Linux - Software: This forum is for Software issues.
01-10-2014, 07:56 AM
#1
Member
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 269
How to make apt-get execute a script?
Yes sir!
When using a Debian-based distro with the apt package manager, how can I make the package manager execute a certain script of my choice if the package manager modifies at least one file in a given folder? For example, I would like to have it use a script to automatically update a list of file hashes inside the /boot folder, and sign the hash list file with gpg, when updating the distro with the "apt-get upgrade" command. But this should only happen when at least one of the files inside the /boot folder has been modified, deleted, added, updated, etc.
Is this possible?
01-10-2014, 08:18 AM
#2
Senior Member
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Taken from /etc/apt/apt.conf.d/05etckeeper
Code:
DPkg::Pre-Invoke { "if [ -x /usr/sbin/etckeeper ]; then etckeeper pre-install; fi"; };
DPkg::Post-Invoke { "if [ -x /usr/sbin/etckeeper ]; then etckeeper post-install; fi"; };
RPM::Pre-Invoke { "if [ -x /usr/sbin/etckeeper ]; then etckeeper pre-install; fi"; };
RPM::Post-Invoke { "if [ -x /usr/sbin/etckeeper ]; then etckeeper post-install; fi"; };
So you would write a shell script that does your logic and have apt call it.
How to find out if files in /boot are altered could pose a challenge. Alternatively, you could md5sum everything within /boot in Pre-Invoke and again in Post-Invoke. Compare the two lists and you should be set.
01-10-2014, 08:59 AM
#3
Moderator
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
If you only want to monitor file changes in /boot I wouldn't do it with apt-get, but with inotify, a kernel subsystem to monitor file changes.
01-10-2014, 12:29 PM
#4
Member
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 269
Original Poster
Hmm, thank you for the suggestions. Personally I wanted to know whether apt has a feature that can signal whether files in a certain folder have been modified. From the looks of your answers I take it that it doesn't. I'm already aware of the pre-invoke and post-invoke hooks, and using them to pre/post compare was my fall-back idea. I wanted to use this to detect whether somebody has tampered with files on the boot partition, i.e. an evil maid, since I use full disk encryption on my Linux box. Obviously I would have to run a verification script in pre-invoke to see whether the files are still clean (abort if they're not), perform an upgrade, and verify again. If the second verification fails then the hashes need to be updated. Since apt is pretty much the only thing modifying files on the /boot partition, I thought it would be wise to run the update script within an apt-get hook. I'll also be executing the verify script on each boot to see if all the files are still intact. And P.S. I use sha256sum at least.
The inotify sounds like an interesting idea, but it does not detect modifications done from outside the OS, i.e. an adversary boots a live image and modifies the files on /dev/sda1. BTW, can the apt-get upgrade be stopped somehow from the pre-invoke script, i.e. the script returns 0?
01-13-2014, 02:55 AM
#5
Senior Member
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
To stop apt-get upgrade:
From etckeeper it seems to be enough if one of the hooks does not return 0. Or maybe some calls to db_subst (seems to be a debconf thingy). I guess man apt should shed some better light.
Quote:
Originally Posted by displace
The inotify sounds like an interesting idea, but it does not detect modifications done from outside the OS, i.e. an adversary boots a live image and modifies the files on /dev/sda1.
Also then he could change your checksum database. A reboot with different media should be taken as a breach and is quite hard to detect. He could even enable a virtual environment, replace md5sum with his own binary to return the right values, etc. A hard thing to tackle completely.
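An added example, not code from this thread: it puts together the two points raised above, the Pre-Invoke/Post-Invoke hook wiring from the etckeeper snippet in #2 and the question in #4/#5 about stopping an upgrade from the hook. It keeps a sha256 manifest of /boot, verifies it in Pre-Invoke (a non-zero exit from a Pre-Invoke command makes apt stop before dpkg runs, which is the abort the poster asked for), and refreshes it in Post-Invoke. The script path, manifest path, action names and the apt.conf.d file name are assumptions of this example; the gpg signing step the poster wants is shown as a comment because it needs a configured key.

```shell
#!/bin/sh
# Added example (not from the thread): sha256 manifest of /boot driven by
# apt's DPkg::Pre-Invoke / DPkg::Post-Invoke hooks. Assumed wiring, e.g. in
# /etc/apt/apt.conf.d/99boot-manifest (assumed file name and script path):
#   DPkg::Pre-Invoke  { "/usr/local/sbin/boot-manifest verify"; };
#   DPkg::Post-Invoke { "/usr/local/sbin/boot-manifest refresh"; };
# apt treats a non-zero exit of a Pre-Invoke command as an error and stops
# before dpkg is started, so a failed verify aborts the upgrade.

BOOT_DIR="${BOOT_DIR:-/boot}"
MANIFEST="${MANIFEST:-/var/lib/boot-manifest/sha256sums}"   # assumed location

# Print "<sha256>  ./relative/path" for every regular file under $1,
# sorted by path so two runs over identical trees give identical text.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare the stored manifest ($2) with the current contents of $1.
# Returns 0 if unchanged, 1 if any file was modified, added or deleted,
# 2 if no manifest exists yet (first run).
verify_manifest() {
    dir="$1" stored="$2"
    [ -f "$stored" ] || return 2
    current=$(make_manifest "$dir") || return 1
    if [ "$current" = "$(cat "$stored")" ]; then
        return 0
    fi
    # Report the differing entries on stderr: "<" lines are stale entries
    # (deleted files or pre-modification hashes), ">" lines are new or
    # modified files.
    printf '%s\n' "$current" | diff "$stored" - >&2 || true
    return 1
}

# Rewrite the stored manifest from the current tree (Post-Invoke step).
refresh_manifest() {
    dir="$1" stored="$2"
    mkdir -p "$(dirname "$stored")"
    make_manifest "$dir" > "$stored"
    # The poster's plan signs the list so tampering with the manifest itself
    # is detectable. With a configured key that would be, for example:
    #   gpg --detach-sign --armor "$stored"
    # and verify_manifest would run "gpg --verify" before trusting the file.
}

# Command-line entry point used by the apt hooks; does nothing when sourced.
case "${1:-}" in
    verify)
        verify_manifest "$BOOT_DIR" "$MANIFEST"
        rc=$?
        # A missing manifest on first use should not block every upgrade;
        # only a real mismatch (1) aborts apt.
        [ "$rc" -eq 1 ] && exit 1
        exit 0
        ;;
    refresh)
        refresh_manifest "$BOOT_DIR" "$MANIFEST"
        ;;
esac
```

Run as root with `BOOT_DIR` and `MANIFEST` left at their defaults, or override both to try it on a scratch directory first. Keeping the manifest outside /boot (the poster's point about the encrypted LVM container) means an attacker who only has the unencrypted boot partition cannot rewrite the list to match the files they changed, although, as #5 notes, it does not help once the running system itself is compromised.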
01-13-2014, 02:59 PM
#6
Member
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 269
Original Poster
Did I mention the database will be signed with gpg? Though there's even no need for the database to reside on the unencrypted /boot partition; it might as well sit inside the encrypted LVM container. However, that would make it harder to verify files from outside...
Yes, this does have its flaws, i.e. it will not be able to verify the signatures until after the rootfs has been decrypted, so I might as well get owned first, but at least I'll have an indication of it. Do you think it's possible to move the verification into initramfs itself? Though I'm unsure what benefits (if any) that would offer. An attacker could simply replace the initramfs image with his own...
Regards!
01-13-2014, 03:13 PM
#7
Moderator
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
The only somewhat secure approach to this I know of: do not have /boot on your hard disk. Use a removable medium that is always by your side or in a secure place, for example a safe.