughts on some challenges with the concept. I too would love to hear of something like this that has been thoroughly thought out.

While not exactly what you asked for, maybe have a look at Tripwire or AIDE?

Wikipedia also has a comparison of Intrusion Detection Systems.

Some/most (?) of these tools work by comparing a known good state with the current state, so ideally you should run them directly after installing your system, plus before and after every upgrade. And to be able to trust the results, you need to save the state on external media, so malware can’t alter it.

In addition, you could use the OpenSCAP workbench to check that installed files match what is in the repos. It has a profile for Debian that probably works for PureOS.

Another auditing tool to consider is Lynis.

Be aware, though, that these tools check a very large list of things, and you will get reports that require deep knowledge of your system to understand. Don’t blindly apply the suggested fixes! I did, leading to breakage…

@OpojOJirYAlG

Very good point!

I think this doesn’t matter - at least in the context I’m thinking about. One would start the validation and just wait the time that is needed. I’m not thinking of production systems in use. My initial thought went more in the direction of forensics and validating a preinstalled new computer.

Good question. I’d suggest the following:

By going through all the packages and their versions used in the system, it would be possible to determine which was the latest version of each package at the point in time when the newest package had been installed.

Any package older than its version at that point in time would be suspicious - at least “unknown”.

Well, either someone can point us to known software, or maybe a good concept will emerge from the discussion that could be made into a project.

From the points you made I’d think that maybe doing all the checking online against the repos is indeed a bit complicated and the process should maybe be split in two parts:

  • gathering information needed
  • comparing systems against the gathered information

@lipu

Thanks a lot for all the suggestions. I had already looked into some of the software and looked at their descriptions again.

I didn’t find which part of the projects might serve the function I’m looking for. If I missed it and you know it, please point me in the right direction.

Generally I’d think that intrusion detection is something different from an integrity check of a system (which I’m looking for). The integrity of a system (compared to the repositories it had been installed from) can also be broken by e.g. a bad disk sector - totally without any attacker, just product quality and wear.

Edit: Just found debsum2 and an adapted version for python3.

Didn’t look closer, but looks like it provides some of the functionality.

Sorry, I now realize I didn’t read your initial post thoroughly enough. You clearly wanted to avoid relying on data gathered beforehand, so that excludes Tripwire et al.

OpenSCAP could still be an option for you; it does do two integrity checks on Fedora:

  • Verify and Correct File Permissions with RPM
  • Verify File Hashes with RPM

It might use debsums in the Debian profile, but I don’t know.