3

For reporting and documentation of compliance I like to timestamp and sign the output of certain commands.

For example, for "Checking from terminal if any GUI is installed", I want to document the absence more reliably (note: ... than the screenshots that are usually requested) and in a way that allows copying and pasting across systems, as well as storing the result in external documents and/or having it printed out.

How could this be achieved in a simple manner?

U880D
  • 1,146
  • I've just realized that another use case could be in digital forensics and when working with read-only mounted file systems or analyzing data sets ... – U880D Jul 18 '23 at 14:56

1 Answer

3

Following "Digital signature using openssl" and "Using stdout twice" I came up with the following approach of

echo "$(type Xorg 2>&1; date)" | tee /dev/tty | openssl dgst -sha256 -sign operator.priv.key | xxd -p

together with "Converting binary data to hexadecimal in Shell", resulting in the requested

Output with timestamp and signature

-bash: type: Xorg: not found
Tue Jul 18 10:00:00 CEST 2023

In order to "Preserve line breaks when storing command output to a variable", quotes will be necessary. It is also necessary to "redirect and append both standard output and standard error", since some commands may report to stderr only.


Just for the record, during research I found two other methods to timestamp commands in the CLI, "Prepending a timestamp to each line of output from a command" and "Print current time and date when a command is issued in Linux shell", but haven't tested them yet.

Since the above output is quite useless in documentation if there is no way given for how to reverse it, obviously the question will come up

How to validate the output?

In order to validate the output it will be necessary to "Transform hexadecimal information back to binary" via

# SIG holds the hex signature printed by xxd -p; double quotes so the variable is expanded
echo -n "${SIG}" | xxd -r -p > stdout.sig

and validate it later with

openssl dgst -sha256 -verify operator.pub.key -signature stdout.sig stdout

Full Example for Testing

echo "$(type Xorg 2>&1; echo 'Tue Jul 18 10:00:00 CEST 2023')" | tee stdout | tee /dev/tty | openssl dgst -sha256 -sign operator.priv.key | tee stdout.sig | xxd -p
-bash: type: Xorg: not found
Tue Jul 18 10:00:00 CEST 2023
ba97f858f3c62b71b08d26558eeb761214e5ad88f3511debe3b7976e8589
...
18fa748e271aa97e3399cb933f1cd5b2
openssl dgst -sha256 -verify operator.pub.key -signature stdout.sig stdout
Verified OK

And as it will help for validating the stdout output and the signature file, "How do I compare binary files in Linux?"

U880D
  • 1,146
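
The sign, hex-encode, decode and verify steps from the answer as one round trip, added here as an example that is not part of the original post. The function names, the throwaway key pair and the UTC timestamp format are assumptions; the demo also shows that the signed text must be kept byte for byte (a CRLF conversion during copy and paste breaks verification), while the hex signature may be re-wrapped freely.

```bash
# Added example (not from the original post). Key and file names follow the
# answer; function names and the throwaway demo key are assumptions.

# sign_output KEY OUTFILE CMD [ARGS...]
# Saves CMD's stdout+stderr plus a UTC timestamp to OUTFILE, then prints the
# SHA-256 signature over exactly those bytes as hex (xxd -p wraps lines).
sign_output() {
    _key=$1; _out=$2; shift 2
    { "$@" 2>&1 || true; date -u '+%Y-%m-%dT%H:%M:%SZ'; } > "$_out"
    openssl dgst -sha256 -sign "$_key" "$_out" | xxd -p
}

# verify_output PUBKEY OUTFILE HEXSIG
# Returns 0 only if HEXSIG (line breaks allowed) is a valid signature over
# the bytes stored in OUTFILE.
verify_output() {
    _sig=$(mktemp) || return 1
    printf '%s' "$3" | xxd -r -p > "$_sig"
    _rc=0
    openssl dgst -sha256 -verify "$1" -signature "$_sig" "$2" >/dev/null 2>&1 || _rc=$?
    rm -f "$_sig"
    return "$_rc"
}

# make_demo_keys DIR: throwaway 2048-bit RSA pair, for the demo only.
make_demo_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/operator.priv.key" 2>/dev/null &&
    openssl pkey -in "$1/operator.priv.key" -pubout -out "$1/operator.pub.key"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_keys "$dir" || return 1
    sig=$(sign_output "$dir/operator.priv.key" "$dir/stdout" type Xorg)
    cat "$dir/stdout"; printf '%s\n' "$sig"
    verify_output "$dir/operator.pub.key" "$dir/stdout" "$sig" && echo "Verified OK"
    # Constructed case: the same text after a paste that converts LF to CRLF.
    awk '{ printf "%s\r\n", $0 }' "$dir/stdout" > "$dir/pasted"
    verify_output "$dir/operator.pub.key" "$dir/pasted" "$sig" ||
        echo "pasted copy: verification failed"
    rm -rf "$dir"
}
demo
```

For documentation, keep the `stdout` file itself (or a base64 copy of it) alongside the hex signature rather than relying on text copied from a terminal or a printout.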