@egberts
Created December 13, 2018 22:08
elf-binary-validation-dpkg.sh
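#!/bin/bash
#
# Check an installed ELF binary, and the shared libraries it links against,
# with debsums, using the Debian packages that apt-file says ship them.
#
# Usage:    <this script> /path/to/binary
# Requires: apt-file (with a populated cache), debsums, ldd
# Status:   0    no library or package error was counted
#           1    no package lists the target at all
#           2    no target was given
#           255  none of the candidate packages for the target verified
#           else the number of library + package errors (capped at 254)
#
# Limits of this check -- treat "OK" as an indicator, not proof of integrity:
#   - debsums compares files with MD5 lists kept on this same host (dpkg's
#     info directory). Whoever can replace a system binary can usually
#     rewrite the matching list too, so on a suspect host verify against
#     packages fetched from a trusted mirror instead.
#   - ldd may run code from the file it inspects (see ldd(1)); only point
#     this script at a binary you would already be willing to execute.
#   - apt-file matches a fixed substring over all known packages, installed
#     or not, and only the first match is used for each library.
#
# Early failures use `return N 2>/dev/null || exit N` so the script behaves
# the same whether it is executed or sourced.

BASENAME=${0##*/}
echo "$BASENAME: Validate target binary and its libraries checksum"

TARGET_BINARY=${1:-}
if [[ -z "$TARGET_BINARY" ]]; then
  echo "Usage: $BASENAME /path/to/binary" >&2
  return 2 2>/dev/null || exit 2
fi

PACKAGES_FOUND=$(apt-file search --fixed-string "$TARGET_BINARY")
if [[ -z "$PACKAGES_FOUND" ]]; then
  echo "No package found for ${TARGET_BINARY}."
  return 1 2>/dev/null || exit 1
fi

# --- Stage 1: the package(s) that ship the target itself -------------------
# More than one package can list the same path, so every candidate is tried.
# The list is fed to the loop with a here-string: no file with a predictable
# name is created in /tmp, which a local user could pre-create or symlink.
PKGS_FOUND=
SUM_PKGS_CNT=0
SUM_PKGS_WARN=0
SUM_PKGS_ERR_NOT_FOUND=0
SUM_PKGS_ERR_HASH=0
while read -r pkg_name _; do
  [[ -n "$pkg_name" ]] || continue
  THIS_PKG=${pkg_name%%:*}          # apt-file prints "package: /path"
  ((SUM_PKGS_CNT++))
  printf 'Trying %s package...' "$THIS_PKG"
  debsums --no-prelink -s "$THIS_PKG" >/dev/null 2>&1
  RETSTS=$?
  case "$RETSTS" in
    0)
      PKGS_FOUND="$PKGS_FOUND $THIS_PKG"
      echo "OK"
      ;;
    1)
      ((SUM_PKGS_WARN++))
      echo "WARN: Debian package invalid/not installed."
      ((SUM_PKGS_ERR_NOT_FOUND++))
      ;;
    2)
      ((SUM_PKGS_WARN++))
      echo "WARN: Debian package checksum error."
      ((SUM_PKGS_ERR_HASH++))
      ;;
    *)
      # Any other status is still a failed verification; say so instead of
      # leaving the "Trying ..." line unfinished.
      ((SUM_PKGS_WARN++))
      echo "WARN: debsums exited with status ${RETSTS}."
      ;;
  esac
done <<<"$PACKAGES_FOUND"

if ((SUM_PKGS_CNT == 0)); then
  echo "No package found for $TARGET_BINARY."
elif ((SUM_PKGS_CNT == SUM_PKGS_WARN)); then
  # Every candidate failed, so the target is not backed by a verified package.
  echo "Multiple package scanned; not found for $TARGET_BINARY"
  return 255 2>/dev/null || exit 255
else
  echo "At least one package found for $TARGET_BINARY: $PKGS_FOUND"
fi

# --- Stage 2: map each linked library to a package -------------------------
echo "Verifying $TARGET_BINARY binary and libraries..."
echo "List of libraries and its associated Debian package:"
SUM_LIB_CNT=0
SUM_LIB_ERR=0
SUM_LIB_ERR_NOT_FOUND=0
LIB_PKGS_FOUND=""
LIBS_LIST=""
export LIB_PKGS_FOUND LIBS_LIST

# NOTE(review): ldd can execute the inspected file; see the header caveat.
LIBRARIES_USED=$(ldd "$TARGET_BINARY")
RETSTS=$?
if ((RETSTS != 0)); then
  # Without a library list the result must not read as a clean pass.
  echo "WARN: ldd exited with status ${RETSTS} for ${TARGET_BINARY}." >&2
  ((SUM_LIB_ERR++))
fi

while read -r filename foperator filespec _; do
  [[ -n "$filename" ]] || continue
  ((SUM_LIB_CNT++))
  printf ' %s:\t\t' "$filename"
  if [[ "$foperator" == "=>" && "$filespec" == /* ]]; then
    # "name => /resolved/path (addr)": look the resolved path up.
    APT_FILE_RESULT=$(apt-file search --fixed-string "$filespec")
    RETSTS=$?
    if ((RETSTS != 0)) || [[ -z "$APT_FILE_RESULT" ]]; then
      ((SUM_LIB_ERR++))
      ((SUM_LIB_ERR_NOT_FOUND++))
      echo "not found in any Debian package."
    else
      LIB_PKG_FOUND=${APT_FILE_RESULT%%:*}   # first match only
      LIB_PKGS_FOUND="${LIB_PKGS_FOUND} ${LIB_PKG_FOUND}"
      echo "${LIB_PKG_FOUND}"
    fi
  elif [[ "$foperator" == "=>" && "$filespec" == "not" ]]; then
    # "name => not found": searching apt-file for the word "not" would pin
    # the library on an arbitrary package, so count it as unresolved.
    ((SUM_LIB_ERR++))
    ((SUM_LIB_ERR_NOT_FOUND++))
    echo "not resolved by ldd."
  else
    # Lines without a resolved path (the vDSO and the dynamic loader in the
    # sample output) are attributed to libc6 without a lookup.
    LIB_PKG_FOUND="libc6"
    LIB_PKGS_FOUND="${LIB_PKGS_FOUND} ${LIB_PKG_FOUND}"
    echo "${LIB_PKG_FOUND}"
  fi
done <<<"$LIBRARIES_USED"

LIBS_LIST="$LIB_PKGS_FOUND"
# Check each package once, however many libraries it provides.
LIB_PKGS_FOUND=$(tr -s ' ' '\n' <<<"$LIBS_LIST" | sort -u | xargs)

# --- Stage 3: verify every package that provides a library -----------------
echo "Checking packages:"
SUM_PKG_CNT=0
SUM_PKG_ERR=0
SUM_PKG_ERR_NOT_FOUND=0
SUM_PKG_ERR_HASH=0
read -r -a LIB_PKG_ARRAY <<<"$LIB_PKGS_FOUND"
for THIS_PKG in "${LIB_PKG_ARRAY[@]}"; do
  ((SUM_PKG_CNT++))
  printf ' Package: %s:\t' "$THIS_PKG"
  debsums --no-prelink -s "$THIS_PKG" >/dev/null 2>&1
  RETSTS=$?
  case "$RETSTS" in
    0)
      echo "OK"
      ;;
    1)
      ((SUM_PKG_ERR++))
      echo "ERROR: Debian package invalid/not installed."
      ((SUM_PKG_ERR_NOT_FOUND++))
      ;;
    2)
      ((SUM_PKG_ERR++))
      echo "ERROR: Debian package checksum failed."
      ((SUM_PKG_ERR_HASH++))
      ;;
    *)
      ((SUM_PKG_ERR++))
      echo "ERROR: debsums exited with status ${RETSTS}."
      ;;
  esac
done

echo " DuplicatePkgs Packages Libraries"
echo "checked: $SUM_PKGS_CNT $SUM_PKG_CNT $SUM_LIB_CNT"
echo "warnings: $SUM_PKGS_WARN"
echo "errors: $SUM_PKG_ERR $SUM_LIB_ERR"
echo "hash errors: $SUM_PKGS_ERR_HASH $SUM_PKG_ERR_HASH"
echo "missing/invalid: $SUM_PKGS_ERR_NOT_FOUND $SUM_PKG_ERR_NOT_FOUND $SUM_LIB_ERR_NOT_FOUND"

# A checksum failure in a library package is the main thing this script is
# meant to catch, so both the verdict and the status cover package errors as
# well as library errors.
SUM_ERR_TOTAL=$((SUM_PKG_ERR + SUM_LIB_ERR))
if ((SUM_ERR_TOTAL > 0)); then
  echo "Errors found."
else
  echo "No error; OK."
fi
# Statuses wrap at 256 and 255 is already used above, so cap the count.
if ((SUM_ERR_TOTAL > 254)); then
  SUM_ERR_TOTAL=254
fi
# pass exit code to caller without using exit command
# (in case this script got source'd)
(exit "$SUM_ERR_TOTAL")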

egberts commented Dec 13, 2018

Example output

$ elf-verify-hash.sh /usr/sbin/sshd
elf-verify-hash.sh: Validate target binary and its libraries checksum
Trying openssh-server package...OK
At least one package found for /usr/sbin/sshd:  openssh-server
Verifying /usr/sbin/sshd binary and libraries...
List of libraries and its associated Debian package:
  linux-vdso.so.1:		libc6
  libwrap.so.0:		libwrap0
  libaudit.so.1:		libaudit1
  libpam.so.0:		libpam0g
  libselinux.so.1:		libselinux1
  libsystemd.so.0:		libsystemd0
  libcrypto.so.1.0.2:		libssl1.0.2
  libutil.so.1:		libc6
  libz.so.1:		zlib1g
  libcrypt.so.1:		libc6
  libgssapi_krb5.so.2:		libgssapi-krb5-2
  libkrb5.so.3:		libkrb5-3
  libcom_err.so.2:		libcomerr2
  libc.so.6:		libc6
  libnsl.so.1:		libc6
  libcap-ng.so.0:		libcap-ng0
  libdl.so.2:		libc6
  libpcre.so.3:		libpcre3
  /lib64/ld-linux-x86-64.so.2:		libc6
  librt.so.1:		libc6
  liblzma.so.5:		liblzma5
  liblz4.so.1:		liblz4-1
  libgcrypt.so.20:		libgcrypt20
  libpthread.so.0:		libc6
  libk5crypto.so.3:		libk5crypto3
  libkrb5support.so.0:		libkrb5support0
  libkeyutils.so.1:		libkeyutils1
  libresolv.so.2:		libc6
  libgpg-error.so.0:		libgpg-error0
Checking packages:
  Package: libaudit1:	OK
  Package: libc6:	OK
  Package: libcap-ng0:	OK
  Package: libcomerr2:	OK
  Package: libgcrypt20:	OK
  Package: libgpg-error0:	OK
  Package: libgssapi-krb5-2:	OK
  Package: libk5crypto3:	OK
  Package: libkeyutils1:	OK
  Package: libkrb5-3:	OK
  Package: libkrb5support0:	OK
  Package: liblz4-1:	OK
  Package: liblzma5:	OK
  Package: libpam0g:	OK
  Package: libpcre3:	OK
  Package: libselinux1:	OK
  Package: libssl1.0.2:	OK
  Package: libsystemd0:	OK
  Package: libwrap0:	OK
  Package: zlib1g:	OK
           DuplicatePkgs Packages  Libraries
checked:           1        20        29
warnings:          0
errors:                     0        0
hash errors:       0        0
missing/invalid:   0        0        0
No error; OK.
