Heh, for some reason I thought this was on the local linux users group
instead of ubuntu-devel. Hence the more generic language.

Anyway feel free to take the other two points as possible products. My
prototypes have been shell commands followed by simple java apps that did
the same work. In both cases they directly read the files in
/var/lib/dpkg/info or, in a few cases, the naked .deb files. They were
always intended as proof-of-concept demos, not something suitable for
distribution.

The two specific tasks that came up a lot are:

1. List all files under { /bin, /sbin, /usr, /lib, /etc and parts of /var }
that:
  a) are present but not in a package as either a regular file or a
conffile,
  b) are present but have a different md5sum than the package, or
  c) are in an installed package but not present.

This can return a simple list of files that can be used as input to other
applications.

An extension is to check the permissions, e.g., by looking into the .deb
file itself and examining the data.tar.gz file.  There's also always the
standby

   $ find / -perm -4000 -ls    # setuid
   $ find / -perm -2000 -ls    # setgid

to find suid/sgid files in the system. Simply knowing what files should have
these permissions would be helpful.

You can do a quick MD5 sanity check with

    $ cat /var/lib/dpkg/info/*.md5sums | sort | uniq >/tmp/md5sums
    $ cd / && md5sum -c /tmp/md5sums    # paths in *.md5sums are relative to /

2. Create a local package containing modified conffiles.

You can get a list of conffiles from

    $ cat /var/lib/dpkg/info/*.conffiles | sort | uniq >/tmp/conffiles

and convert that to a list of md5 files with a join with a bit of work.
(conffiles have a leading slash on the path, md5sums do not). Then it would
be a simple matter of creating a tarball of the modified files and wrapping
it up so that you can perform all of your customization by installing a
single package.

3. Not related to the original question but I've also wondered about a
hardening package that installs a cron task that's package-aware. That is, I
(should) be regularly performing tasks like:

   $ find / -path /dev -prune -o -type b -ls
   $ find / -path /dev -prune -o -type c -ls

That is, looking for character or block devices that are anywhere but under
/dev. That's never a good thing.

  $ find /home -uid -1000

That is, looking for any system files under /home. Again this is never a
good thing.

There's a dozen or so checks that can be done but in some cases there will
be expected hits, depending upon the actual packages installed. It should be
possible to customize this task so it knows what to ignore and what to flag
as a problem.

Bear
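
The three-way classification from task 1 in the message above, as an added example (not the poster's prototype and not an existing Ubuntu tool). `audit_tree` and `in_scope` are hypothetical names; the script assumes the usual dpkg info layout of absolute paths in `*.list` and `*.conffiles`, and `md5  relative/path` lines in `*.md5sums`.

```shell
#!/bin/sh
# Added example, not the poster's prototype.
# usage: audit_tree ROOT INFODIR DIR...
#   live system: audit_tree / /var/lib/dpkg/info /bin /sbin /usr /lib /etc
# Prints "unpackaged|missing|modified <path>", one finding per line.

in_scope() {    # in_scope PATH DIR...: is PATH one of DIR... or below it?
    q=$1; shift
    for s in "$@"; do
        case $q in "$s"|"$s"/*) return 0 ;; esac
    done
    return 1
}

audit_tree() {
    root=${1%/}; info=$2; shift 2
    work=$(mktemp -d) || return 1

    # Paths dpkg owns: *.list and *.conffiles both hold absolute paths.
    cat "$info"/*.list "$info"/*.conffiles 2>/dev/null |
        LC_ALL=C sort -u > "$work/known"

    # Regular files and symlinks on disk under the chosen directories.
    for d in "$@"; do
        (cd "${root:-/}" && find "./${d#/}" \( -type f -o -type l \) 2>/dev/null) || :
    done | sed 's|^\.||' | LC_ALL=C sort -u > "$work/present"

    # (a) on disk, but not owned as a regular file or conffile
    LC_ALL=C comm -23 "$work/present" "$work/known" | sed 's/^/unpackaged /'

    # (c) owned by an installed package, but absent from disk
    while IFS= read -r p; do
        in_scope "$p" "$@" || continue
        [ -e "$root$p" ] || [ -L "$root$p" ] || echo "missing $p"
    done < "$work/known"

    # (b) on disk with a different MD5; *.md5sums paths have no leading slash
    cat "$info"/*.md5sums 2>/dev/null | LC_ALL=C sort -u |
    while read -r sum rel; do
        in_scope "/$rel" "$@" || continue
        [ -f "$root/$rel" ] || continue     # absent files were reported above
        now=$(md5sum < "$root/$rel" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || echo "modified /$rel"
    done
    rm -rf "$work"
}
```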


On Fri, Oct 7, 2011 at 2:35 AM, Michael Vogt <m...@ubuntu.com> wrote:

> On Thu, Oct 06, 2011 at 05:15:14PM -0600, Bear Giles wrote:
> > I've written a few prototypes and this comes down to four issues. Some of
> > the details below are debian/ubuntu-specific but the same concepts will
> > apply to redhat.
> [..]
> > 2. Packages should NOT be backed up. All you need is the package name and
> > version. Reinstall from .deb and .rpm if necessary since this way you're
> > sure that you never restore compromised files.
>
> You may want to look at the apt-clone package for this part of the
> work, it supports creating/restoring this meta-data.
>
> Cheers,
>  Michael
>
>
> > On Fri, Sep 30, 2011 at 12:01 AM, Gaurav Saxena <grvsaxena...@gmail.com> wrote:
> >
> > > Hello Aaron
> > > Thanks a lot for your quick reply.
> > >
> > > On Fri, Sep 30, 2011 at 10:03 AM, Aaron C. de Bruyn <aa...@heyaaron.com> wrote:
> > >
> > >> In Windows, the ability to snapshot is built into the filesystem.
> > >> In Linux, you must be running a filesystem that supports snapshots.  I
> > >> know LVM supports snapshotting and I believe BTRFS has support, but
> > >> other than that I'm not sure.
> > >>
> > > Yes I read the logic behind windows system restore. But I think we can
> > > take some other approach for this, that will be better as all users won't be
> > > able to spare an extra partition formatted btrfs.
> > >
> > >
> > >> Basically, your program would have to check the file system that is
> > >> used on the computer (remember Linux can have many types of file
> > >> systems mounted at the same time), then (in the case of LVM) make sure
> > >> there's enough free space to snapshot, and finally take the snapshot.
> > >>
> > > Ok. Do I have to snapshot the whole system partition / important system
> > > files to the btrfs partition?
> > >
> > >
> > >> When the snapshots start filling up, you would either need to delete
> > >> them or detect the low space and resize them.
> > >>
> > >> In my personal opinion, snapshotting in Linux is currently a pain in
> > >> the rear.  It sounds like BTRFS could change that, but it's still a
> > >> ways off.
> > >>
> > > Ok. I will try another approach that will be better as suggested by
> > > people here.
> > >
> > >
> > >> -A
> > >>
> > >>
> > >> On Thu, Sep 29, 2011 at 21:00, Gaurav Saxena <grvsaxena...@gmail.com>
> > >> wrote:
> > >> > Hello all,
> > >> > I want to write a windows system restore like program for ubuntu, which
> > >> > will have options for creating restore points for the system and then
> > >> > restoring it back to that point. Also I will as an extension provide support
> > >> > for older version of a file as is in windows currently. I need your help to
> > >> > find how to start with this in ubuntu. I know that I have to snapshot the
> > >> > system when creating a restore point and then restore it. I need some
> > >> > starting pointers so that I can start doing this work. Also if this has
> > >> > already been done please inform me. I got this idea from
> > >> > https://wiki.ubuntu.com/SystemRestore.
> > >> > --
> > >> > Thanks and Regards ,
> > >> > Gaurav
> > >> >
> > >> > --
> > >> > Ubuntu-devel-discuss mailing list
> > >> > Ubuntu-devel-discuss@lists.ubuntu.com
> > >> > Modify settings or unsubscribe at:
> > >> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
> > >> >
> > >> >
> > >>
> > >
> > >
> > >
> > > --
> > > Thanks and Regards ,
> > > Gaurav
> > >
> > >
> > >
>