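// Posix is for wimps, clearly.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#include <debian-installer.h>

#ifndef PACKAGES
# define PACKAGES "/var/cache/system-integrity-check/Packages"
#endif
#ifndef PKGLIST
# define PKGLIST "/var/cache/system-integrity-check/pkglist"
#endif
#ifndef OUTLIST
# define OUTLIST "/var/cache/system-integrity-check/outlist"
#endif
#ifndef DEBIANARCH
# error "dude.. gimme a break eh?"
#endif
/* Input lines are compared after their trailing newline has been stripped. */
#define DEBIANARCH_DEB DEBIANARCH ".deb"

/*
 * Strip one trailing '\n' from a getline() buffer in place.
 *
 * @param line  NUL-terminated buffer returned by getline().
 * @param len   length as returned by getline().
 */
static void chomp(char *line, ssize_t len)
{
	if (len > 0 && line[len - 1] == '\n') {
		line[len - 1] = '\0';
	}
}

/*
 * Index one line of Packages under the key "PACKAGE_VERSION".
 *
 * A line is a pool-relative path of the form (noise/)+PACKAGE_VERSION_ARCH.deb
 * with the newline already removed.  Neither '/' nor '_' is legal in a
 * Debian package name, so the last of each delimits the fields and the
 * version never has to be parsed out.  Lines for a foreign architecture
 * (anything but ours and "all") and lines that do not have that shape are
 * ignored.  The same package/version can appear more than once when a
 * package moves between components; the first line wins, so nothing is
 * ever replaced or freed behind the table's back.
 *
 * @param table  table keyed by di_rstring; the heap copies stored as key
 *               and value are owned by the table for the process lifetime.
 * @param line   one Packages line without its newline.
 * @return 0 on success (skipped lines included), -1 on allocation failure.
 */
static int add_packages_line(di_hash_table *table, const char *line)
{
	const char *package = strrchr(line, '/');
	const char *arch = strrchr(line, '_');

	/* Packages is downloaded: a malformed line must not crash the
	 * parser, it is simply not indexed. */
	if (package == NULL || arch == NULL || arch < package) {
		return 0;
	}
	package++;
	arch++;

	if (strcmp(arch, "all.deb") != 0 && strcmp(arch, DEBIANARCH_DEB) != 0) {
		return 0;
	}

	di_rstring *key = malloc(sizeof *key);
	if (key == NULL) {
		return -1;
	}
	/* Everything between the last '/' and the last '_'. */
	key->string = strndup(package, (size_t)(arch - package - 1));
	if (key->string == NULL) {
		free(key);
		return -1;
	}
	key->size = strlen(key->string);

	if (di_hash_table_lookup(table, key) != NULL) {
		/* Duplicate: keep the first occurrence. */
		free(key->string);
		free(key);
		return 0;
	}

	char *value = strdup(line);
	if (value == NULL) {
		free(key->string);
		free(key);
		return -1;
	}
	di_hash_table_insert(table, key, value);
	return 0;
}

/*
 * Resolve one pkglist line against the table and append the result to out.
 *
 * pkglist lines are "PACKAGE VERSION" (see getpkginfo).  Two lines are
 * written per input line: the input line itself, then the matching
 * Packages line, or an empty line when there is no match, so the shell
 * side can read them in pairs and report the missing ones.  An epoch
 * ("1:") is dropped from the version before the lookup because pool file
 * names never carry it.
 *
 * @param table  table filled by add_packages_line().
 * @param line   one pkglist line without its newline; not modified.
 * @param out    destination stream.
 * @return 0 on success, -1 on allocation or write failure (errno set).
 */
static int resolve_pkglist_line(di_hash_table *table, const char *line,
                                FILE *out)
{
	if (fputs(line, out) == EOF || fputc('\n', out) == EOF) {
		return -1;
	}

	const char *sep = strchr(line, ' ');
	const char *match = NULL;
	if (sep != NULL) {
		const char *version = sep + 1;
		const char *epoch = strchr(version, ':');
		if (epoch != NULL) {
			version = epoch + 1;
		}

		/* Build "PACKAGE_VERSION" to mirror the indexed key. */
		size_t name_len = (size_t)(sep - line);
		size_t version_len = strlen(version);
		di_rstring key;
		key.string = malloc(name_len + 1 + version_len + 1);
		if (key.string == NULL) {
			return -1;
		}
		memcpy(key.string, line, name_len);
		key.string[name_len] = '_';
		memcpy(key.string + name_len + 1, version, version_len + 1);
		key.size = name_len + 1 + version_len;

		match = di_hash_table_lookup(table, &key);
		free(key.string);
	}

	/* NOTE for fabio: a missing match (or a line without a version)
	 * is reported to d-i as an empty line for now. */
	if (match != NULL && fputs(match, out) == EOF) {
		return -1;
	}
	return fputc('\n', out) == EOF ? -1 : 0;
}

/*
 * Resolve every package in PKGLIST against PACKAGES and write OUTLIST.
 *
 * Exit status is 0 on success and 1 on any failure.  Diagnostics go to
 * stderr: the caller is a debconf confmodule script, where stdout is the
 * debconf protocol channel and must stay clean.
 */
int main(void)
{
	int rc = 1;
	FILE *packages = NULL;
	FILE *pkglist = NULL;
	FILE *outlist = NULL;
	di_hash_table *table = NULL;
	char *line = NULL;
	size_t cap = 0;
	ssize_t n;

	packages = fopen(PACKAGES, "r");
	if (packages == NULL) {
		fprintf(stderr, "cannot open %s: %s\n", PACKAGES, strerror(errno));
		goto out;
	}
	pkglist = fopen(PKGLIST, "r");
	if (pkglist == NULL) {
		fprintf(stderr, "cannot open %s: %s\n", PKGLIST, strerror(errno));
		goto out;
	}
	outlist = fopen(OUTLIST, "w");
	if (outlist == NULL) {
		fprintf(stderr, "cannot open %s: %s\n", OUTLIST, strerror(errno));
		goto out;
	}

	/* here start the dance :) */
	table = di_hash_table_new(di_rstring_hash, di_rstring_equal);
	if (table == NULL) {
		fprintf(stderr, "cannot allocate package table\n");
		goto out;
	}

	/* Pass 1: index every Packages line we care about. */
	while ((n = getline(&line, &cap, packages)) != -1) {
		chomp(line, n);
		if (add_packages_line(table, line) < 0) {
			fprintf(stderr, "cannot index %s: %s\n", PACKAGES, strerror(errno));
			goto out;
		}
	}
	if (ferror(packages)) {
		fprintf(stderr, "cannot read %s: %s\n", PACKAGES, strerror(errno));
		goto out;
	}

	/* Pass 2: look each installed package up and write the pairs. */
	while ((n = getline(&line, &cap, pkglist)) != -1) {
		chomp(line, n);
		if (resolve_pkglist_line(table, line, outlist) < 0) {
			fprintf(stderr, "cannot write %s: %s\n", OUTLIST, strerror(errno));
			goto out;
		}
	}
	if (ferror(pkglist)) {
		fprintf(stderr, "cannot read %s: %s\n", PKGLIST, strerror(errno));
		goto out;
	}

	/* fclose() flushes: a failure here means OUTLIST is incomplete. */
	if (fclose(outlist) != 0) {
		outlist = NULL;
		fprintf(stderr, "cannot write %s: %s\n", OUTLIST, strerror(errno));
		goto out;
	}
	outlist = NULL;
	rc = 0;

	/* and here it should finish :) */
out:
	/* Table keys and values are process-lifetime; the process is short
	 * lived and exit reclaims them. */
	free(line);
	if (outlist != NULL) {
		fclose(outlist);
	}
	if (pkglist != NULL) {
		fclose(pkglist);
	}
	if (packages != NULL) {
		fclose(packages);
	}
	return rc;
}

system-integrity-check-0.2/debian/0002755000175000000500000000000010630725552016325 5ustar fabbionesrcsystem-integrity-check-0.2/debian/compat0000644000175000000500000000000210341031515017505 0ustar fabbionesrc4 system-integrity-check-0.2/debian/changelog0000644000175000000500000000056410630725477020210 0ustar fabbionesrcsystem-integrity-check (0.2) gutsy; urgency=low * Depends: wget-udeb -- Fabio M. Di Nitto Mon, 04 Jun 2007 08:03:39 +0200 system-integrity-check (0.1) edgy; urgency=low * First release. (Colin Watson) * Itaglish to english translation of debconf template. -- Fabio M. Di Nitto Wed, 23 Aug 2006 17:15:57 +0100 system-integrity-check-0.2/debian/copyright0000644000175000000500000000176110473077604020266 0ustar fabbionesrcThis package was debianized by Fabio M. 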
Di Nitto on Wed, 23 Nov 2005 10:17:04 +0100. Upstream Author: Fabio M. Di Nitto Copyright: Copyright © 2005/2006 Canonical Ltd. This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991. This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Ubuntu systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL'. system-integrity-check-0.2/debian/control0000644000175000000500000000062310630725524017726 0ustar fabbionesrcSource: system-integrity-check Section: debian-installer Priority: optional Maintainer: Fabio M. 
Di Nitto Standards-Version: 3.6.2 Build-Depends: debhelper (>= 4.2.28), libdebian-installer4-dev Package: system-integrity-check Section: debian-installer Priority: optional Architecture: any Depends: rescue-mode, wget-udeb XC-Package-Type: udeb Description: Package Integrity Check system-integrity-check-0.2/debian/rules0000755000175000000500000000075310473101473017403 0ustar fabbionesrc#!/usr/bin/make -f build: $(MAKE) install: build dh_testdir dh_testroot dh_clean -k dh_install -psystem-integrity-check lib install -m 0755 parser debian/system-integrity-check/lib/system-integrity-check/parser binary-indep: # do nothing binary-arch: install dh_testdir dh_testroot dh_strip -a dh_installdebconf -a dh_compress -a dh_fixperms -a dh_installdeb -a dh_gencontrol -a dh_builddeb -a binary: binary-arch binary-indep clean: dh_testdir dh_clean make clean system-integrity-check-0.2/debian/po/0002755000175000000500000000000010473101627016737 5ustar fabbionesrcsystem-integrity-check-0.2/debian/po/POTFILES.in0000644000175000000500000000007310473101615020507 0ustar fabbionesrc[type: gettext/rfc822deb] system-integrity-check.templates system-integrity-check-0.2/debian/po/templates.pot0000644000175000000500000001415110473101626021460 0ustar fabbionesrc# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: fabbione@ubuntu.com\n" "POT-Creation-Date: 2006-08-23 18:34+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: text #. Description #: ../system-integrity-check.templates:1001 msgid "Perform package integrity check" msgstr "" #. Type: text #. 
Description #: ../system-integrity-check.templates:2001 msgid "Package Integrity Check" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "" "Package Integrity Check is a tool that will check the integrity of all the " "known files installed on the system by comparing their information with a " "known source, pulling data from a trusted archive via HTTP." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "" "Running the tool and reading the final report can give the user an " "indication of whether the system has been compromised." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "IMPORTANT NOTES" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "In order to operate the system must have network access (HTTP)." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "" "Package Integrity Check is NOT a full IDS replacement. It can only check " "files recorded in the dpkg database. It will not report any information " "about unknown files. Since it relies on the system dpkg database to decide " "what to check, it is not yet sufficient to detect modifications made by a " "competent attacker." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "" "PIC can take a long time to perform a full scan of the system. In some cases " "its final report might contain false positives." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:2001 msgid "All data in the report must be triple-checked manually." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:3001 msgid "Package Integrity Check completed" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:3001 msgid "The scan of the target system has been completed." msgstr "" #. Type: text #. 
Description #: ../system-integrity-check.templates:3001 msgid "A report of the scan can be found here:" msgstr "" #. Type: text #. Description #. Type: error #. Description #. Type: error #. Description #: ../system-integrity-check.templates:3001 #: ../system-integrity-check.templates:9001 #: ../system-integrity-check.templates:10001 msgid "${SUBST0}" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:3001 msgid "" "Switch to the second console (Alt+F2) to check the report. The report has " "not been stored on the target system." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:3001 msgid "Have a nice day." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:4001 msgid "Running Package Integrity Check" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:5001 msgid "Extracting installed packages list" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:6001 msgid "Fetching ${SUBST0}" msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:7001 msgid "Processing ${SUBST0}" msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:8001 msgid "Unable to gather packages information" msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:8001 msgid "" "Please make sure that /target/var/lib/dpkg/status exists and is a valid " "status file." msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:8001 msgid "A backup copy is usually stored in /target/var/lib/dpkg/status.bak." msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:9001 msgid "Unable to access http://${HOST}/" msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:9001 msgid "There has been an error while fetching" msgstr "" #. Type: error #. 
Description #: ../system-integrity-check.templates:9001 msgid "Please make sure your network is configured properly." msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:10001 msgid "Unable to verify md5 checksum" msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:10001 msgid "There has been an error while verifying" msgstr "" #. Type: error #. Description #: ../system-integrity-check.templates:10001 msgid "" "This error might happen if either ${HOST} is regenerating files or there is " "a generic HTTP proxy between this machine and the server that does not " "expire its cache properly." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:11001 msgid "Unable to verify md5sum of ${SUBST0}. Skipping." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:12001 msgid "Unable to fetch ${SUBST0}. Skipping." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:13001 msgid "" "Unable to find information for ${SUBST0} in version ${SUBST1}. Skipping." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:14001 msgid "${SUBST0}: ${SUBST1} symlink has been changed." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:15001 msgid "${SUBST0}: ${SUBST1} symlink is missing." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:16001 msgid "${SUBST0}: ${SUBST1} file is missing." msgstr "" #. Type: text #. Description #: ../system-integrity-check.templates:17001 msgid "${SUBST0}: ${SUBST1} md5sum mismatch." 
msgstr "" system-integrity-check-0.2/debian/po/output0000644000175000000500000000000710345543677020232 0ustar fabbionesrc2 utf8 system-integrity-check-0.2/debian/system-integrity-check.templates0000644000175000000500000000703510473101600024646 0ustar fabbionesrcTemplate: rescue/menu/system-integrity-check Type: text _Description: Perform package integrity check Template: rescue/system-integrity-check/intro Type: text _Description: Package Integrity Check Package Integrity Check is a tool that will check the integrity of all the known files installed on the system by comparing their information with a known source, pulling data from a trusted archive via HTTP. . Running the tool and reading the final report can give the user an indication of whether the system has been compromised. . IMPORTANT NOTES . In order to operate the system must have network access (HTTP). . Package Integrity Check is NOT a full IDS replacement. It can only check files recorded in the dpkg database. It will not report any information about unknown files. Since it relies on the system dpkg database to decide what to check, it is not yet sufficient to detect modifications made by a competent attacker. . PIC can take a long time to perform a full scan of the system. In some cases its final report might contain false positives. . All data in the report must be triple-checked manually. Template: system-integrity-check/report Type: text _Description: Package Integrity Check completed The scan of the target system has been completed. . A report of the scan can be found here: . ${SUBST0} . Switch to the second console (Alt+F2) to check the report. The report has not been stored on the target system. . Have a nice day. 
Template: system-integrity-check/progress/title Type: text _Description: Running Package Integrity Check Template: system-integrity-check/progress/info-extract Type: text _Description: Extracting installed packages list Template: system-integrity-check/progress/info-fetch Type: text _Description: Fetching ${SUBST0} Template: system-integrity-check/progress/info-pkg Type: text _Description: Processing ${SUBST0} Template: system-integrity-check/dpkg-status-error Type: error _Description: Unable to gather packages information Please make sure that /target/var/lib/dpkg/status exists and is a valid status file. . A backup copy is usually stored in /target/var/lib/dpkg/status.bak. Template: system-integrity-check/wget-error Type: error _Description: Unable to access http://${HOST}/ There has been an error while fetching . ${SUBST0} . Please make sure your network is configured properly. Template: system-integrity-check/md5-check-error Type: error _Description: Unable to verify md5 checksum There has been an error while verifying . ${SUBST0} . This error might happen if either ${HOST} is regenerating files or there is a generic HTTP proxy between this machine and the server that does not expire its cache properly. Template: system-integrity-check/report/md5-check-error Type: text _Description: Unable to verify md5sum of ${SUBST0}. Skipping. Template: system-integrity-check/report/wget-error Type: text _Description: Unable to fetch ${SUBST0}. Skipping. Template: system-integrity-check/report/grep-error Type: text _Description: Unable to find information for ${SUBST0} in version ${SUBST1}. Skipping. Template: system-integrity-check/report/symlink-change Type: text _Description: ${SUBST0}: ${SUBST1} symlink has been changed. Template: system-integrity-check/report/missing-symlink Type: text _Description: ${SUBST0}: ${SUBST1} symlink is missing. Template: system-integrity-check/report/missing-file Type: text _Description: ${SUBST0}: ${SUBST1} file is missing. 
Template: system-integrity-check/report/md5-mismatch Type: text _Description: ${SUBST0}: ${SUBST1} md5sum mismatch. system-integrity-check-0.2/lib/0002755000175000000500000000000010351465173015651 5ustar fabbionesrcsystem-integrity-check-0.2/lib/rescue.d/0002755000175000000500000000000010473102251017347 5ustar fabbionesrcsystem-integrity-check-0.2/lib/rescue.d/90system-integrity-check0000755000175000000500000000702710473102250024064 0ustar fabbionesrc#! /bin/sh -e . /usr/share/debconf/confmodule . /lib/system-integrity-check/envinfo . /lib/system-integrity-check/getpkginfo . /lib/system-integrity-check/wgetfile . /lib/system-integrity-check/checkpkg db_capb db_progress START 0 4 system-integrity-check/progress/title db_progress INFO system-integrity-check/progress/info-extract mkdir -p /var/cache/system-integrity-check wgetfile fatal http://$host/Packages.gz /var/cache/system-integrity-check/Packages.gz wgetfile fatal http://$host/Packages.gz.md5 /var/cache/system-integrity-check/Packages.gz.md5 cd /var/cache/system-integrity-check/ if [ "$(md5sum Packages.gz)" != "$(cat Packages.gz.md5)" ]; then db_subst system-integrity-check/md5-check-error HOST "$host" db_subst system-integrity-check/md5-check-error SUBST0 "http://$host/pool/Packages.gz" db_input critical system-integrity-check/md5-check-error db_go || true exit 1 fi zcat Packages.gz > Packages rm Packages.gz Packages.gz.md5 cd / db_progress STEP 1 if ! 
print_pkg_list_from_status; then db_input critical system-integrity-check/dpkg-status-error db_go || true exit 1 fi db_progress STEP 1 pkgnum="$(cat /var/cache/system-integrity-check/pkglist | wc -l)" if [ $pkgnum -le 0 ]; then db_input critical system-integrity-check/dpkg-status-error db_go || true exit 1 fi # make the progress bar nicer pkgnum="$(expr $pkgnum \* 2)" db_progress STEP 1 /lib/system-integrity-check/parser db_progress STEP 1 db_progress STOP # go for the real check db_progress START 0 $pkgnum system-integrity-check/progress/title while read pkg ver <&9; do read poolname <&9 if [ -n "$poolname" ]; then pkgname="$(basename $poolname).md5" db_subst system-integrity-check/progress/info-fetch SUBST0 "pool/$poolname.md5" db_progress INFO system-integrity-check/progress/info-fetch wgetfile warn "http://$host/pool/$poolname.md5" "/var/cache/system-integrity-check/$pkgname" if [ -f "/var/cache/system-integrity-check/$pkgname" ]; then if validate_md5file "/var/cache/system-integrity-check/$pkgname"; then db_progress STEP 1 # check db_subst system-integrity-check/progress/info-pkg SUBST0 "$pkgname" db_progress INFO system-integrity-check/progress/info-pkg dorealcheck_md5 "/var/cache/system-integrity-check/$pkgname" db_progress STEP 1 else db_subst system-integrity-check/report/md5-check-error SUBST0 "$pkgname" db_metaget system-integrity-check/report/md5-check-error description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." >> "$report" echo "Unable to verify md5sum of /var/cache/system-integrity-check/$pkgname. Skipping." >> "$report" else echo "$RET" >> "$report" fi db_progress STEP 2 fi else db_progress STEP 2 fi else db_subst system-integrity-check/report/grep-error SUBST0 "$pkg" db_subst system-integrity-check/report/grep-error SUBST1 "$ver" db_metaget system-integrity-check/report/grep-error description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." 
>> "$report" echo "Unable to find information for $pkg in version $ver. Skipping." >> "$report" else echo "$RET" >> "$report" fi db_progress STEP 2 fi done 9> "$report" echo "$pkg: $filename symlink is missing." >> "$report" else echo "$RET" >> "$report" fi elif [ "$symlink" != "$(readlink "${TOPDIR}/$filename")" ]; then db_subst system-integrity-check/report/symlink-change SUBST0 "$pkg" db_subst system-integrity-check/report/symlink-change SUBST1 "$filename" db_metaget system-integrity-check/report/symlink-change description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." >> "$report" echo "$pkg: $filename symlink has been changed." >> "$report" else echo "$RET" >> "$report" fi fi ;; md5:) read md5 <&8 read filename <&8 if [ ! -e "${TOPDIR}/$filename" ]; then db_subst system-integrity-check/report/missing-file SUBST0 "$pkg" db_subst system-integrity-check/report/missing-file SUBST1 "$filename" db_metaget system-integrity-check/report/missing-file description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." >> "$report" echo "$pkg: $filename file is missing." >> "$report" else echo "$RET" >> "$report" fi elif [ "$md5" != "$(md5sum "${TOPDIR}/$filename" | cut -d " " -f 1)" ]; then db_subst system-integrity-check/report/md5-mismatch SUBST0 "$pkg" db_subst system-integrity-check/report/md5-mismatch SUBST1 "$filename" db_metaget system-integrity-check/report/md5-mismatch description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." >> "$report" echo "$pkg $filename md5sum mismatch." >> "$report" else echo "$RET" >> "$report" fi fi ;; *) # unknown case, we just do nothing and keep reading the file. 
;; esac done 8<"$1" } system-integrity-check-0.2/lib/system-integrity-check/envinfo0000755000175000000500000000067710351717643023670 0ustar fabbionesrc#!/bin/sh ### This lib is meant to be included by other scripts to set some generic ### vars. host=pkgsum.fabbione.net arch=$(udpkg --print-architecture) ## check TOPDIR if [ -z "${TOPDIR}" ]; then TOPDIR="/target" fi ## determine the Release we are working on if [ -e "${TOPDIR}/etc/lsb-release" ]; then . "${TOPDIR}/etc/lsb-release" fi release=$DISTRIB_CODENAME ## report file target report="/var/log/system-integrity-check-report" system-integrity-check-0.2/lib/system-integrity-check/getpkginfo0000755000175000000500000000322410357416151024344 0ustar fabbionesrc#!/bin/sh ### This lib is supposed to export a set of functions that will print out the ### pkg list, in their versions and a pool path to download the .md5 files. . /lib/system-integrity-check/envinfo # this is the only info on the system we need to rely for now. # later we might implement a print_pkg_list_from_contents. print_pkg_list_from_status() { if [ ! -r ${TOPDIR}/var/lib/dpkg/status ]; then return 1 fi chroot ${TOPDIR} dpkg-query -f'${Status}\n${Package} ${Version}\n' -W > /var/cache/system-integrity-check/pkglist rm -f /var/cache/system-integrity-check/pkglist.tmp while read status <&8; do read line <&8 case "$status" in "install ok installed") echo "$line" >> /var/cache/system-integrity-check/pkglist.tmp ;; *) # hook to handle pkgs that are not in installed state. # deinstall ok config-files seems common. 
;; esac done 8/dev/null; then case "$1" in fatal) db_subst system-integrity-check/wget-error HOST "$host" db_subst system-integrity-check/wget-error SUBST0 "$2" db_input critical system-integrity-check/wget-error db_go || true exit 1 ;; warn) db_subst system-integrity-check/report/wget-error SUBST0 "$2" db_metaget system-integrity-check/report/wget-error description || RET='' if [ -z "$RET" ]; then echo "Unable to fetch debconf translation: using plain english." >> "$report" echo "Unable to fetch $2" >> "$report" else echo "$RET" >> "$report" fi ;; esac fi } system-integrity-check-0.2/server/0002755000175000000500000000000010473102015016375 5ustar fabbionesrcsystem-integrity-check-0.2/server/populate-archive0000755000175000000500000000666710473102015021610 0ustar fabbionesrc#!/bin/bash # version 1.1 set -e sourcepool="$1" destpool="$2" #sourcepool="/srv/archive.ubuntu.com/ubuntu/pool" #destpool="/srv/pkgsum.ubuntu.com/www/ubuntu/pool" lock="$destpool/.lock" if [ ! "$sourcepool" ] || [ ! -d "$sourcepool" ] || [ ! "$destpool" ] || [ ! -d "$destpool" ]; then echo "WOOHOOO! gimme arguments or i won't work. kthxbye!" exit 1 fi if [ -e "$lock" ]; then echo "Lock detected. Exit." exit 0 fi touch "$lock" ## validate md5 (based on the client variant in libs/) validate_md5file() { if [ "$(tail -n 1 "$1")" != "$(head -n -1 "$1" | md5sum | awk '{print $1}')" ]; then echo "Cannot validate md5 file $file" return 1 fi } md5calc() { deb="$1" # check if the md5 exists and validate it. If the md5 is not valid, we regenerate it. # we might hit this situation if for some reasons the script has been aborted while # performing some I/O operations. if [ -e "$destpool/$deb.md5" ]; then if validate_md5file "$destpool/$deb.md5"; then return; fi fi echo "Processing: $deb" # create temporary dir and file tempdir=$(mktemp -d) tempfile=$(mktemp) if [ ! -d "$tempdir" ] || [ ! 
-f "$tempfile" ]; then echo "Unable to create temp dir/file" rm -rf "$tempdir" "$tempfile" exit 1 fi # unpack the deb if ! fakeroot dpkg -x "$deb" "$tempdir"; then echo "Unable to unpack data" rm -rf "$tempdir" "$tempfile" exit 1 fi if ! dpkg -e "$deb" "$tempdir/DEBIAN"; then echo "Unable to unpack metadata" rm -rf "$tempdir" "$tempfile" exit 1 fi # control is the only file that does not land in /var/dpkg/info/$pkgname. # don't process it at all server side, instead of propagating the special # case at client level. rm -f "$tempdir/DEBIAN/control" cd "$tempdir" # make sure we can enter all dirs! find * -type d -exec chmod 755 {} \; # calculate the deb contents md5 for file find * -type f -exec md5sum {} \; | { while read md5 line; do echo -e "md5:\n$md5\n$line"; done } > "$tempfile" # store info about symlinks find * -type l | { while read line ; do echo -e "sym:\n$line" && readlink "$line"; done } >> "$tempfile" cd - 1>/dev/null 2>&1 # change to real path of DEBIAN files pkg="$(basename "$deb" | cut -d "_" -f 1)" sed -i -e 's#DEBIAN/#var/lib/dpkg/info/'$pkg'.#g' "$tempfile" # calculate the md5 of the final file and add it at the end. md5=$(md5sum "$tempfile" | awk '{print $1}') echo "$md5" >> "$tempfile" # get the position in the pool, create the destination dir and move the md5 file. path=$(dirname "$deb") mkdir -p "$destpool/$path" mv $tempfile "$destpool/$deb.md5" chmod 644 "$destpool/$deb.md5" # cleanup leftovers rm -rf "$tempdir" "$tempfile" } # generate the md5sums. cd "$sourcepool" find * -name "*.deb" | { while read line ; do md5calc "$line"; done } cd - 1>/dev/null 2>&1 # clean up old md5 files that don't have a deb in the archive anymore. cd "$destpool" find * -name "*.deb.md5" | \ { while read line; do \ origname=${line%.md5}; \ if [ ! -e "$sourcepool/$origname" ]; then echo "Cleaning: $line" && rm "$line" ; fi \ done } # generate Packages list. This is extremely useful client side. It avoids to trust even # more data. 
We might want to do more here but it can be done later on. cd "$sourcepool" find * -name "*.deb" | gzip -9 - > "$destpool/../Packages.gz.new" cd "$destpool/../" mv Packages.gz.new Packages.gz md5sum Packages.gz > Packages.gz.md5 rm -f "$lock" exit 0 system-integrity-check-0.2/Makefile0000644000175000000500000000060110357433525016540 0ustar fabbionesrcarch=$(shell dpkg-architecture -qDEB_BUILD_ARCH) all: parser parser: parser.c gcc -O3 -W -Wall -DDEBIANARCH=\"$(arch)\" parser.c -o parser -ldebian-installer parser-local: parser.c gcc -g3 -W -Wall -DDEBIANARCH=\"$(arch)\" -DPACKAGES=\"$(CURDIR)/Packages\" -DPKGLIST=\"$(CURDIR)/pkglist\" -DOUTLIST=\"$(CURDIR)/outlist\" parser.c -o parser -ldebian-installer clean: rm -f parser