mirror of https://schlomp.space/tastytea/hashboot
initial commit
commit
b13bf72db2
|
@ -0,0 +1 @@
|
|||
*.sublime-*
|
|
@ -0,0 +1,11 @@
|
|||
* 2015-06-05 tastytea <tastytea@tastytea.de>
|
||||
Version 0.3
|
||||
Recovery
|
||||
* 2015-06-03 tastytea <tastytea@tastytea.de>
|
||||
Version 0.2
|
||||
Debian initscript (SysV-style)
|
||||
Gentoo initscript (openrc)
|
||||
Backup in /var/cache/bootbackup.tar.gz
|
||||
* 2015-06-03 tastytea <tastytea@tastytea.de>
|
||||
Version 0.1
|
||||
Usable skript
|
|
@ -0,0 +1,3 @@
|
|||
* Make sure you have sha*sum or md5sum installed
|
||||
* Make hashboot.sh executable
|
||||
* Place hashboot.sh where it's needed
|
|
@ -0,0 +1,8 @@
|
|||
For build instruction see INSTALL.
|
||||
|
||||
Run "hashboot.sh index" to generate checksums for /boot
|
||||
Run "hashboot.sh check" to check /boot
|
||||
|
||||
A backup is stored in /var/cache/bootbackup.tar.gz
|
||||
|
||||
Detailed documentation is in the sourcecode.
|
|
@ -0,0 +1,6 @@
|
|||
* SysV-style init scripts
|
||||
* Systemd init script
|
||||
* Gentoo ebuild
|
||||
* Debian package
|
||||
* Ubuntu package
|
||||
* recovery
|
|
@ -0,0 +1,88 @@
|
|||
#!/bin/sh
|
||||
#Hashes all files in /boot to check them during early boot
|
||||
#Exit codes: 0 = success, 1 = wrong usage, 2 = not root, 3 = no hasher found, 4 = checksum mismatch
|
||||
|
||||
VERSION="0.3"
|
||||
DIGEST_FILE="/var/lib/hashboot.digest"
|
||||
LOG_FILE="/tmp/hashboot.log"
|
||||
BACKUP_FILE="/var/cache/boot-backup.tar.gz"
|
||||
HASHER=""
|
||||
BOOT_MOUNTED=""
|
||||
|
||||
|
||||
#Umount /boot if we mounted it, exit with given exit code
|
||||
function die
|
||||
{
|
||||
if [ ! -z ${BOOT_MOUNTED} ]
|
||||
then
|
||||
umount /boot
|
||||
fi
|
||||
|
||||
exit ${1}
|
||||
}
|
||||
|
||||
#If we're not root: exit
|
||||
if [ ${UID} -ne 0 ]
|
||||
then
|
||||
echo "You have to be root" >&2
|
||||
die 2
|
||||
fi
|
||||
|
||||
#Try different hashers, use the most secure
|
||||
HASHER=$(/usr/bin/which --skip-dot --skip-tilde sha512sum 2> /dev/null)
|
||||
test -z ${HASHER} && $(/usr/bin/which --skip-dot --skip-tilde sha384sum 2> /dev/null)
|
||||
test -z ${HASHER} && $(/usr/bin/which --skip-dot --skip-tilde sha256sum 2> /dev/null)
|
||||
test -z ${HASHER} && $(/usr/bin/which --skip-dot --skip-tilde sha224sum 2> /dev/null)
|
||||
#It gets insecure below here, but better than nothing?
|
||||
test -z ${HASHER} && $(/usr/bin/which --skip-dot --skip-tilde sha1sum 2> /dev/null)
|
||||
test -z ${HASHER} && $(/usr/bin/which --skip-dot --skip-tilde md5sum 2> /dev/null)
|
||||
|
||||
#If we found no hasher: exit
|
||||
if [ -z ${HASHER} ]
|
||||
then
|
||||
echo "No hash calculator found" >&2
|
||||
die 3
|
||||
fi
|
||||
|
||||
#If /boot is in fstab but not mounted: mount, mark as mounted
|
||||
if grep -q '/boot.*noauto' /etc/fstab && ! grep -q /boot /etc/mtab
|
||||
then
|
||||
mount /boot
|
||||
BOOT_MOUNTED=1
|
||||
fi
|
||||
|
||||
if [ "${1}" == "index" ]
|
||||
then
|
||||
#Write header
|
||||
echo "#hashboot ${VERSION} - Algorithm: $(basename ${HASHER})" > ${DIGEST_FILE}
|
||||
#Write hashes of all regular files to ${DIGEST_FILE}
|
||||
find /boot -type f -exec ${HASHER} --binary {} >> ${DIGEST_FILE} +
|
||||
#Backup of good files
|
||||
tar -czpPf ${BACKUP_FILE} /boot
|
||||
die 0
|
||||
elif [ "${1}" == "check" ]
|
||||
then
|
||||
if $(${HASHER} --check --warn --quiet --strict ${DIGEST_FILE} > ${LOG_FILE})
|
||||
then
|
||||
die 0
|
||||
else
|
||||
echo " !! TIME TO PANIK: A FILE WAS MODIFIED !!"
|
||||
echo "Restoring files from backup... (type yes or no for each file)"
|
||||
#For each failed file: ask if it should be recovered from backup
|
||||
for file in $(cut -d: -f1 ${LOG_FILE})
|
||||
do
|
||||
tar -xzpPvwf ${BACKUP_FILE} ${file}
|
||||
done
|
||||
|
||||
echo "Type reboot to reboot now, otherwise you get a shell"
|
||||
read -r reboot
|
||||
if [ ${reboot} == "reboot" ]
|
||||
then
|
||||
reboot
|
||||
fi
|
||||
die 4
|
||||
fi
|
||||
else
|
||||
echo "Usage: ${0} index|check" >&2
|
||||
die 1
|
||||
fi
|
|
@ -0,0 +1,44 @@
|
|||
#!/bin/sh
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: hashboot
|
||||
# Required-Start: $mountall
|
||||
# Required-Stop:
|
||||
# Default-Start: S
|
||||
# Default-Stop:
|
||||
# Short-Description: Check integrity of files in /boot
|
||||
### END INIT INFO
|
||||
|
||||
PATH=/sbin:/bin:/usr/bin
|
||||
|
||||
# See if hashboot.sh is accessible
|
||||
test -x $(which hashboot.sh) || exit 0
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
log_daemon_msg "Checking integrity of files in /boot"
|
||||
|
||||
if ! hashboot.sh check
|
||||
then
|
||||
log_end_msg 1
|
||||
sh
|
||||
exit 1
|
||||
fi
|
||||
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
# No-op
|
||||
|
||||
;;
|
||||
restart|reload|force-reload|status)
|
||||
echo "Error: argument '$1' not supported" >&2
|
||||
exit 2
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/hashboot {start|stop}"
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,24 @@
|
|||
#!/sbin/runscript
|
||||
|
||||
description="Check integrity of files in /boot"
|
||||
|
||||
depend()
|
||||
{
|
||||
need localmount
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
ebegin "Checking integrity of files in /boot"
|
||||
|
||||
# See if hashboot.sh is accessible
|
||||
which hashboot.sh > /dev/null || return 1
|
||||
|
||||
if ! hashboot.sh check
|
||||
then
|
||||
sh
|
||||
return 2
|
||||
fi
|
||||
|
||||
eend 0
|
||||
}
|
Loading…
Reference in New Issue