For some context, I had a former colleague who found himself working in a company with many compromised servers that had been owned for years with no immediate possibility of replacing them. Knowing that binaries had been modified, he had to verify the integrity of all systems. For this purpose, he created a small script to check everything.
#!/bin/bash
# Get packages list: every installed package as name=version, one per line
dpkg -l | awk '($1=="ii") {print $2"="$3}' > /tmp/pkgs

# Private apt configuration: download the .deb files only, into a cache
# under /tmp, using the system's own dpkg status as the package database
cat > /tmp/apt.conf <<__EOF
// Only needed if arch_of(broken_system) != uname -m
// APT::Architecture "amd64";
APT::Get::Download-Only "true";
APT::Get::Reinstall "true";
Dir "/"
{
  State::status "/var/lib/dpkg/status";
  Cache "/tmp/new-ar";
};
// the filesystem is read-only, hence we need no root permission to
// run apt-get to get file locks
Debug::NoLocking "true";
__EOF

# Install packages in a temp folder (download only, nothing is unpacked on /)
mkdir -p /tmp/new-ar/archives/partial
APT_CONFIG=/tmp/apt.conf apt-get --reinstall install $(cat /tmp/pkgs)

# Diff temp content with root: regenerate the md5sums from the freshly
# downloaded archives and report every installed file that differs from them
debsums --all --changed --generate=all --root=/ --deb-path=/tmp/new-ar/archives $(awk -F= '{print $1}' /tmp/pkgs)
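The comparison the script hands to debsums, as an added example that is not the author's script: it parses a .deb (an ar archive), hashes every regular file in its data.tar.*, and lists the files under a root directory that differ from or are missing against the freshly downloaded package, so the pristine archive is the reference rather than any checksum file already on the host. The build_deb and demo fixtures are constructed for illustration only.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path
AR_MAGIC = b"!<arch>\n"  # a .deb is an 'ar' archive holding debian-binary, control.tar.*, data.tar.*

def deb_md5sums(deb_path):
    """md5 of every regular file in data.tar.*, keyed by path relative to /, like 'debsums -g'."""
    sums = {}
    with open(deb_path, "rb") as f:
        assert f.read(8) == AR_MAGIC, "not an ar archive"
        while len(hdr := f.read(60)) == 60:  # 60-byte member header; odd-sized bodies get one pad byte
            name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58].decode())
            data = f.read(size + size % 2)[:size]
            if name.startswith("data.tar"):
                with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                    for m in filter(tarfile.TarInfo.isreg, tar.getmembers()):
                        sums[Path(m.name).as_posix()] = hashlib.md5(tar.extractfile(m).read()).hexdigest()
    return sums

def verify_root(deb_path, root):
    """Compare files under `root` with the pristine package; same idea as 'debsums --changed'."""
    report = {"changed": [], "missing": []}
    for rel, want in sorted(deb_md5sums(deb_path).items()):
        installed = Path(root, rel)
        if not installed.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(installed.read_bytes()).hexdigest() != want:
            report["changed"].append(rel)
    return report

def build_deb(deb_path, files):  # constructed fixture: a minimal .deb from {'usr/bin/x': bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, content in files.items():
            info = tarfile.TarInfo("./" + rel)  # Debian data tarballs use ./-relative member names
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    def member(name, data):  # ar header fields: name mtime uid gid mode size magic
        return f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode() + data + b"\n" * (len(data) % 2)
    with open(deb_path, "wb") as f:
        f.write(AR_MAGIC + member("debian-binary", b"2.0\n") + member("data.tar.gz", buf.getvalue()))

def demo():
    """Constructed scenario: one shipped file modified on the host, one deleted, one intact."""
    with tempfile.TemporaryDirectory() as tmp:
        deb = Path(tmp, "pkg.deb")
        build_deb(deb, {"usr/bin/ls": b"ls v1\n", "usr/bin/ps": b"ps v1\n", "etc/motd": b"hi\n"})
        Path(tmp, "root/usr/bin").mkdir(parents=True); Path(tmp, "root/etc").mkdir()
        Path(tmp, "root/usr/bin/ls").write_bytes(b"ls v1 plus an extra line\n")  # modified on host
        Path(tmp, "root/etc/motd").write_bytes(b"hi\n")  # intact; usr/bin/ps is never written: missing
        return verify_root(deb, Path(tmp, "root"))  # -> {'changed': ['usr/bin/ls'], 'missing': ['usr/bin/ps']}
```

Pointed at a real archive from /tmp/new-ar/archives and root=/, verify_root reports the same changed and missing files that the debsums line above prints for that package.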
All you have to do is make the script executable and run it :-)