I want a command to check if the kernel or any files and programs have been maliciously tampered with. pacman -Qkk linux-lts gives me a result of 0 altered files, but I don't know how it considers a file trusted.
pacman -Qkk confirms the file's size, checksum, and permissions have not changed.
Are you checking just because or do you actually suspect that somebody tampered with your system?
pacman -Qkk confirms the file's size, checksum, and permissions have not changed.
I got a sha256 checksum mismatch, a /etc/pacman.d/conf mismatch, size mismatches, permission mismatches and a gid mismatch. Is this normal? How far must the file size and permissions deviate from what is considered normal?
Are you checking just because or do you actually suspect that somebody tampered with your system?
I know the computer has been tampered with but I want to know how I could tell.
I think https://lists.archlinux.org/archives/li … PYIWU75XQ/ also is useful for this purpose if I understand it correctly
Allan wrote: pacman -Qkk confirms the file's size, checksum, and permissions have not changed.
I got a sha256 checksum mismatch, a /etc/pacman.d/conf mismatch, size mismatches, permission mismatches and a gid mismatch. Is this normal? How far must the file size and permissions deviate from what is considered normal?
My guess is you edited a configuration file. Pacman cannot tell the difference between your edits and malicious edits.
among666 wrote: Allan wrote: pacman -Qkk confirms the file's size, checksum, and permissions have not changed.
I got a sha256 checksum mismatch, a /etc/pacman.d/conf mismatch, size mismatches, permission mismatches and a gid mismatch. Is this normal? How far must the file size and permissions deviate from what is considered normal?
My guess is you edited a configuration file. Pacman cannot tell the difference between your edits and malicious edits.
Does this mean the command pacman -Qkk is useless?
Not at all, it gives you a list of files to check against your secure, offsite backups.
Except the databases aren't signed - it's a maintenance tool, not a security one.
If you want to check the system against malicious tampering:
1. this *has* to happen offline (i.e. w/o booting the system, because the compromise might hide itself)
2. You need a known good, external and locked away database of valid hashes for every file on the system - or the entire drive.
A malicious actor could simply shadow binaries in paths not tracked by the package manager (/usr/local) or even attack a specific user w/ LD_LIBRARY_PATH & LD_PRELOAD, so "pacman -Qkk looks good" doesn't indicate "this system hasn't been compromised" at all.
Also the rule of thumb is that a known compromised system can no longer be trusted and has to be nuked and replaced from a known good master/backup - attacks don't require system file replacements at all - a subtle touch-up of the sshd config might get the job done.
And that's even ignoring concerns regarding the UEFI - or that you might have actively (but unknowingly) installed malware and signed off on it.
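As an added illustration of the offline check described in this post (example code, not written by anyone in the thread): build a manifest of every regular file on the target filesystem, pacman-tracked or not, keep it off the machine, and later compare the disk against it from a live medium. It assumes GNU coreutils/findutils (sha256sum, stat -c, find -xdev) and that the suspect disk is mounted read-only at a path such as /mnt/target (a placeholder).

```bash
#!/usr/bin/env bash
# Added example (not from the thread): a two-step offline integrity check.
# Step 1, at a trusted point in time, record EVERY regular file on the target
# filesystem and store the manifest off the machine. Step 2, later, boot a live
# medium, mount the suspect disk read-only (assumed at /mnt/target) and compare.
# Assumes GNU coreutils/findutils. ROOT is a mount point, not "/"; -xdev stays on
# one device, so run it once per mounted filesystem (e.g. also for /boot).

# Print one tab-separated line per file: sha256, "mode uid gid size", and the
# path relative to ROOT. Sorted, so two manifests can also be diffed directly.
make_manifest() {
    local root=${1%/}
    find "$root" -xdev -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %u %g %s' "$f")" "${f#"$root"}"
    done
}

# Compare ROOT against a saved manifest. Prints "changed" (content, mode, owner
# or size differs), "missing" (listed but gone) or "new" (present but never
# listed, e.g. a binary dropped into /usr/local). Returns 0 only if all match.
# Paths containing a tab or newline are not handled.
verify_manifest() {
    local root=$1 manifest=$2 now rc
    now=$(mktemp) || return 2
    make_manifest "$root" >"$now"
    awk -F'\t' '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { saved[$3] = $1 "\t" $2; next }   # pass 1: manifest
        {                                                     # pass 2: live state
            if (!($3 in saved))               { print "new      " $3; bad = 1 }
            else if (saved[$3] != $1 "\t" $2) { print "changed  " $3; bad = 1 }
            seen[$3] = 1
        }
        END {
            for (p in saved) if (!(p in seen)) { print "missing  " p; bad = 1 }
            exit bad
        }' "$manifest" "$now"
    rc=$?
    rm -f "$now"
    return "$rc"
}

# Usage (from a live medium, disk mounted read-only):
#   make_manifest /mnt/target > /media/usb/manifest.txt   # trusted point in time
#   verify_manifest /mnt/target /media/usb/manifest.txt   # later, during the check
```

The manifest also covers /usr/local and every other path pacman does not track, which is exactly what -Qkk cannot do.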