#!/bin/bash # Scan an ArchLinux system against the official packages for modification or # tampering of installed files # Copyright (c) 2009, Olivier Mehani # All rights reserved. # # $Id$ # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. # 3. Neither the name of Olivier Mehani nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # PACKAGES=`pacman -Qs | sed -n "s#local\/\([-a-z0-9_]\+\) \([-\.0-9a-z]\+\).*#\1-\2#p"` CACHEDIR="/var/cache/pacman/pkg" WORKDIR=`mktemp -t -d arch_check.XXXXXXXXXX` LOGFILE=`pwd`/arch_check.`date +%Y%m%d-%H%M` echo "Checking installed Arch system against packages" echo ">> Considering `echo ${PACKAGES} | wc -w` packages" echo ">> Working in ${WORKDIR}" cat >> ${LOGFILE} << EOF $0 started at `date` Workdir: ${WORKDIR} EOF for PKG in ${PACKAGES}; do echo ">> Considering ${PKG}" cd ${WORKDIR} rm -rf * pacman -Ss -w ${PKG} PKG_ARCHIVE=`ls ${CACHEDIR}/${PKG}-*.pkg.tar.gz 2> /dev/null` if [ ! -z "${PKG_ARCHIVE}" ]; then tar xzf ${PKG_ARCHIVE} rm -f .PKGINFO .CHANGELOG .INSTALL .FILELIST for FILE in `find . -type f`; do LOCAL_SUM=`md5sum /${FILE} | cut -d" " -f 1` SHIPPED_SUM=`md5sum ${FILE} | cut -d" " -f 1` if [ "${LOCAL_SUM}" != "${SHIPPED_SUM}" ]; then echo "!! MD5 mismatch for \`${FILE}' in \`${PKG_ARCHIVE}' (${LOCAL_SUM} instead of ${SHIPPED_SUM})" echo "MD5 mismatch for \`${FILE}' in \`${PKG_ARCHIVE}' (${LOCAL_SUM} instead of ${SHIPPED_SUM})" >> ${LOGFILE} else LOCAL_SUM=`sha1sum /${FILE} | cut -d" " -f 1` SHIPPED_SUM=`sha1sum ${FILE} | cut -d" " -f 1` if [ "${LOCAL_SUM}" != "${SHIPPED_SUM}" ]; then echo "!! SHA1 mismatch for \`${FILE}' in \`${PKG_ARCHIVE}' (${LOCAL_SUM} instead of ${SHIPPED_SUM})" echo " SHA1 mismatch for \`${FILE}' in \`${PKG_ARCHIVE}' (${LOCAL_SUM} instead of ${SHIPPED_SUM})" >> ${LOGFILE} fi fi done else echo "!! No ${CACHEDIR}/${PKG}-*.pkg.tar.gz found" echo "No ${CACHEDIR}/${PKG}-*.pkg.tar.gz found" >> ${LOGFILE} fi done rm -rf ${WORKDIR}