#!/bin/bash
# To run at startup and enable the old network interfaces:
# - download check.desktop, edit it with your username and copy it into ~/.config/autostart
# - sudo sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT="/&net.ifnames=0 biosdevname=0 /' /etc/default/grub && sudo update-grub
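#------------------------------------------Pre-steps---------------------------------------------------------------#
# Enable leds, I need it on my keyboard... uncomment the next line if you need it too
# xset led 3
# Re-execute under sudo so that everything below runs as root.
[ "$UID" -eq 0 ] || exec sudo "$0" "$@"
# Refresh the package index, but only when there is connectivity (best effort,
# output discarded); the real upgrade happens later once networking is up.
if ping -c1 www.google.com > /dev/null 2>&1; then
  echo "updating"
  apt update > /dev/null 2>&1
fi
# is_installed PKG — true when dpkg reports PKG in the installed state.
# "dpkg -l | grep -w NAME" also matched removed-but-not-purged packages and
# any other package whose listing line merely contains NAME.
is_installed() {
  dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'ok installed'
}
# Requirements available from the distribution repositories.
for pkg in figlet dmidecode lshw fwupd; do
  is_installed "$pkg" || apt-get install -y "$pkg"
done
# tpmtool is fetched as a .deb from its GitHub release page. TLS protects the
# transfer, not the content: nothing here checks who built the package or that
# it is the file the author intended. Put the SHA-512 of the release file in
# tpmtool_sha512 to have the download verified before dpkg installs it; the
# script records no digest, so an empty value only produces a warning.
readonly tpmtool_url=https://github.com/9elements/tpmtool/releases/download/v3/tpmtool_3_linux_amd64.deb
readonly tpmtool_sha512=""
if ! is_installed tpmtool; then
  tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
  deb="${tmpdir}/${tpmtool_url##*/}"
  if wget -q -O "$deb" "$tpmtool_url"; then
    if [ -n "$tpmtool_sha512" ]; then
      if ! printf '%s  %s\n' "$tpmtool_sha512" "$deb" | sha512sum -c --status -; then
        echo "tpmtool package does not match tpmtool_sha512, not installing" >&2
        rm -rf -- "$tmpdir"
        exit 1
      fi
    else
      echo "warning: tpmtool_sha512 is empty, installing an unverified package" >&2
    fi
    dpkg -i "$deb"
    # Pull in any dependencies dpkg -i could not satisfy.
    apt-get install -f -y
  else
    echo "warning: could not download tpmtool from ${tpmtool_url}" >&2
  fi
  rm -rf -- "$tmpdir"
fi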
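#------------------------------------------Variables declaration---------------------------------------------------------------#
echo "////////////////////////////////////////////////////////////////////////////"
# Block device whose lshw entry is baselined by the ssd checks below; set it
# to the disk you want watched (ssd or hdd).
readonly ssd=/dev/sda
# Network interface names. Nothing in this script reads them; they are kept
# as the place to record the names this machine uses.
readonly ethernet=eth0
readonly wireless=wlan0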
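#------------------------------------------Check for previous txt---------------------------------------------------------------#
# Every command from here on already runs as root: the script re-executes
# itself under sudo near the top, so the per-command sudo prefixes are gone.

# Directory holding the baseline ("_orig") and fresh ("_new") captures.
# The baseline sits on the same disk as the data it vouches for, so a match
# only shows that /sec and the measured item changed consistently; whoever can
# rewrite /boot can generally rewrite /sec as well.
readonly sec_dir=/sec

# Print the section separator.
banner() {
  echo "////////////////////////////////////////////////////////////////////////////"
}

#######################################
# Collectors: each prints the current value of one measured item to stdout.
# They are the only place that knows how an item is read, so baseline creation,
# comparison and refresh all see identical output.
#######################################
# SHA-512 of every regular file under /boot. Only /boot is walked even though
# the messages mention /efi; an EFI partition mounted elsewhere is not covered.
collect_boot_hashes() {
  find /boot -type f -exec sha512sum "{}" +
}
# BIOS section of the DMI table without the first output line (the tool's own
# header line, which is not firmware data).
collect_bios_info() {
  dmidecode --type bios | tail -n +2
}
# lshw disk entry around the configured $ssd device, with 5 lines of context.
collect_ssd_info() {
  lshw -class disk | grep -F -A 5 -B 5 -- "$ssd"
}
# TPM event-log entries for PCR 0 (the original comments call this the
# firmware / Boot Guard measurement).
collect_pcr0() {
  tpmtool eventlog dump | grep -A 3 'PCR: 0'
}
# TPM event-log entries around the initrd measurement (the original comments
# call these the PCR 8 / kernel entries).
collect_pcr8() {
  tpmtool eventlog dump | grep -E -A 1 -B 2 "initrd /"
}

# capture COLLECTOR FILE — run COLLECTOR and store its output in FILE.
# Writes through a temp file and refuses an empty result, so a collector that
# fails (tool missing, no TPM, pattern not found) cannot leave an empty
# baseline that later "matches" an equally empty capture. Returns 1 on failure
# and leaves FILE untouched.
capture() {
  local collector=$1 file=$2 tmp
  tmp=$(mktemp "${sec_dir}/.capture.XXXXXX") || return 1
  if "$collector" > "$tmp" && [ -s "$tmp" ]; then
    mv -f -- "$tmp" "$file"
  else
    rm -f -- "$tmp"
    return 1
  fi
}

# ensure_baseline STEM COLLECTOR LABEL ACTION_MSG — create the "_orig" file
# for STEM from COLLECTOR unless it already exists.
ensure_baseline() {
  local stem=$1 collector=$2 label=$3 action=$4
  local orig="${sec_dir}/${stem}_orig.txt"
  if [ -f "$orig" ]; then
    echo "${label} exist"
  else
    echo "$action"
    capture "$collector" "$orig" \
      || echo "warning: could not collect ${stem}, no baseline written" >&2
  fi
}

# tamper_prompt NEW_FILE — ask whether to go on after a mismatch. Answering y
# discards the fresh capture and records that a mismatch was accepted; n ends
# the script with a non-zero status (it used to exit 0, which reads as success
# to anything launching the script). Any other answer asks again.
tampered=0
tamper_prompt() {
  local new_file=$1 choice
  while true; do
    read -r -p "DATA WAS TAMPERED! Continue (y/n)?" choice
    case "$choice" in
      y|Y) echo "skipping..."; rm -f -- "$new_file"; tampered=1; return 0 ;;
      n|N) exit 1 ;;
    esac
  done
}

# check_item STEM COLLECTOR MATCH_TEXT [HINT] — capture the current value of
# STEM, diff it against the baseline and either report a match (removing the
# fresh capture) or print HINT and ask the user. A missing baseline or a
# failed capture skips the check with a warning instead of comparing empty
# files. The copy-pasted prompts used to delete bios_info_new.txt whichever
# item had mismatched; the item's own "_new" file is removed now.
check_item() {
  local stem=$1 collector=$2 match_text=$3 hint=${4:-}
  local orig="${sec_dir}/${stem}_orig.txt" new="${sec_dir}/${stem}_new.txt"
  if [ ! -f "$orig" ]; then
    echo "warning: no baseline for ${stem}, check skipped" >&2
    return 1
  fi
  if ! capture "$collector" "$new"; then
    echo "warning: could not collect ${stem}, check skipped" >&2
    return 1
  fi
  if diff -s "$orig" "$new"; then
    figlet "$match_text"
    rm -f -- "$new"
  else
    [ -n "$hint" ] && echo "$hint"
    tamper_prompt "$new"
  fi
}

# refresh_baseline STEM COLLECTOR — overwrite the baseline with the current
# value (done after the upgrade, since updates legitimately change /boot and
# firmware data). A failed capture keeps the previous baseline.
refresh_baseline() {
  local stem=$1 collector=$2
  capture "$collector" "${sec_dir}/${stem}_orig.txt" \
    || echo "warning: could not refresh ${stem}, previous baseline kept" >&2
}

echo "Checking folders and files"
# Created root-only; -m applies only when the directory is new.
mkdir -p -m 0700 "$sec_dir"
ensure_baseline sha512sum_list_boot collect_boot_hashes sha512sum_list_orig "List sha512sum of /boot and /efi partition"
ensure_baseline bios_info collect_bios_info bios_info_orig "Extract bios infos"
ensure_baseline ssd collect_ssd_info ssd_orig "Extract ssd infos"
ensure_baseline tpm.bootguard collect_pcr0 tpm.bootguard_orig "Extract tpm infos"
ensure_baseline tpm.kernel collect_pcr8 tpm.kernel_orig "Extract tpm infos"

#------------------------------------------Compare old to new---------------------------------------------------------------#
banner
echo "Checking for / boot and /efi partition changes"
check_item sha512sum_list_boot collect_boot_hashes "/BOOT & /EFI MATCH" \
  "If you have booted windows is totally normal that it's entries are different"
banner
echo "Extract bios infos"
check_item bios_info collect_bios_info "BIOS MATCH"
banner
echo "Extract ssd infos"
check_item ssd collect_ssd_info "SSD MATCH"
banner
echo "Extract tpm infos"
check_item tpm.bootguard collect_pcr0 "PCR 0 MATCH"
banner
echo "Extract tpm infos"
check_item tpm.kernel collect_pcr8 "PCR 8 MATCH" \
  "*Attention*: If you have upgraded the kernel, this check will fail on first reboot, because the TPM-based hash will have changed. This check will pass again after an additional reboot."

#------------------------------------------Bring up internet and change mac address---------------------------------------------------------------#
banner
echo "Bringing up Network Manager"
systemctl start NetworkManager.service
sleep 3

#------------------------------------------Update---------------------------------------------------------------#
banner
# Wait for connectivity; the pause keeps this from spinning at full speed.
echo "Waiting for network connection"
until ping -c1 www.google.com > /dev/null 2>&1; do
  sleep 1
done
banner
# Wait for any other package manager to release the dpkg/apt locks
# (lock-frontend is the one apt itself holds during a run).
while fuser /var/{lib/{dpkg,apt/lists},cache/apt/archives}/lock /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do
  sleep 1
  echo "Waiting... dpkg lock"
done
echo "Updating system"
apt update
apt upgrade -y
apt dist-upgrade -y
apt autoremove --purge -y
# Optional package systems, used only when the client that is actually invoked
# is on PATH (the original looked for a "snapd" binary but then ran "snap").
if command -v flatpak > /dev/null 2>&1; then
  flatpak update -y
  flatpak uninstall --unused
fi
if command -v snap > /dev/null 2>&1; then
  snap refresh
fi
if command -v fwupdmgr > /dev/null 2>&1; then
  fwupdmgr refresh
  fwupdmgr update -y
fi

#------------------------------------------Recalculate hashes and store on txt---------------------------------------------------------------#
banner
# Updates legitimately change /boot, firmware and TPM measurements, so the
# baselines are regenerated from the post-upgrade state. If a mismatch was
# accepted with "y" above, that state is what becomes the new baseline.
echo "Create sha512sum of the /boot partition"
refresh_baseline sha512sum_list_boot collect_boot_hashes
echo "Extract bios infos"
refresh_baseline bios_info collect_bios_info
echo "Extract ssd infos"
refresh_baseline ssd collect_ssd_info
echo "Extract tpm infos"
refresh_baseline tpm.bootguard collect_pcr0
refresh_baseline tpm.kernel collect_pcr8
if [ "$tampered" -ne 0 ]; then
  echo "Note: a mismatch was accepted earlier; the refreshed baselines include that state." >&2
fi
banner

#------------------------------------------Disable Internet at boot---------------------------------------------------------------#
# At startup internet will not be up
nmservice=$(systemctl is-enabled NetworkManager.service)
if [ "$nmservice" == "disabled" ]; then
  echo "Network Manager service is already disabled"
else
  echo "Disabling Network Manager service"
  systemctl disable NetworkManager.service
fi
banner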