elf-binary-validation-dpkg.sh

gistfile1.txt

#!/bin/bash
BASENAME=`basename $0`
TMPFILE="/tmp/$BASENAME-lib.tmp"
echo "$BASENAME: Validate target binary and its libraries checksum"
TARGET_BINARY=$1
PACKAGES_FOUND="`apt-file search --fixed-string ${TARGET_BINARY}`"
if [ -z "${PACKAGES_FOUND}" ]; then
  echo "No package found for ${TARGET_BINARY}."
  exit 1
fi
echo "$PACKAGES_FOUND" > $TMPFILE

# There might be more than one packages having same filespec
# so we have to loop on

PKGS_FOUND=
SUM_PKGS_CNT=0
SUM_PKGS_WARN=0
SUM_PKGS_ERR_NOT_FOUND=0
SUM_PKGS_ERR_HASH=0
while read pkg_name filespec; do
  THIS_PKG="`echo $pkg_name | cut -d':' -f1`"
  ((SUM_PKGS_CNT++))
  echo -n "Trying $THIS_PKG package..."
  debsums --no-prelink -s ${THIS_PKG} >/dev/null 2>&1
  RETSTS=$?
  if [ ${RETSTS} -ne 0 ]; then
    ((SUM_PKGS_WARN++))
    if [ ${RETSTS} -eq 1 ]; then
      echo "WARN: Debian package invalid/not installed."
      ((SUM_PKGS_ERR_NOT_FOUND++))
    fi
    if [ ${RETSTS} -eq 2 ]; then
      echo "WARN: Debian package checksum error."
      ((SUM_PKGS_ERR_HASH++))
    fi
  else
    PKGS_FOUND="$PKGS_FOUND $THIS_PKG"
    echo "OK"
  fi
done < $TMPFILE
if [ $SUM_PKGS_CNT -eq 0 ]; then
  echo "No package found for $TARGET_BINARY."
fi
if [ $SUM_PKGS_CNT -gt 0 ]; then
  if [ $SUM_PKGS_CNT -eq $SUM_PKGS_WARN ]; then
    echo "Multiple package scanned; not found for $TARGET_BINARY"
    exit 255
  fi
  if [ $SUM_PKGS_CNT -ne $SUM_PKGS_WARN ]; then
    echo "At least one package found for $TARGET_BINARY: $PKGS_FOUND"
  fi
fi

echo "Verifying $TARGET_BINARY binary and libraries..."
echo "List of libraries and its associated Debian package:"
LIBRARIES_USED="`ldd ${TARGET_BINARY}`"
echo "$LIBRARIES_USED" > $TMPFILE

# Iterate on each library
SUM_LIB_CNT=0
SUM_LIB_ERR=0
SUM_LIB_ERR_NOT_FOUND=0
LIB_PKGS_FOUND=""
LIBS_LIST=""
export LIB_PKGS_FOUND LIBS_LIST
while read filename foperator filespec var4 var5; do
  ((SUM_LIB_CNT++))
  echo -ne "  ${filename}:\t\t"
  if [ "$foperator" == "=>" ]; then
    # library package check
    APT_FILE_RESULT="`apt-file search --fixed-string ${filespec}`"
    RETSTS=$?
    if [ ${RETSTS} -ne 0 ]; then
      ((SUM_LIB_ERR++))
      ((SUM_LIB_ERR_NOT_FOUND++))
      echo "not found in any Debian package."
    else
      LIB_PKG_FOUND="`echo ${APT_FILE_RESULT} | cut -d':' -f1`"
      LIB_PKGS_FOUND="${LIB_PKGS_FOUND} ${LIB_PKG_FOUND}"
      echo "${LIB_PKG_FOUND}"
    fi
  else
    # ldlinux check
    LIB_PKG_FOUND="libc6"
    LIB_PKGS_FOUND="${LIB_PKGS_FOUND} ${LIB_PKG_FOUND}"
    echo "${LIB_PKG_FOUND}"
  fi
done < $TMPFILE
rm $TMPFILE
LIBS_LIST="$LIB_PKGS_FOUND"

# Remove duplicate libraries (to save time checking on each)
LIB_PKGS_FOUND="`echo ${LIBS_LIST} | xargs -n1 | sort -u | xargs`"
echo "Checking packages:"
    
SUM_PKG_CNT=0
SUM_PKG_ERR=0
SUM_PKG_ERR_NOT_FOUND=0
SUM_PKG_ERR_HASH=0
for THIS_PKG in ${LIB_PKGS_FOUND}; do
  ((SUM_PKG_CNT++))
  echo -ne "  Package: ${THIS_PKG}:\t"
  debsums --no-prelink -s ${THIS_PKG} >/dev/null 2>&1
  RETSTS=$?
  if [ ${RETSTS} -ne 0 ]; then
    ((SUM_PKG_ERR++))
    if [ ${RETSTS} -eq 1 ]; then
      echo "ERROR: Debian package invalid/not installed."
      ((SUM_PKG_ERR_NOT_FOUND++))
    fi
    if [ ${RETSTS} -eq 2 ]; then
      echo "ERROR: Debian package checksum failed."
      ((SUM_PKG_ERR_HASH++))
    fi
  else
    echo "OK"
  fi
done

echo "           DuplicatePkgs Packages  Libraries"
echo "checked:           $SUM_PKGS_CNT        $SUM_PKG_CNT        $SUM_LIB_CNT"
echo "warnings:          $SUM_PKGS_WARN"
echo "errors:                     $SUM_PKG_ERR        $SUM_LIB_ERR"
echo "hash errors:       $SUM_PKGS_ERR_HASH        $SUM_PKG_ERR_HASH"
echo "missing/invalid:   $SUM_PKGS_ERR_NOT_FOUND        $SUM_PKG_ERR_NOT_FOUND        $SUM_LIB_ERR_NOT_FOUND" 

if [ $SUM_PKG_ERR -gt 0 ]; then
  echo "Errors found."
else
  echo "No error; OK."
fi
# pass exit code to caller without using exit command
# (in case this script got source'd)
(exit $SUM_LIB_ERR)

Example output

$ elf-verify-hash.sh /usr/sbin/sshd
elf-verify-hash.sh: Validate target binary and its libraries checksum
Trying openssh-server package...OK
At least one package found for /usr/sbin/sshd:  openssh-server
Verifying /usr/sbin/sshd binary and libraries...
List of libraries and its associated Debian package:
  linux-vdso.so.1:		libc6
  libwrap.so.0:		libwrap0
  libaudit.so.1:		libaudit1
  libpam.so.0:		libpam0g
  libselinux.so.1:		libselinux1
  libsystemd.so.0:		libsystemd0
  libcrypto.so.1.0.2:		libssl1.0.2
  libutil.so.1:		libc6
  libz.so.1:		zlib1g
  libcrypt.so.1:		libc6
  libgssapi_krb5.so.2:		libgssapi-krb5-2
  libkrb5.so.3:		libkrb5-3
  libcom_err.so.2:		libcomerr2
  libc.so.6:		libc6
  libnsl.so.1:		libc6
  libcap-ng.so.0:		libcap-ng0
  libdl.so.2:		libc6
  libpcre.so.3:		libpcre3
  /lib64/ld-linux-x86-64.so.2:		libc6
  librt.so.1:		libc6
  liblzma.so.5:		liblzma5
  liblz4.so.1:		liblz4-1
  libgcrypt.so.20:		libgcrypt20
  libpthread.so.0:		libc6
  libk5crypto.so.3:		libk5crypto3
  libkrb5support.so.0:		libkrb5support0
  libkeyutils.so.1:		libkeyutils1
  libresolv.so.2:		libc6
  libgpg-error.so.0:		libgpg-error0
Checking packages:
  Package: libaudit1:	OK
  Package: libc6:	OK
  Package: libcap-ng0:	OK
  Package: libcomerr2:	OK
  Package: libgcrypt20:	OK
  Package: libgpg-error0:	OK
  Package: libgssapi-krb5-2:	OK
  Package: libk5crypto3:	OK
  Package: libkeyutils1:	OK
  Package: libkrb5-3:	OK
  Package: libkrb5support0:	OK
  Package: liblz4-1:	OK
  Package: liblzma5:	OK
  Package: libpam0g:	OK
  Package: libpcre3:	OK
  Package: libselinux1:	OK
  Package: libssl1.0.2:	OK
  Package: libsystemd0:	OK
  Package: libwrap0:	OK
  Package: zlib1g:	OK
           DuplicatePkgs Packages  Libraries
checked:           1        20        29
warnings:          0
errors:                     0        0
hash errors:       0        0
missing/invalid:   0        0        0
No error; OK.