LeRoy Cressy via plug on 28 Dec 2022 08:55:08 -0800
Re: [PLUG] Possible Break in on Arch Linux Systems:
On 12/27/22 15:09, Keith C. Perry via plug wrote:
> I was just about to make a similar comment.  I'm very rarely in my Arch
> partition and invariably I have to do keyring upgrades (and maybe some
> things I can't remember right now) before even pacman -Syy will work.
>
> Always good to be skeptical but I think for Arch this is normal fare.
>
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> Keith C. Perry, MS E.E.
> Managing Member, DAO Technologies LLC
> (O) +1.215.525.4165 x2033
> (M) +1.215.432.5167
> www.daotechnologies.com
>
> ------------------------------------------------------------------------
> From: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Tuesday, December 27, 2022 3:05:12 PM
> Subject: Re: [PLUG] Possible Break in on Arch Linux Systems:
>
> On Tue, Dec 27, 2022, 14:27 Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
>
>> That is the gpg key for your package manager.  I don't think that
>> should change.  Try installing rkhunter and running "rkhunter --scan"
>> as root.  It will tell you if other files may have been modified.
>>
>> Thanks,
>>
>> Michael
>
> Let's not make assumptions and jump to potential compromise unless we're
> familiar with the respective distro's internals.
>
> On Tue, Dec 27, 2022, 1:44 PM LeRoy Cressy via plug <plug@lists.phillylinux.org> wrote:
>
>> I do a daily backup which checks for any changes in /etc and other
>> directories that should not change unless you have done a backup.  On
>> Christmas Day someone or something changed the following files:
>>
>> /etc/pacman.d/gnupg/pubring.gpg
>> /etc/pacman.d/gnupg/pubring.gpg~
>> /etc/pacman.d/gnupg/pubring.gpg.tmp
>> /etc/pacman.d/gnupg/trustdb.gpg
>>
>> I rebuilt my repositories with pacman -Syy
>> I reinstalled archlinux-keyring
>>
>> I am familiar with the shenanigans of cups changing their /etc files
>> daily, but this is a first for me.
>>
>> I'm posting this as a warning of a possible break-in on Arch Linux
>> systems.
>
> LeRoy, this is normal and expected.  I'm guessing you haven't done a full
> system update in a while?
>
> $ systemctl cat archlinux-keyring-wkd-sync.timer
> # /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
> [Unit]
> Description=Refresh existing PGP keys of archlinux-keyring regularly
>
> [Timer]
> OnCalendar=weekly
> Persistent=true
> RandomizedDelaySec=1week
>
> [Install]
> WantedBy=timers.target
>
> It is part of Arch Linux system internals (the archlinux-keyring
> package itself).
>
> $ pacman -Ql archlinux-keyring | grep -E '\.timer'
> archlinux-keyring /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer
> archlinux-keyring /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer

I want to thank all of you who have responded.  I do full system upgrades
on a weekly basis and in the past I had to manually reinstall
archlinux-keyring or I downloaded the key that was giving me problems
with gnupg and manually added the key to the keyring using pacman-key.
I did not know about the internals of the timer.

There have been comments about checking for any changed files on my
system.  As part of my backup script I have an old function which I
wrote back in the 1990's which scrolls through directories and
subdirectories.  I have attached my backup script which I run every
morning.

--
Rev. LeRoy D. Cressy   mailto:rev.cressy@prontonmail.com
  /\_/\
 ( o.o )
  > ^ <
Cell Phone: 267-668-9686
GnuPG Fingerprint: D234 65D6 2822 211B F82F A6CA B332 4CC8 ACBF D200

Jesus saith unto him, I am the way, the truth, and the life: no man
cometh unto the Father, but by me. (John 14:6)

You can find me on the following:
Telegram:
  (My Main Channel) https://t.me/RevLeRoy
  (Send Me A Message) https://t.me/LeRoy_Cressy
  (My Videos) https://t.me/rev_cressy_videos
Video:
  ugetube.com: https://ugetube.com/@the-rev
  bitchute.com: https://www.bitchute.com/channel/the-rev/
  brighteon.com: https://www.brighteon.com/channels/therev
  rumble.com: https://rumble.com/user/lrcressy
  odysee.com: https://odysee.com/@the-rev

#! /usr/bin/bash
# Edit Date: Saturday December 03, 2022
# Creation Date: Friday February 05, 2021
# creation file name: backup
# Copyright (C) 2021 - 2022 by Rev. LeRoy D. Cressy <rev.cressy@protonmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# Arch Linux Required Packages
# rsync

# Variables
COPYRIGHT="2021 - 2022 by Rev. LeRoy Cressy <rev.cressy@protonmail.com>"
VERSION="1.15"
LICENSE="GPL"
MP="/mnt/backup"
DATE=$(date +%b-%d-%y)
DATE_YESTERDAY=$(date +%b-%d-%y -d yesterday)
DATE_2_DAYS_AGO=$(date +%b-%d-%y --date='2 days ago')
EXCLUDE_1="postgres/"
EXCLUDE_2="backup/$HOSTNAME*"
EXCLUDE_3="*[Ll]ossless*.m[kp]*"
EXCLUDE_4=""

# Setting the IFS variable to a newline enables a for loop to recurse directories
# of files with spaces.  Hope this helps.
# See: https://www.cyberciti.biz/tips/handling-filenames-with-spaces-in-bash.html
SAVEIFS=$IFS
IFS=$(echo -en "\n\b")

# Colors
ESC=$(echo -ne '\033')
RED="${ESC}[31m"
GREEN="${ESC}[32m"
YELLOW="${ESC}[1m${ESC}[33m"
RESET="${ESC}[0m"

# Color and format functions
function ok () {
    printf "%s" "[ ${GREEN}OK${RESET} ] "
}

function success () {
    printf "%s" "[ ${GREEN}Successful${RESET} ] "
}

function failed () {
    printf "%s" "[ ${RED}FAILED${RESET} ]"
}

function warn () {
    printf "%s" "[ ${YELLOW}WARNING${RESET} ]"
}

function say_it () {
    message=$1
    printf "%s\n" " $message"
}

# Allow only the root user to run this script
if [ $UID != 0 ]; then
    echo " "
    echo " "
    printf "%s\n" "${RED} You must be root to run this script!${RESET}"
    echo " "
    echo " "
    exit 1
fi

function bck () {
    # Backup function which calls rsync
    # $1 backup directory as etc
    # $2 Directory to be backed up as /etc
    if [ -d "$2" ]; then
        if [ -d "$MP"/"$1" ]; then
            echo ""
            echo "**************************************************"
            echo ""
            echo " Backing Up $2 on $MP/$1 "
            echo ""
            echo "**************************************************"
            echo ""
            if rsync -av --progress --delete --exclude="$EXCLUDE_1" \
                --exclude="$EXCLUDE_2" --exclude="$EXCLUDE_3" \
                --exclude="$EXCLUDE_4" --delete-excluded "$2"/ "$MP"/"$1"/ ; then
                ok; say_it "Backup of $2 complete";
            else
                failed; say_it "Backup of $2 FAILED";
            fi
        else
            echo ""
            echo "**************************************************"
            echo ""
            echo " Backing Up $2 on $MP/ "
            echo " Utilizing rsync's ability to create remote "
            echo " directory $MP/$1"
            echo ""
            echo "**************************************************"
            echo ""
            if rsync -av --progress --delete --exclude="$EXCLUDE_1" \
                --exclude="$EXCLUDE_2" --exclude="$EXCLUDE_3" \
                --exclude="$EXCLUDE_4" --delete-excluded "$2" "$MP"/ ; then
                ok; say_it "Backup of $2 complete";
            else
                failed; say_it "Backup of $2 FAILED";
            fi
        fi
    else
        echo ""
        echo "**************************************************"
        echo ""
        warn; say_it "$2 does not exist";
        echo ""
        echo "**************************************************"
        echo ""
    fi
}

function b2sum_tree () {
    # Recursive walker that replaces the fourteen nested for loops of the
    # original check function with identical behaviour: regular files are
    # hashed, symlinks are skipped, and a directory found below the depth
    # limit is only reported, not descended.
    # $1 = directory to walk
    # $2 = file the b2sum lines are appended to
    # $3 = remaining depth
    local entry
    for entry in "$1"/* ; do
        if [[ -f $entry ]] && [[ ! -L $entry ]]; then
            b2sum "$entry" >> "$2"
        elif [[ -d $entry ]] && [[ ! -L $entry ]]; then
            if [[ $3 -gt 0 ]]; then
                b2sum_tree "$entry" "$2" $(( $3 - 1 ))
            else
                warn; say_it "$entry is a directory";
            fi
        fi
    done
}

function check () {
    # $1 = usr/bin
    # $2 = usr-bin
    if [[ -d /"$1" ]] && [[ ! -L /"$1" ]] ; then
        echo ""
        echo "**************************************************"
        echo ""
        echo " Checking for differences since last backup on /$1 "
        echo ""
        echo "**************************************************"
        echo ""
        # September 26, 2022
        # Changed md5sum to b2sum which is supposed to be more secure
        if [ -f "$MP"/b2sum-"$2".txt ]; then
            mv -f "$MP"/b2sum-"$2".txt "$MP"/b2sum-"$2".txt.old
        fi
        touch "$MP"/b2sum-"$2".txt
        # 13 levels below the top directory, the same limit the nested loops had
        b2sum_tree /"$1" "$MP"/b2sum-"$2".txt 13
        if [ -f "$MP"/b2sum-"$2".txt.old ]; then
            diff "$MP"/b2sum-"$2".txt.old "$MP"/b2sum-"$2".txt > "$MP"/b2sum-"$2".diff
            if [[ -s "$MP"/b2sum-"$2".diff ]]; then
                cat "$MP"/b2sum-"$2".diff
                failed; say_it "Files were changed in /$1";
            else
                ok; say_it "No Files were altered in /$1";
            fi
        fi
    fi
}

# Make sure our external hd is mounted
if grep -sq "$MP" /proc/mounts; then
    if [[ -x /usr/bin/rsync ]]; then
        bck etc "/etc"
        bck pkg "/var/cache/pacman/pkg"
        bck local "/usr/local"
        bck home "/home"
        bck cron "/var/spool/cron"
        bck boot "/boot"
        bck root "/root"

        # Backup postgresql with pg_dumpall
        if [[ -x /usr/bin/pg_dumpall ]]; then
            echo ""
            echo "**************************************************"
            echo ""
            echo " Backing Up Postgresql on $MP/$HOSTNAME-postgressql-$DATE-dumpall.sql "
            echo ""
            echo "**************************************************"
            echo ""
            if pg_dumpall > "$MP/$HOSTNAME-postgressql-$DATE-dumpall.sql"; then
                ok; say_it "Postgresql dumpall to $MP/$HOSTNAME-postgressql-$DATE-dumpall.sql complete"
                if [[ -e "$MP/$HOSTNAME-postgressql-$DATE_YESTERDAY-dumpall.sql" ]]; then
                    warn; say_it "Removing yesterday's postgresql dumpall backup"
                    rm "$MP/$HOSTNAME-postgressql-$DATE_YESTERDAY-dumpall.sql"
                fi
            else
                failed; say_it "Postgresql dumpall to $MP/$HOSTNAME-postgressql-$DATE-dumpall.sql FAILED"
            fi
        fi

        check etc etc
        check boot boot
        check bin bin
        check sbin sbin
        check usr/sbin usr-sbin
        check usr/bin usr-bin
        check lib lib
        check usr/lib usr-lib

        echo ""
        echo "**************************************************"
        echo ""
        echo " Saving and Updating Package lists"
        echo ""
        echo "**************************************************"
        echo ""
        if [ -x /usr/bin/pacman ]; then
            pacman -Sy
            pacman -Qemq > "$MP/$HOSTNAME-Arch-Foreign-Packages.txt"
            pacman -Qenq > "$MP/$HOSTNAME-Arch-Native-Packages.txt"
            # The \$ below keeps the command substitution literal in the
            # instructions file so it expands when the restore is run, not now
            printf "%s\n" " Restore Native Packages" > "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n\n" " Use pacman -S \$(cat $MP/$HOSTNAME-Arch-Native-Packages.txt)" >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n" " Restore Local Packages" >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n" " Use a bash for loop to reinstall your compiled foreign packages." >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "\n%s\n" " cd into foreign archive directory." >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            echo " for j in *; do pacman -U --needed \$j; done " >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n" " I have never tested this so I do not know if this will work. :-) " >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n" " Another alternative could possibly be to:" >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n" " pacman -U --needed *zst" >> "$MP/$HOSTNAME-Restore-Instructions.txt"
            printf "%s\n\n" " This seems to take care of any dependencies that are local packages." >> "$MP/$HOSTNAME-Restore-Instructions.txt"
        fi
        if [ -x /usr/bin/dpkg ]; then
            dpkg --get-selections > "$MP/$HOSTNAME-Debian-Packages.txt"
            printf "%s\n" "Use dpkg --set-selections < $MP/$HOSTNAME-Debian-Packages.txt " > "$MP/$HOSTNAME-Restore-Instructions.txt"
        fi

        # Reset IFS variable
        IFS=$SAVEIFS
        ok; say_it "Backup Complete";
    else
        echo " "
        echo " "
        printf "%s\n" "${RED} /usr/bin/rsync does not exist!${RESET}"
        echo " "
        echo " "
        exit 1
    fi
else
    echo " "
    echo " "
    printf "%s\n" "${RED} External Drive not mounted!${RESET}"
    echo " "
    echo " "
    exit 1
fi
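The attached script walks each tree with nested for loops and prints a raw diff of two b2sum listings. The following is an added example, not LeRoy's script and not part of the thread: the same integrity check built around find, which removes the depth limit, includes dotfiles, skips symlinks, copes with spaces in names without changing IFS, and classifies each difference as ADDED, REMOVED or MODIFIED so the reader sees at a glance which files changed. It assumes GNU coreutils (b2sum, with sha256sum as a fallback) and awk; the file name integrity-check.sh, the --demo flag and the temporary tree the demo builds are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not LeRoy's script: a find-based file integrity baseline.
# Assumes GNU coreutils (b2sum, or sha256sum as a fallback) and awk.
set -u

# Prefer b2sum, as the attached script does; fall back to sha256sum.
HASH_TOOL=$(command -v b2sum || command -v sha256sum || true)
[ -n "$HASH_TOOL" ] || { echo "need b2sum or sha256sum" >&2; exit 1; }

# hash_tree DIR OUTFILE
# Writes one "<hash>  <path>" line per regular file below DIR.  find does not
# follow symlinks and -type f skips them, so only real files are hashed; unlike
# a shell glob it descends without a depth limit and also sees dotfiles.
hash_tree () {
    find "$1" -type f -exec "$HASH_TOOL" {} + | LC_ALL=C sort -k 2 > "$2"
}

# compare_baseline OLDFILE NEWFILE
# Prints one line per difference, classified as ADDED, REMOVED or MODIFIED,
# and returns 0 when the two listings agree and 1 when they differ.
compare_baseline () {
    local report
    report=$(awk '
        # strip the hash and its separator to get the path as the tool printed it
        function path(line,  p) { p = line; sub(/^[0-9a-f]+ [ *]/, "", p); return p }
        FILENAME == ARGV[1] { old[path($0)] = $1; next }
        {
            p = path($0); seen[p] = 1
            if (!(p in old))        print "ADDED    " p
            else if (old[p] != $1)  print "MODIFIED " p
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# check_tree DIR BASELINE
# Same flow as the attached script's check(): rotate the previous listing to
# BASELINE.old, rehash DIR, then compare.  The first run only records.
check_tree () {
    if [ -f "$2" ]; then
        mv -f "$2" "$2.old"
        hash_tree "$1" "$2"
        compare_baseline "$2.old" "$2"
    else
        hash_tree "$1" "$2"
        echo "baseline for $1 recorded in $2"
    fi
}

# Stand-alone demo on a constructed temporary tree (sample data, not real
# system files): run as  ./integrity-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/pacman.d/gnupg"
    echo 'constructed keyring v1' > "$tmp/etc/pacman.d/gnupg/pubring.gpg"
    echo 'constructed mirror list' > "$tmp/etc/pacman.d/mirrorlist"
    check_tree "$tmp/etc" "$tmp/b2sum-etc.txt"
    echo 'constructed keyring v2' > "$tmp/etc/pacman.d/gnupg/pubring.gpg"
    if check_tree "$tmp/etc" "$tmp/b2sum-etc.txt"; then
        echo "no files changed"
    else
        echo "changes found; compare their timestamps with the keyring timer and pacman.log"
    fi
    rm -rf "$tmp"
fi
```

Two practical notes. A listing like this only proves anything if the baseline lives somewhere the monitored host cannot quietly rewrite, which is why keeping it on the external backup drive, as the attached script does, is the right instinct. And a reported change under /etc/pacman.d/gnupg can be lined up against the timer the thread describes with `systemctl list-timers archlinux-keyring-wkd-sync.timer`, which shows when it last fired, and against the transactions recorded in /var/log/pacman.log; a modification that matches neither is the one worth investigating.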
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug