Script to extract a signature of the first blocks of the disk, to be able to dectect boot tampering attemps.
- Because we are paranoid about boot hijacking. So thinking about the easiest way to be able to detect tampering attemps... this is the result.
- Javier Olascoaga jolascoaga@rootedcon.com
- Román Ramírez rramirez@rootedcon.com
Put this script onto your init scripts (quick-dirty /etc/rc.local) and whenever you get SENTINEL-KO and/or $? == -1, you can raise an alarm.
We use to change the desktop background to red (i.e, if you use gnome and have a red.jpg image with is, well, this, red, gsettings set org.gnome.desktop.background picture-uri file:///tmp/red.jpg), show a warning window through zenity (i.e, zenity --error --text="WARNING TEXT") or do the action you consider.
The device you want to read block from.
By default we will read 1024 bytes blocks.
The number of blocks you want to read (sector_count of sector_size lenght).
The sentinel file where to store the hash result to be compared on every boot.
The algorithm you want to use. Please, remember that not every openssl implementation includes all the hashing algorithms. If you want to check in your specific platform for which ones are available:
- openssl dgst -help
- python -c 'import hashlib;print hashlib.algorithms'
- over 2.7.9, python -c 'import hashlib;print hashlib.algorithms_available'
"msg", is the text to be printed on screen and "code" is the return code you can test with $?
msg = { 'error': { 'msg': 'SENTINEL-KO', 'code': -1 }, 'ok': { 'msg': 'SENTINEL-OK', 'code': 0 }, }
Happy hacking!