From c8579244fb771242b6ce06e0fdb1d0e99e1e67f7 Mon Sep 17 00:00:00 2001 From: Marcel `sdrfnord` McKinnon Date: Wed, 11 Jun 2014 13:30:19 +0200 Subject: [PATCH] Minor improvements: Spell checking and added section "Limitations". --- README.md | 18 ++++++++++++------ chkboot | 7 ++----- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 554f79b..9ac6665 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,12 @@ reboots. Since the scripts and the data they generate are stored on the encrypted part of the disk, any attempts to modify the boot partition between reboots will be detected. +Limitations +------------ + +Be aware that chkboot can *not* protect you against: +* a trojan hiding in your BIOS +* rootkits that mimmick the old files Description ------------ @@ -21,15 +27,15 @@ had changes made to them is kept, but the short term list meant to alert the user is erased the next time `chkboot` is run. `chkboot-check`: This file can be run by anyone who can view /var/lib/chkboot, -and will display a warning a the list of changed files if any were detected last +and will display a warning and the list of changed files if any were detected last time chkboot was run. -`chkboot.conf`: Contans settings for your configuration, including which +`chkboot.conf`: Contains settings for your configuration, including which alert types will be used. Alert types are currently on shell login via '/etc/profile.d' and in the vterm header by modifying '/etc/issue' `INITCPIO SUPPORT`: If your system uses initcpio, add 'chkboot' to the end of -your modules array to have chkboot run automatically when you upgrade linux. +your modules array to have chkboot run automatically when you upgrade Linux. `SYSTEMD SUPPORT`: If your system uses systemd, you should enable the chkboot service to have your boot partitioned checked every time your system starts. 
@@ -55,7 +61,7 @@ make install-initcpio make install-systemd ``` -Manual Installation +Manual Installation ------------------- ### Everything should be installed as shown below @@ -74,7 +80,7 @@ Ubuntu), add the following line to `/etc/rc.local`: /usr/bin/chkboot & ``` -### REQUIRES INITCPIO: +### REQUIRES INITCPIO: Add `chkboot` to the end of the 'HOOKS' array in `/etc/mkinitcpio.conf` @@ -88,7 +94,7 @@ Run `systemctl --system daemon-reload` and then `systemctl enable chkboot` ### OPTIONAL: -`chkboot-bootcheck` can be installed elsewhere and added to the startup sequence +`chkboot-bootcheck` can be installed elsewhere and added to the startup sequence with another system: ``` diff --git a/chkboot b/chkboot index 22d66fb..0d55475 100755 --- a/chkboot +++ b/chkboot @@ -7,9 +7,6 @@ # # license: GPLv2 # -# a reminder that this will NOT protect against: -# -a trojan hiding in your BIOS -# -rootkits that mimmick the old files CHKBOOT_CMD=$(echo "$0" | sed 's/.*\///g') @@ -45,14 +42,14 @@ if [ ! -z "$1" ]; then echo -e "Invalid argument: ${1}" help exit 1 - fi + fi else CHANGED="0" fi install -d "$CHKBOOT_DATA" -# delete the previous +# delete the previous if [[ -s "${CHANGES_ALERT}" ]]; then # restore /etc/issue if it's been modified if [ ! $(grep -c "CHKBOOT ALERT" /etc/issue) = 0 ]; then
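Review bot: After the header hunk of `chkboot` (`@@ -7,9 +7,6 @@`), the script itself no longer says what it cannot detect, and the README that now holds the "Limitations" section may not be installed alongside `/usr/bin/chkboot`. Someone auditing only the installed script would lose the caveat that a trojan in the BIOS, or a rootkit that mimics the old files, is outside what chkboot can catch. I would keep a one-line pointer in the header, e.g. `# Limitations (BIOS trojans, rootkits that mimic the old files): see README.md`. The rest of the header lies outside the hunk, so this assumes it carries no such note elsewhere.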