The Linux Page

Checking integrity of a Debian installation

You can check that all the packages currently installed on a Debian-based system (Debian, Ubuntu, etc.) are still intact with many different tools.

Root Kits

I run rkhunter to check for rootkits.

Some hackers replace a well-known command such as ls or cat with a version that takes over your computer by becoming root without your consent and then hacking your system in all sorts of ways. In most cases, just installing such a tool already requires the hacker to have root access, so it generally doesn't happen, but better safe than sorry!

File Changes

I use tripwire to verify that system files do not change unless they were updated.

A set of system files should never change. For example, the /usr/bin/ls command changes very rarely. A tool such as tripwire checks each system file and emits a message whenever it detects a change. It checks permissions, date/time, size, MD5 sum, and several other attributes on a large set of files (all the files under /usr/bin and /usr/lib, for example).

The output of tripwire is sent to you by email so you can verify that you get what's expected (some things change all the time, and if you don't see those changes, something's wrong!)

The tripwire utility can even be used on a standalone server because the files that tell it whether something changed are protected by a key. Unless the hacker knows the passphrase, it will not be possible for him/her to prevent you from learning that something happened. It won't tell you what, but you'll know that something is awry.

Integrity Test

To see whether a file was modified, you can first check it using debsums. If that reports an error, you already know that something's fishy. The simplest usage is:

debsums <package name>

If you suspect that a file changed but don't know which package it comes from, try:

dpkg -S /full/path/to/file

The output looks like <package name>: /full/path/to/file.

The problem with debsums is that it is easy for someone to go and fix the MD5 sum in the dpkg database. Very easy. So you cannot trust that tool when it tells you that everything checks out.

However, if it tells you that everything is okay and you still have doubts (you should!), you can always download the package from a trusted source (Debian, Ubuntu, etc.) and run the following command:

dpkg --fsys-tarfile <package>.deb | tar -C / -d

(Source: http://en.usenet.digipedia.org/thread/18248/14523/ )

This command extracts the data.tar.gz archive from the specified .deb package and compares its files to the installed files using the tar tool.

Of course, if you think that dpkg and/or tar were tampered with, this may not work quite right either. As a last resort, you can reboot that server from a USB dongle or a CD and run a Linux live system, which can then download the package and run the dpkg ... | tar ... command line. Then you'll know for sure.

Obviously, you want to make sure that you get the correct version of the package (i.e. you need to know exactly which version you have installed). You can list all your packages and versions with:

dpkg --list

(if you're on your live CD, make sure to tell dpkg to look at the right database...)
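The whole procedure (dpkg -S to find the owner, the installed version, a fresh download, then dpkg --fsys-tarfile | tar -d) as one added script; this is example code, not from the original page. It assumes apt-get can reach a mirror that still carries the installed version, and its optional ROOT argument covers the live-CD case by pointing both dpkg's database and tar's comparison at the mounted system.

```shell
#!/bin/sh
# Added example (not part of the original page): verify the package that owns
# one file against a freshly downloaded copy of that package.
# Usage: sh verify_owner.sh /usr/bin/ls [ROOT]
# ROOT defaults to "/". From a live CD with the suspect system mounted at
# /mnt, pass /mnt so that dpkg reads /mnt/var/lib/dpkg and tar compares
# against /mnt instead of the live system.
set -eu

# Pull the owning package out of "dpkg -S" output such as "coreutils: /bin/ls".
# "diversion by ... from:/to:" lines are skipped, a multi-owner line
# ("a, b: /path") yields the first owner, and "pkg:arch: /path" yields pkg.
owner_from_dpkg_s() {
    printf '%s\n' "$1" | sed -n '/^diversion by /d; s/^\([^,:]*\)[,:].*$/\1/p' | head -n 1
}

verify_owner() {
    file=$1
    root=${2:-/}
    admindir=$root/var/lib/dpkg
    owner_line=$(dpkg-query --admindir="$admindir" -S "$file") || {
        echo "$file is not owned by any package: treat it as suspicious" >&2
        return 2
    }
    pkg=$(owner_from_dpkg_s "$owner_line")
    # Installed version, so the comparison is against the exact same build.
    ver=$(dpkg-query --admindir="$admindir" -W -f '${Version}' "$pkg")
    echo "$file belongs to $pkg $ver"

    # Fetch the .deb from the configured apt mirror (the live system's
    # sources when ROOT is not /); apt-get download writes it to the cwd.
    workdir=$(mktemp -d)
    ( cd "$workdir" && apt-get download "$pkg=$ver" )
    set -- "$workdir"/"${pkg}_"*.deb
    deb=$1

    # tar -d exits non-zero and lists every differing attribute of every file
    # in the package. Differences in conffiles, or mtime differences on files
    # touched by postinst, are expected; a changed size on /usr/bin/ls is not.
    if dpkg --fsys-tarfile "$deb" | tar -C "$root" -d; then
        echo "OK: $pkg matches the downloaded package"
        rm -rf "$workdir"
        return 0
    fi
    echo "MISMATCH: inspect the differences above (kept $deb)" >&2
    return 1
}

[ $# -eq 0 ] || verify_owner "$@"
```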