Re: kernel.org status: hints on how to check your machine forintrusion
From: Jean Delvare
Date: Tue Oct 18 2011 - 11:14:02 EST
Hi Greg,
Yes I know I'm late, sorry about that.
On Fri, 30 Sep 2011 16:59:24 -0700, Greg KH wrote:
> b. Strange directories in /usr/share that do not belong to a package.
> This can be checked on an rpm system with the following bash snippet:
> for file in `find /usr/share/`; do
> package=`rpm -qf -- ${file} | grep "is not owned"`
> if [ -n "$package" ] ; then
> echo "weird file ${file}, please check this out"
> fi
> done
FWIW, the above doesn't work in the general case. For one thing it
fails for files which have a space in their name. But a bigger problem
is that rpm is localized so for any user running a non-English locale,
the grep "is not owned" will not catch anything (in addition to being
slow.) Better just check the value returned by rpm:
find /usr/share -print0 \
| while read -d $'\0' -r file
do
if ! rpm -qf --quiet -- "${file}" ; then
if [ -L "${file}" ] ; then
type=link
elif [ -d "${file}" ] ; then
type=directory
else
type=file
fi
echo "Weird ${type} ${file}, please check this out"
fi
done
Even with this, I'm not convinced, due to the high number of false
positives (generated cache files, directories not explicitly packaged,
etc...) it is hard to make sense of the output. We'd need to fix all
the packages first so that only actual changes are returned by the
script.
I'm also unsure why /usr/share would be a better target than any other
system directory.
--
Jean Delvare
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/