LSMS/scripts/verify_deb_packages.py
2022-01-05 20:16:57 +01:00

81 lines
1.9 KiB
Python
Executable file

#!/usr/bin/env python3
# written by sqall
# twitter: https://twitter.com/sqall01
# blog: https://h4des.org
# github: https://github.com/sqall01
#
# Licensed under the MIT License.
"""
Short summary:
Use `debsums` to verify the integrity of installed deb packages using /var/lib/dpkg/info/*.md5sums.
Requirements:
`debsums` installed on system
Reference:
https://www.sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/
"""
import os
from typing import List
from lib.util import output_finding
# Read configuration.
try:
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
from config.verify_deb_packages import ACTIVATED, DEBSUMS_EXE, FILE_WHITELIST
except:
ALERTR_FIFO = None
FROM_ADDR = None
TO_ADDR = None
DEBSUMS_EXE = "debsums"
FILE_WHITELIST = []
ACTIVATED = True
def _process_whitelist(changed_files: List[str]) -> List[str]:
if not FILE_WHITELIST:
return changed_files
new_changed_files = []
for changed_file in changed_files:
if changed_file in FILE_WHITELIST:
continue
new_changed_files.append(changed_file)
return new_changed_files
def verify_deb_packages():
# Decide where to output results.
print_output = False
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
print_output = True
if not ACTIVATED:
if print_output:
print("Module deactivated.")
return
fd = os.popen("%s -c" % DEBSUMS_EXE)
output_raw = fd.read().strip()
fd.close()
if output_raw != "":
changed_files = output_raw.split("\n")
changed_files = _process_whitelist(changed_files)
if changed_files:
message = "Changed deb package files found.\n\n"
message += "\n".join(["File: %s" % x for x in changed_files])
output_finding(__file__, message)
if __name__ == '__main__':
verify_deb_packages()