
From the question How to verify that package-installed files match originals? I understand that you can run the following command for a package:

dpkg -V <package>

The reason why I am carrying out this audit is, however, because I somehow suspect that the system could be compromised.

If the attacker has managed to subvert <package>, he could also have managed to subvert the dpkg audit command itself. Therefore, I cannot trust the self-referential audit:

dpkg -V dpkg

Therefore, I want to run the self-audit of the dpkg command from another system.

So, I mount the disk of this computer as folder /mnt/audit in my second computer, which I still trust. Now, I want to audit the installation footprint of dpkg in /mnt/audit from this second computer. What command do I execute on my second computer? Is there an option that allows me to do something similar to the following:

dpkg -V dpkg --remote-target /mnt/audit

Once I trust the self-audit of dpkg, I should be able to trust its output for <package> as well.

erik

1 Answer

As a general rule, if you suspect that your system has been compromised, you should re-install it. See Process with weird random name consuming significant network and CPU resources. Is someone hacking me? for some useful pointers.

dpkg -V is useful to detect accidental corruption. It relies on local metadata (.md5sum files in /var/lib/dpkg/info), so on a compromised system, there’s no guarantee that this metadata is still accurate. If you want to verify your system externally, you could download all the corresponding packages and check the sums on the system you’re checking against those of the packages, or even re-install all the packages; but that would still leave you exposed — in particular, package metadata doesn’t cover the boot loader and the initramfs.

To address your actual question, dpkg can be run against user-specified directories; for example, to check /mnt/audit while assuming that its contents are mostly trustworthy, run

dpkg --root=/mnt/audit -V dpkg

The administrative and installation directories can be distinguished, so if your auditing system has the same package versions as the audited system, you could run

dpkg --instdir=/mnt/audit -V dpkg

to verify the audited system’s dpkg using the auditing system’s metadata.

Stephen Kitt
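As an added illustration (not part of either post above), the script below re-creates the file-checksum part of `dpkg --admindir=... --instdir=/mnt/audit -V <package>` with coreutils only, so the trusted auditing system never has to execute the suspect disk's dpkg binary. The package name "demo" and the temporary directory tree are constructed for the demonstration; the `.md5sums` layout is the real one dpkg keeps under `/var/lib/dpkg/info`.

```shell
#!/bin/sh
# Re-implements the checksum half of
#   dpkg --admindir=ADMINDIR --instdir=INSTDIR -V PACKAGE
# using md5sum/cut only, so the check never runs the audited disk's dpkg.
# Reads ADMINDIR/info/PACKAGE.md5sums (trusted metadata) and hashes the
# matching files under INSTDIR (the mounted suspect disk).
# Output mimics dpkg -V: "??5?????? /path" for a changed file, "missing   /path"
# for an absent one. Returns 0 when all files match, 1 on any difference,
# 2 when the metadata file itself is unreadable.
verify_pkg_md5sums() {
    admindir=$1; instdir=$2; pkg=$3
    sums="$admindir/info/$pkg.md5sums"
    [ -r "$sums" ] || { echo "no md5sums metadata for $pkg in $admindir" >&2; return 2; }
    status=0
    # .md5sums lines are "<md5>  <relative path>", the same layout md5sum prints.
    while read -r expected path; do
        [ -n "$path" ] || continue
        file="$instdir/$path"
        if [ ! -f "$file" ]; then
            echo "missing   /$path"; status=1; continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "??5?????? /$path"; status=1; }
    done < "$sums"
    return $status
}

# Constructed demo tree (hypothetical package "demo", not a real system):
# admin/ plays the trusted auditing system's /var/lib/dpkg, audit/ plays the
# mounted /mnt/audit. One file is modified after the checksums are recorded.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/admin/info" "$demo/audit/usr/bin" "$demo/audit/usr/share/doc/demo"
    printf 'echo hello\n' > "$demo/audit/usr/bin/demo"
    printf 'docs\n' > "$demo/audit/usr/share/doc/demo/README"
    ( cd "$demo/audit" && md5sum usr/bin/demo usr/share/doc/demo/README ) \
        > "$demo/admin/info/demo.md5sums"
    printf 'echo tampered\n' > "$demo/audit/usr/bin/demo"   # simulate a modified file
    echo "$demo"
}

d=$(make_demo)
verify_pkg_md5sums "$d/admin" "$d/audit" demo    # prints: ??5?????? /usr/bin/demo
echo "exit status: $?"                            # prints: exit status: 1
rm -rf "$d"
```

On a real audit, point `admindir` at the trusted system's `/var/lib/dpkg` (same package versions, as the answer notes) and `instdir` at `/mnt/audit`; the script only reports checksum mismatches, not the permission, owner or mtime fields that dpkg -V also covers.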