{"id":17310500,"url":"https://github.com/kpcyrd/archlinux-userland-fs-cmp","last_synced_at":"2026-01-27T13:03:56.181Z","repository":{"id":217564416,"uuid":"744194730","full_name":"kpcyrd/archlinux-userland-fs-cmp","owner":"kpcyrd","description":"Forensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source","archived":false,"fork":false,"pushed_at":"2024-03-29T15:17:17.000Z","size":100,"stargazers_count":34,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-28T09:30:05.110Z","etag":null,"topics":["archlinux","forensics","integrity","pacman","rust","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpcyrd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-16T20:03:19.000Z","updated_at":"2024-11-18T08:51:07.000Z","dependencies_parsed_at":"2024-01-17T05:46:23.211Z","dependency_job_id":"ab8a7c3c-5f93-4488-ba50-d671ddf53905","html_url":"https://github.com/kpcyrd/archlinux-userland-fs-cmp","commit_stats":null,"previous_names":["kpcyrd/archlinux-userland-fs-cmp"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kpcyrd/archlinux-userland-fs-cmp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Farchlinux-userland-fs-cmp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Farchlinux-userland-fs-cmp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/kpcyrd%2Farchlinux-userland-fs-cmp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Farchlinux-userland-fs-cmp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpcyrd","download_url":"https://codeload.github.com/kpcyrd/archlinux-userland-fs-cmp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Farchlinux-userland-fs-cmp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28813230,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T12:25:15.069Z","status":"ssl_error","status_checked_at":"2026-01-27T12:25:05.297Z","response_time":168,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["archlinux","forensics","integrity","pacman","rust","security"],"created_at":"2024-10-15T12:37:24.818Z","updated_at":"2026-01-27T13:03:56.161Z","avatar_url":"https://github.com/kpcyrd.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# archlinux-userland-fs-cmp\n\nForensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source. 
This utilizes https://archive.archlinux.org; all files not coming from one of those packages are flagged for investigation.\n\n[![asciicast](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5.svg)](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5)\n\n## Features\n\n- The entire package is not fetched from the archive; as soon as the `.MTREE` has been received, the download is aborted. This currently relies on HTTPS for security, and some downloads are going to be redirected to archive.org (which is considered acceptable for what it's written for), but for added security it could be pointed to an IPFS folder (that has been calculated/authenticated ahead of time).\n- The mounted filesystem is hashed with a thread pool.\n- The scan needs `CAP_DAC_READ_SEARCH`, which usually requires root, but before accessing the mounted filesystem all unneeded kernel capabilities are removed (like `CAP_SYS_ADMIN`, `CAP_SETUID`, `CAP_DAC_OVERRIDE`, ...) and the process is then blocked from re-acquiring them.\n- The mounted filesystem is considered untrusted and may contain malicious changes; parsers are written in memory-safe languages, and files are only read, never executed.\n- The investigating live medium can be any Linux, like Debian or NixOS.\n\n## Usage\n\n```sh\narchlinux-userland-fs-cmp /mnt -x /home -o ~/report.txt\n```\n\nThis expects an Arch Linux install to be mounted on `/mnt` and is going to exclude `/mnt/home` from the scan.\n\n## Testing for development\n\nFor development, you may find this command useful:\n\n```sh\ncargo watch -- cargo run --release -- / -x /home -x /dev -x /proc -x /sys -x /run -x /var/cache -x /var/tmp # -x /var/lib/archbuild -x /nix -x /var/lib/repro ...\n```\n\nTo scan a smaller system with shorter output, try:\n\n```sh\npodman run -it --rm -v \"$PWD/target/x86_64-unknown-linux-musl/release/archlinux-userland-fs-cmp:/cmp:ro\" archlinux /cmp / -x /sys -x /proc -x /dev -x /var/lib/pacman/local -x /etc/ca-certificates/extracted\n```\n\n## Why not 
paccheck?\n\npacman can do its own integrity checks using:\n\n```\npaccheck --sha256sum --quiet\n```\n\nHowever, the Arch Linux wiki states:\n\n\u003e Note: This should **not** be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.\n\narchlinux-userland-fs-cmp implements this accordingly (use from a live medium is still advised, of course).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Farchlinux-userland-fs-cmp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpcyrd%2Farchlinux-userland-fs-cmp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Farchlinux-userland-fs-cmp/lists"}