Try: pkg_delete -n /var/db/pkg/*
Look for any lines mentioning files are missing or files have the wrong hash.

For example, I added a '.' to README.OpenBSD in qemu:

    $ pkg_delete -n qemu
    /usr/sbin/pkg_delete should be run as root
    Pretending to delete qemu-0.9.1p4
    Problem: checksum doesn't match for /usr/local/share/doc/qemu/README.OpenBSD
    NOT deleting: /usr/local/share/doc/qemu/README.OpenBSD
    remove dependency on sdl-1.2.13p6
    --- qemu-0.9.1p4 -------------------
    Couldn't delete /usr/local/share/doc/qemu/README.OpenBSD (bad checksum)

Problem being, regardless of the OS, unless you boot from clean media and
execute no binaries etc. from the compromised system's disk or any other
files the compromised system has access to, you really can never trust
anything you see or any programs you run.

So, the above is only valid if you want to check for disk corruption, really.

-- 
Todd Fries

Penned by jul on 20081219 20:08.11, we have:
| Stuart Henderson wrote on 18/12/08 21:14:
| > On 2008-12-18, jul <[email protected]> wrote:
| >> a small question, is there any way to check integrity of installed
| >> packages' binaries ?
| >
| > yes, by (ab)using pkg_create:
| >
| > for i in `find /var/db/pkg -name +CONTENTS`; do
| >     pkg_create -nf $i > /dev/null
| > done
|
|
| exactly, what i want.
|
| thanks a lot stuart
|
| for archives, seriously and as said before, it's only one step in
| investigation. it doesn't replace a dd + forensic analysis for a
| compromised host.
| But when you are suspicious and there is no mtree/samhain/aide/else, it
| helps.
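
Added example, not part of the original message: a small filter that reduces the `pkg_delete -n` output shown above to one "package, file" line per checksum mismatch and exits non-zero when any is found. The function names and the second package line in the sample are constructed for illustration, and the parser assumes the message wording quoted in the post.

```shell
#!/bin/sh
# Reads `pkg_delete -n` output on stdin and prints "package<TAB>path" for
# every file whose checksum does not match its packing list.
# Exit status: 0 = no mismatch seen, 1 = at least one mismatch.
report_mismatches() {
    awk '
        # Remember which package the following lines belong to.
        /^Pretending to delete / { pkg = $4; next }
        # "doesn.t" matches the apostrophe without breaking shell quoting.
        /^Problem: checksum doesn.t match for / {
            path = $0
            sub(/^Problem: checksum doesn.t match for /, "", path)
            printf "%s\t%s\n", (pkg == "" ? "unknown" : pkg), path
            found = 1
        }
        END { exit (found + 0) }
    '
}

# Constructed sample: the qemu lines are the output quoted in the post,
# the final sdl line is added to show a package with no findings.
sample_output() {
    cat <<'EOF'
/usr/sbin/pkg_delete should be run as root
Pretending to delete qemu-0.9.1p4
Problem: checksum doesn't match for /usr/local/share/doc/qemu/README.OpenBSD
NOT deleting: /usr/local/share/doc/qemu/README.OpenBSD
remove dependency on sdl-1.2.13p6
--- qemu-0.9.1p4 -------------------
Couldn't delete /usr/local/share/doc/qemu/README.OpenBSD (bad checksum)
Pretending to delete sdl-1.2.13p6
EOF
}

# Demo on the sample. On a real system the input would instead be:
#   pkg_delete -n /var/db/pkg/* 2>&1 | report_mismatches
# (2>&1 is an assumption so messages on either stream are seen.)
sample_output | report_mismatches || echo "checksum mismatches found" >&2
```

As the post says, a clean result from a running system only rules out disk corruption; on a suspected compromise the same check has to be run from clean boot media.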

