Gentoo creates a mountain of metadata-gold while installing packages. From a security point of view, the digests of installed files are especially interesting. An online integrity check against these can be performed using IMA, the Linux kernel facility that records digests of all executed files. This patch assumes IMA is enabled and assumes the existence of a file /var/db/QTEGRITY containing lines of:

sha256:<digest> file:/some/file

Reproducible: Always
Created attachment 474532 [details, diff] add qtegrity to portage-utils
Created attachment 474678 [details, diff] Fixed description of the flag
Created attachment 475232 [details, diff] Determine IMA digest types No longer assume IMA only publishes sha256 digests but determine the used hash func based on the string prefix.
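As an added illustration of the two record formats being compared here (not code from the attached patches or from portage-utils): parsing one QTEGRITY line and one IMA measurement line, with the digest algorithm chosen from the string prefix as the attachment above describes, then comparing the two. The ima-ng measurement-list layout (PCR, template digest, template name, algo:digest, path) is assumed, and all digests in the test are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Digest algorithms a record may carry; the enum value is the hex digest length. */
typedef enum { ALG_UNKNOWN = 0, ALG_SHA1 = 40, ALG_SHA256 = 64, ALG_SHA512 = 128 } hash_alg;
/* One parsed record: algorithm, hex digest (up to sha512) and file path. */
typedef struct { hash_alg alg; char digest[129]; char path[256]; } digest_entry;

/* Parse "algo:hexdigest" into e; the prefix selects the algorithm, which fixes the hex length. */
static int parse_digest_spec(const char *spec, digest_entry *e)
{
    const char *hex = strchr(spec, ':');
    if (!hex) return -1;
    hex++;
    if (!strncmp(spec, "sha1:", 5)) e->alg = ALG_SHA1;
    else if (!strncmp(spec, "sha256:", 7)) e->alg = ALG_SHA256;
    else if (!strncmp(spec, "sha512:", 7)) e->alg = ALG_SHA512;
    else return -1;                         /* unknown or missing prefix */
    if (strlen(hex) != (size_t)e->alg) return -1;
    memcpy(e->digest, hex, (size_t)e->alg + 1);
    return 0;
}

/* QTEGRITY record: "algo:digest file:/some/file". */
int parse_qtegrity_line(const char *line, digest_entry *e)
{
    char spec[160], file[300];
    if (sscanf(line, "%159s %299s", spec, file) != 2) return -1;
    if (strncmp(file, "file:", 5) || parse_digest_spec(spec, e)) return -1;
    snprintf(e->path, sizeof e->path, "%s", file + 5);
    return 0;
}

/* ima-ng measurement record: "PCR template-digest ima-ng algo:digest path" (assumed layout). */
int parse_ima_line(const char *line, digest_entry *e)
{
    char thash[130], tmpl[16], spec[160];
    if (sscanf(line, "%*d %129s %15s %159s %255s", thash, tmpl, spec, e->path) != 4) return -1;
    return (strcmp(tmpl, "ima-ng") || parse_digest_spec(spec, e)) ? -1 : 0;
}

/* Compare one QTEGRITY record with one IMA record: 1 match, 0 mismatch, -1 malformed. */
int check_lines(const char *qtegrity_line, const char *ima_line)
{
    digest_entry q, m;
    if (parse_qtegrity_line(qtegrity_line, &q) || parse_ima_line(ima_line, &m)) return -1;
    return q.alg == m.alg && !strcmp(q.path, m.path) && !strcmp(q.digest, m.digest);
}
```

A record whose prefix names an unsupported algorithm, or whose hex length does not fit the prefix, is rejected rather than silently compared.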
Created attachment 475294 [details, diff] Allowing adding custom digest With this patch the user can provide a filename; the utility checks whether the file is accessible and is an executable, then records its digest to a customization file.
Created attachment 475298 [details, diff] allow adding custom digest (fix recorded filename)
I'm willing to add this to portage-utils, can you please upload the last version of the new file and add a manpage for your applet? I can't test this myself, so I'll have to rely on you here.
Will do
Created attachment 528952 [details] Man page for qtegrity Here's a man page for this applet. Still working on the C file, hoping to find some time for it in the coming days.
Created attachment 530276 [details] New man page, including new flag to only show successfully matched digests
Created attachment 530278 [details] Complete C file, replacing previous patches Here's the C file. It's changed a bit since the previous patches. I ran it through valgrind and fixed some memory handling. Also I added a flag to optionally show successfully matched digests.
Created attachment 531030 [details] New version, uses pipe-fork-exec and replaces custom digests instead of blindly appending
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=04b4c6834fd83bf0329198c56894bd7dad6f7a6a

commit 04b4c6834fd83bf0329198c56894bd7dad6f7a6a
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-05-18 10:12:40 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-05-18 10:12:40 +0000

    qtegrity: new applet by Sam Besselink for use with IMA, bug #619988

    Bug: https://bugs.gentoo.org/619988

 applets.h                                      |   7 +-
 man/include/qtegrity-70-relevant-files.include |   9 +
 man/include/qtegrity-authors.include           |   1 +
 man/include/qtegrity.desc                      |   8 +
 man/qtegrity.1                                 |  81 ++++
 qtegrity.c                                     | 509 +++++++++++++++++++++++++
 6 files changed, 614 insertions(+), 1 deletion(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47d5c9788b9550078e17aad238fa03cabe20fd46

commit 47d5c9788b9550078e17aad238fa03cabe20fd46
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-05-18 12:27:07 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-05-18 12:27:23 +0000

    app-portage/portage-utils: version bump to v0.71

    Closes: https://bugs.gentoo.org/619988
    Closes: https://bugs.gentoo.org/653202
    Closes: https://bugs.gentoo.org/652312
    Closes: https://bugs.gentoo.org/652720
    Closes: https://bugs.gentoo.org/653032
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-portage/portage-utils/Manifest                               | 2 +-
 .../{portage-utils-0.65.ebuild => portage-utils-0.71.ebuild}     | 8 --------
 2 files changed, 1 insertion(+), 9 deletions(-)