Lib.rs

Command line utilities
#arch-linux #forensics #compare #packages #read #source #installed

app archlinux-userland-fs-cmp

Forensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source

by kpcyrd

1 unstable release

0.1.0 Jan 31, 2024

#990 in Command line utilities

GPL-3.0-or-later

50KB
895 lines

archlinux-userland-fs-cmp

Forensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source. This utilizes https://archive.archlinux.org, all files not coming from one of those packages are flagged for investigation.

asciicast

Features

  • Not the entire package is fetched from the archive, as soon as the .MTREE has been received the download is aborted. This currently relies on https for security (which is considered acceptable for what it's written for), but for added security could be pointed to an ipfs folder (that has been calculated/authenticated ahead of time).
  • The mounted filesystem is hashed with a thread pool.
  • The scan needs CAP_DAC_READ_SEARCH which usually requires root, but before accessing the mounted filesystem all unneeded kernel capabilities are removed (like CAP_SYS_ADMIN, CAP_SETUID, CAP_DAC_OVERRIDE, ...) and the process is then blocked from re-acquiring them.
  • The mounted filesystem is considered untrusted and may contain malicious changes, parsers are written in memory-safe languages and files are only read, but never executed.
  • The investigating live medium can be any Linux, like Debian or NixOS.

Usage

archlinux-userland-fs-cmp /mnt -x /home -o ~/report.txt

This expects an Arch Linux install to be mounted on /mnt and is going to exclude /mnt/home from the scan.

Testing for development

For development, you may find this command useful:

cargo watch -- cargo run --release -- / -x /home -x /dev -x /proc -x /sys -x /run -x /var/cache -x /var/tmp # -x /var/lib/archbuild -x /nix -x /var/lib/repro ...

To scan a smaller system with shorter output, try:

podman run -it --rm -v "$PWD/target/x86_64-unknown-linux-musl/release/archlinux-userland-fs-cmp:/cmp:ro" archlinux /cmp / -x /sys -x /proc -x /dev -x /var/lib/pacman/local -x /etc/ca-certificates/extracted

Why not paccheck?

pacman can do it's own integrity checks using:

paccheck --sha256sum --quiet

However, the Arch Linux wiki states:

Note: This should not be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.

archlinux-userland-fs-cmp implements this accordingly (use from a live medium is still advised of course).

Dependencies

~16–32MB
~513K SLoC