When using checkroot, first make sure that your rpm itself is not compromised, ideally by booting from a CD. If you just want to test it, you may run it directly. Nonetheless, you will need your install DVD to initially retrieve the primary gpg-pubkeys and to verify core packages whose signature has been deemed invalid. If you do not have a second CD-ROM drive, you will either need to remove your boot DVD or mount -o loop a disk image of your DVD, which should be checked with md5sum first. This is necessary since many packages in the oss and non-oss online repos are only available in a different version/release flavour. Alternatively, the keys could initially be downloaded as well, so that you can manage without the install DVD for future releases as long as all signatures are valid. If this tool attracts interest, it is to be included in the rescue console of the install DVD so that this problem no longer occurs.
Before you go ahead and reboot from a clean system, make sure that your system is properly updated by running zypper up. This is especially important for external repos like Packman or libdvdcss, since these repos do not distribute patches but simply replace packages with newer versions. If it becomes necessary to re-download a package header because its signature could not be verified, the newest version needs to be installed already. Unfortunately, libzypp still seems to have some bugs: it sometimes does not recognize the availability of upgrades (Bug 520148). Nonetheless, zypper up actually does more than the openSUSE-updater GUI panel applet.
This tool is based on rpm --verify. The output is roughly the same as for rpm --verify -a, except that it is by default written to a file called verrified.annot and that the file verification lines are annotated with the package they stem from. Additionally, for average files the second column is a - rather than being left out (special files: c-config, d-doc, g-automatically created ghost file that is not initially unpacked), which makes parsing and querying the output easier. rpm -Va lists a lot of files, since a mere change in the time stamp (T) can cause a file to be listed. The interesting files are those whose content has changed (S-size, 5-md5sum, L-link, D-device node). These files warrant further testing; they are put into verified-interesting.annot. If any changes to special core files that are usually altered by a rootkit have been detected, the verification stamps of these files can be found in verified-rootkit.annot (all candidate files for this are initially listed in rootkit.files).
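The filtering described above, as an added example that is not part of checkroot or of the original page: it normalises plain rpm -Va style lines so that the second column is always present, then keeps only lines with an S, 5, L or D change. The function names and the sample lines are constructed for illustration; the exact layout of checkroot's package annotation is not shown on this page, so it is not reproduced here.

```shell
#!/bin/sh
# Added example, not checkroot code. Function names are hypothetical.

# Constructed sample in plain `rpm -Va` layout: flags, optional marker, path.
sample_lines() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/less
..5....T.    /bin/ls
.......T.  d /usr/share/doc/packages/foo/README
missing      /usr/share/man/man1/foo.1.gz
....L....    /usr/lib/libexample.so
EOF
}

# Emit "flags marker path", writing "-" where rpm leaves the marker out,
# so every line has the same number of leading columns.
normalize_verify() {
    awk '{
        flags = $1
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)    # drop the flags column
        marker = "-"
        if (rest ~ /^[cdglr][ \t]+\//) {         # c, d, g, l or r marker present
            marker = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        if (rest !~ /^\//) next                  # skip lines that name no file
        print flags, marker, rest
    }'
}

# Keep only content changes: S (size), 5 (md5sum), L (link), D (device node).
# "missing" lines and timestamp-only (T) lines are dropped.
interesting() {
    normalize_verify | awk '$1 !~ /[a-z]/ && $1 ~ /[S5LD]/'
}

sample_lines | interesting
```

On a live system the same functions can be fed from rpm -Va instead of sample_lines.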
As soon as you have booted, make sure that your install DVD is mounted. Unpack checkroot.tar.gz into a directory on your PATH or into any other directory of your choice (the only precondition: all files need to reside in the same directory).
Change to an empty directory where the output files described above will be written. Make sure you have fully mounted the root partition with write permission (as well as /usr, /boot and /var if you have them on separate partitions). Write access is needed to refresh the public gpg-keys/fingerprints (unless you use -n). Run checkroot rootdir as root (or checkroot --help / head -20 checkroot first). You may want to use the -d option if you want to trust package headers signed with DSA (a crackable encryption algorithm). After checkroot has finished, you may want to run checkroot --restoregpgkeys rootdir to keep the old gpg-keys rather than the set of newly fetched gpg-keys. Note that the newly fetched keys also contain keys for repos that have already been deleted, because packages from these repos may still be installed.