• How to securely verify that package-installed files match originals?

    From Erik Poupaert@21:1/5 to All on Thu Jan 14 12:00:01 2021
    I understand that I can run the following command to verify the
    installation footprint of a package:

    dpkg -V <package>

    The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.

    If the attacker has managed to subvert <package>, he could also have
    managed to subvert the dpkg audit command itself. Therefore, I cannot trust
    the self-referential audit:

    dpkg -V dpkg

    Therefore, I want to run the self-audit of the dpkg command from another system.

    So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation footprint
    of dpkg in /mnt/audit from this second computer.

    What command do I execute next on my second computer? Is there an option
    that allows me to do something similar to the following:

    dpkg -V dpkg --remote-target /mnt/audit

    Is there a way to audit the installation footprint of a package on one
    computer from a second computer?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Blough@21:1/5 to Erik Poupaert on Thu Jan 14 15:10:02 2021
    I haven't tried it with your use case, but you may be able to use
    debsums[1] for this. I know it has a bunch of options, including
    options to specify a list of checksums and directory to check.

    [1] https://tracker.debian.org/pkg/debsums


    On Thu, Jan 14, 2021 at 05:56:29PM +0700, Erik Poupaert wrote:
    > I understand that I can run the following command to verify the
    > installation footprint of a package:
    >
    > dpkg -V <package>
    >
    > The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.
    >
    > If the attacker has managed to subvert <package>, he could also have
    > managed to subvert the dpkg audit command itself. Therefore, I cannot trust the self-referential audit:
    >
    > dpkg -V dpkg
    >
    > Therefore, I want to run the self-audit of the dpkg command from another system.
    >
    > So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation footprint of dpkg in /mnt/audit from this second computer.
    >
    > What command do I execute next on my second computer? Is there an option
    > that allows me to do something similar to the following:
    >
    > dpkg -V dpkg --remote-target /mnt/audit
    >
    > Is there a way to audit the installation footprint of a package on one computer from a second computer?

    --
    GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84

  • From Joel W Shea@21:1/5 to Erik Poupaert on Thu Jan 14 16:40:03 2021
    On Thu, 14 Jan 2021 at 21:57, Erik Poupaert <erik@sankuru.biz> wrote:

    > Is there a way to audit the installation footprint of a package on one computer from a second computer?

    Assuming they're the same versions, something along the lines of;
    $ awk '{print $1" /mnt/audit/"$2}' /var/lib/dpkg/info/dpkg.md5sums |md5sum -c -

    Otherwise;
    $ apt install --reinstall --download-only dpkg=$VERSION
    $ dpkg-deb -e "/var/cache/apt/archives/dpkg_${VERSION}_${ARCH}.deb" /tmp/dpkg
    $ awk '{print $1" /mnt/audit/"$2}' /tmp/dpkg/md5sums |md5sum -c -

    I suppose once you've verified that, you could theoretically* run;
    $ chroot /mnt/audit dpkg -V

    But that's assuming checksums in the dpkg database haven't been modified,
    so you'll probably want to download every package;
    $ cat > /tmp/apt.conf <<EOF
    Dir "/mnt/"
    {
      State::status "/mnt/audit/var/lib/dpkg/status";
      Cache "/tmp/archives";
    };
    EOF
    $ grep-dctrl -FStatus installed -n -s Package \
        /mnt/audit/var/lib/dpkg/status > /tmp/installed
    $ mkdir -p /tmp/archives/partial
    # --reinstall --download-only: only fetch the .debs; nothing is installed on the auditing machine
    $ APT_CONFIG=/tmp/apt.conf apt-get install --reinstall --download-only $(cat /tmp/installed)

    And finally audit with debsums
    $ debsums --all --changed --generate=all --root=/mnt/audit \
        --deb-path=/tmp/archives $(cat /tmp/installed)

    * Haven't tested either of these

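Added example, not part of any post in this thread: the `awk ... | md5sum -c -` check suggested above follows symlinks, so an absolute symlink on the mounted disk resolves to a file on the trusted auditing machine and is reported as intact. The sketch below runs the same md5sums comparison but flags any listed path that resolves outside the mounted root; `audit_md5sums` and `demo_audit` are hypothetical names, the sample tree is constructed, GNU `realpath` and `md5sum` are assumed, and the md5sums list is assumed to come from a trusted copy of the package.

```shell
#!/bin/sh
# Added example: audit a package's files on a mounted root against a trusted
# md5sums list. Function names are hypothetical; needs GNU realpath, md5sum.

# audit_md5sums ROOT MD5SUMS: print "<STATUS> <path>" per list entry and
# return 1 if any entry is not OK.
audit_md5sums() {
    root=$(realpath -e -- "$1") || return 2
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        want=${line%% *}    # digest: everything before the first space
        rel=${line#*  }     # path: after the two-space separator, spaces kept
        # Resolve symlinks, then require the result to stay inside ROOT.
        real=$(realpath -e -- "$root/$rel" 2>/dev/null) ||
            { echo "MISSING $rel"; rc=1; continue; }
        case $real in
            "$root"/*) ;;
            *) echo "OUTSIDE $rel"; rc=1; continue ;;
        esac
        got=$(md5sum < "$real")
        if [ "${got%% *}" = "$want" ]; then
            echo "OK $rel"
        else
            echo "CHANGED $rel"; rc=1
        fi
    done < "$2"
    return "$rc"
}

# Constructed sample: a throwaway "mounted root" holding one intact file, one
# modified after the list was made, one absolute symlink and one deleted file.
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/root/usr/bin"
    for f in dpkg dpkg-deb dpkg-split dpkg-query; do
        echo "original $f" > "$d/root/usr/bin/$f"
        (cd "$d/root" && md5sum "usr/bin/$f") >> "$d/md5sums"
    done
    echo "tampered" > "$d/root/usr/bin/dpkg-deb"
    ln -sf /bin/sh "$d/root/usr/bin/dpkg-split"   # target is on the auditing host
    rm "$d/root/usr/bin/dpkg-query"
    audit_md5sums "$d/root" "$d/md5sums" || true
    rm -rf "$d"
}

demo_audit
```

MD5 here only mirrors the format of dpkg's md5sums files; the result is as trustworthy as the source of the list, not more.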
  • From Davide Prina@21:1/5 to Erik Poupaert on Thu Jan 14 18:40:01 2021
    On 14/01/21 11:56, Erik Poupaert wrote:

    > dpkg -V <package>
    >
    > The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.

    as suggested you can use debsums

    you can also use

    * to detect missing or unexplained files
    cruft

    Note: the output can be very, very long; save it to a file and set the
    --ignore flag to directories where you are sure there are no problems

    * to detect rootkits
    chkrootkit
    rkhunter

    If your system is compromised and you are trying to understand where they
    came in from, or you want to check for vulnerabilities on your system, you
    can use (I have never tried these):
    checksecurity
    tiger

    To see open security bugs on installed packages:
    debian-security-support

    Note that, in theory, your system can be compromised with code in
    RAM/GPU MEMORY/BIOS/UEFI/...
    For RAM and similar you can solve it by restarting your PC with a trusted
    system, but for the others you are normally unable to check if something is
    wrong, and it can be that you cannot start a trusted system from that PC

    I'm not a security expert, but I find these things very interesting...

    Ciao
    Davide

  • From JungHwan Kang@21:1/5 to All on Fri Jan 15 01:20:01 2021
    Hi, there is already useful information from other debianers.
    I just list tools and features below.

    Tools
    - debsums
    - AIDE [1]
    - ...

    Features (of Linux kernel)
    - IMA-EVM [2]
    - fs-verity [3]
    - ...

    I think the debsums tool is a proper way for your use cases provided that
    you protect the integrity of checksum files securely. You need to get the
    files and isolate them from packages, apt-repository, and the remote filesystem.


    [1] https://aide.github.io/
    [2] http://linux-ima.sourceforge.net/
    [3] https://www.kernel.org/doc/html/latest/filesystems/fsverity.html

    On Thu, Jan 14, 2021 at 7:57 PM, Erik Poupaert <erik@sankuru.biz> wrote:

    > I understand that I can run the following command to verify the
    > installation footprint of a package:
    >
    > dpkg -V <package>
    >
    > The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.
    >
    > If the attacker has managed to subvert <package>, he could also have
    > managed to subvert the dpkg audit command itself. Therefore, I cannot trust the self-referential audit:
    >
    > dpkg -V dpkg
    >
    > Therefore, I want to run the self-audit of the dpkg command from another system.
    >
    > So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation footprint of dpkg in /mnt/audit from this second computer.
    >
    > What command do I execute next on my second computer? Is there an option
    > that allows me to do something similar to the following:
    >
    > dpkg -V dpkg --remote-target /mnt/audit
    >
    > Is there a way to audit the installation footprint of a package on one computer from a second computer?



  • From Georgi Guninski@21:1/5 to erik@sankuru.biz on Fri Jan 15 07:40:02 2021
    On Thu, Jan 14, 2021 at 12:57 PM Erik Poupaert <erik@sankuru.biz> wrote:


    > So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation footprint of dpkg in /mnt/audit from this second computer.

    As pointed out by others, integrity of checksums doesn't guarantee lack of a backdoor, since the backdoor can be in other places, not seen by
    mount(8).
