dpkg-paranoia
This little program sets hook on pre-installing package. It
unpacks .deb file to /tmp/ and checks wether it satisfies
specified rules (requirements of local policy). Already
created rules include checks on:
* setuid/setgid bit on executables
* cron jobs
* apparmor profiles
* scripts those are executed on install/remove
(preinst/postinst, prerm/postrm)
* changing sysctl settings.
Run "chmod a-x /etc/dpkg-paranoia.d/checkXXX" to disable checkXXX.
If installation is launched in non-interactive mode and any of
above checks is failed then installation fails.
If installation is launched in interactive mode and any of
above checks is failed then user is given a prompt what to
do with this suspicious package.
What it is and what it is not.
------------------------------
This is NOT an anti-virus or anti-malware or smth like that.
Such type of program cannot guarantee 100% protection.
Opposite, this program audits downloaded packages on
matching _concrete_ policies. It report admin that some
package doesn't satisfy local rules and that it should be
verified manually. E.g. in case of using nonnative distribution
repository (Ubuntu PPA or upstream) you are able to meet
with such situation. Some maintainers think that they may
add their own repositories to repos list or add their PGP
keys to trusted list. Sometimes such actions are OK for
system, however, admin should be noticed about them. Also
admin should know all system changes made by installed
packages: adding users through install scripts, sysctl
settings, etc.
Bookmarks