Verifying authenticity of ubuntu updates

Asked by Ariel Faigon

On Dec 18, rkhunter (root kit detector) emailed me about several executables that were updated on my system:
    /bin/login
    /bin/su
    /usr/bin/lastlog
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/sbin/groupadd
    /usr/sbin/groupdel
    /usr/sbin/groupmod
    /usr/sbin/grpck
    /usr/sbin/nologin
    /usr/sbin/pwck
    /usr/sbin/useradd
    /usr/sbin/userdel
    /usr/sbin/usermod
    /usr/sbin/vipw

Usually I can easily associate such changes with me running an update and finding matches to pathnames of updated executables in my logs like this:

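    #!/bin/sh
    # Show the dpkg log entries for the package that owns a given file.
    pathname=$1
    # dpkg-query -S prints "package: /path"; keep only the package name.
    packagename=$(dpkg-query -S "$pathname" | sed 's,:.*,,')
    grep -hw -- "$packagename" /var/log/dpkg.log* | sort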

This time although these were all in the dpkg logs, I didn't recall running adept-updater around the time of the change (I may have run some general update from the command line, not sure).

My question/request:

1) Is there an official list of recent updates I can retrieve from launchpad on the package file date+time level?
2) Is there a list of md5 (or sha1) signatures on the file level anywhere on launchpad (not on my system) that I can use to verify that my executables are legitimate?

Ideally there would be a web page on launchpad where I would enter something like:

    /usr/sbin/vipw

and it would give me back a list (reverse sorted by time most recently updated on top) of lines like this:

    file            date+time                package  version             md5sum
    /usr/sbin/vipw  2008-12-18 08:45:27 GMT  passwd   1:4.1.1-1ubuntu1.2  e50b549349b822f542c9da934c440853

This way I can verify for sure that any of my files which might be suspect is legit.

Thank you!

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Bulat

Best Bulat (bulatkjug) said :
#1

Don't know whether there is such a list. But you can go to http://archive.ubuntu.com/ubuntu/ and browse through repositories manually. It's the place from where Synaptic downloads updates etc. for Ubuntu. There you can find all the information you need.

Bulat (bulatkjug) said :
#2

P.S. I now recall that there's been an update of some user management related package on my laptop recently. Nevertheless, you'd better go and check yourself in the repositories.

Ariel Faigon (ariel.faigon) said :
#3

Bulat,

Thanks so much. This is definitely a good and helpful answer.
It gives me something to start from.

What is not so obvious is how I can translate from a package name to the location in the repositories. I guess some legwork of grepping recursively in /var/lib/apt/lists/, string manipulation and transformation could help me automate this verification process.

So I still have much work to do but this is very helpful (should have thought about it myself :)
so I will mark it solved.

Perhaps later I can share my verification script.
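
The package-name-to-repository-location step described in reply #3, as an added example that is not part of the thread and is not the script Ariel mentions. It reads an APT `Packages` index, prints the archive URL and recorded checksum for a package, and checks a downloaded .deb against that checksum. The function names, the sample index contents and the use of SHA256 rather than md5/sha1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Maps a package name to its .deb in the
# archive using an APT "Packages" index (apt keeps these under
# /var/lib/apt/lists/), then checks a downloaded .deb against the recorded hash.

# pkg_lookup PACKAGE INDEX_FILE [MIRROR]
# Prints "<version> <url> <sha256>"; returns 1 if the package is not listed.
pkg_lookup() {
    awk -v pkg="$1" -v mirror="${3:-http://archive.ubuntu.com/ubuntu}" '
        BEGIN { RS = ""; FS = "\n" }    # paragraph mode: one stanza per record
        {
            name = ver = file = sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /)  name = substr($i, 10)
                if ($i ~ /^Version: /)  ver  = substr($i, 10)
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            if (name == pkg) { print ver, mirror "/" file, sum; found = 1 }
        }
        END { exit !found }
    ' "$2"
}

# verify_deb DEB_FILE EXPECTED_SHA256: succeeds only on an exact match.
verify_deb() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Constructed sample index. The pool paths are illustrative and the second
# SHA256 is the hash of an empty file, so the demo runs without network access.
sample_index() {
    cat <<'EOF'
Package: login
Version: 1:4.1.1-1ubuntu1.2
Filename: pool/main/s/shadow/login_4.1.1-1ubuntu1.2_i386.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: passwd
Version: 1:4.1.1-1ubuntu1.2
Filename: pool/main/s/shadow/passwd_4.1.1-1ubuntu1.2_i386.deb
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
EOF
}
```

On a real system, point `pkg_lookup` at the matching `*_Packages` file under /var/lib/apt/lists/, fetch the URL it prints, and once `verify_deb` succeeds unpack the .deb with `dpkg-deb -x` and `cmp` the extracted file against the installed one. The index is only as trustworthy as its source: the archive's signed Release file lists the hashes of each Packages file, which is what ties these checksums back to the archive key.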

Ariel Faigon (ariel.faigon) said :
#4

Thanks Bulat, that solved my question.