minor

linux_hardening.md

@@ -749,11 +749,41 @@ ERC settings: `smartctl -l scterc /dev/sda` or setting `smartctl -l scterc,150,1
  - https://man7.org/linux/man-pages/man8/integritysetup.8.html
 
 
+## pacman based integrity check
+```
+pacutils: sudo paccheck --md5sum --quiet
+AUR: sudo check-pacman-mtree.lua -a
+```
+
 ## apt based integrity check
+<!-- 
+(https://askubuntu.com/posts/891158/timeline)
+
+For checking the integrity of an individual file in a package against the repositories, there's no easy way short of downloading the package. The repositories typically provide these files:
+
+* `Release{,.gpg}`, `InRelease` \- these provide the hashes of the `Packages` files.
+* The `Packages` file provides hashes of the packages.
+* The `Contents` file, where present, provides filelists of packages.
+
+There's no file which provides the hashes of individual files - these are contained in the packages (`DEBIAN/md5sums` in the `control` archive).
+
+So, if you don't trust the local system:
+
+1.  You'll have to download the `Contents` file (if available).
+2.  Match the file to the package using that file and download the package.
+3.  Then use the `md5sums` to verify the file.
+
+If a `Contents` file is not available, and you don't trust the local system, have fun downloading _every_ package to see what provided the file.
+
+This does not scale.
+-->
+
 ```
 #!/usr/bin/bash
 
 sed -n '/Conffiles/,/Description/p' /var/lib/dpkg/status | grep -v Conffiles | grep -v Description | awk '{print $2 " " $1}' > dpkg_hash.md5sum
 md5sum -c --quiet dpkg_hash.md5sum
 echo $?
-```
+debsums
+```
+At least this gets you a step in front of someone.