问题
For a cyber security competition I participate in, I'm given a Debian virtual machine with many packages installed and asked to clean extraneous or malicious packages.
In the past, I've used dpkg -l | grep [searchterm] and a list of common packages to preform this task. However, this is extremely inefficient and time-consuming.
To speed up my task, is there any way to search through the list of packages installed on a system for which processes have been installed by a user and are not system "default" packages?
回答1:
This command may shorten your work:
apt-mark showmanual
It is supposed to show what packages were installed "manually". It is not 100% reliable though, as many automatically installed packages are flagged as manually installed (because of reasons too long to describe here).
You may also (if allowed) run security tools such as clamav and/or rkhunter to scan your computer for malicious programs.
回答2:
Below is a line from a "health" script I run on my desktop every night. Besides gathering information from sensors, network usage, HDD temperature, etc. it also gets a list of all the software I've installed manually from the command line.
I'm running Kubuntu 14.04.5 (Trusty) at the moment and I don't know the details of any differences between Ubuntu and Debian's package management but hopefully this will work for you as well as it does for me.
( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon | egrep '^Commandline:' | egrep 'install' 1>>installed_packages.txt
回答3:
This takes into account also packages installed with aptitude (not only apt install or apt-get install, like Benny Hill's answer which I based on):
( ( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon ; ( zcat $( ls -tr /var/log/aptitude.*.gz ) ; cat /var/log/aptitude ) ) | egrep '^Commandline:.*install|^\[INSTALL\]' | sed 's#Commandline: ##' | awk '/INSTALL/ { print $2 }; !/INSTALL/ { print $0 }; ' 1>installed_packages.txt
Example output (the last line comes from aptitude logs):
apt-get install nodejs
apt install tidy
mc:amd64
回答4:
All Packages
Most all the code that I found for this question used a search from the history log:
$ cat /var/log/apt/history.log | grep 'apt-get install '
or listed all Debian Packages installed on the machine:
$ dpkg --get-selections
Manually Installed
I found the above answers to be inadequate as my history log was incomplete and I didn't want to do the work to separate built-in packages with manually installed packages. However, this solution did the trick of showing only manually initiated installed packages. This one uses the log: /var/log/dpkg.log, and it should be executed as a bash script.
#!/usr/bin/env bash
parse_dpkg_log() {
{
for FN in `ls -1 /var/log/dpkg.log*` ; do
CMD="cat"
[ ${FN##*.} == "gz" ] && CMD="zcat"
$CMD $FN | egrep "[0-9] install" | awk '{print $4}' \
| awk -F":" '{print $1}'
done
} | sort | uniq
}
list_installed=$(parse_dpkg_log)
list_manual=$(apt-mark showmanual | sort)
comm -12 <(echo "$list_installed") <(echo "$list_manual")
I found the code here: https://gist.github.com/UniIsland/8878469
回答5:
You may also look at the file /var/lib/apt/extended_states.
cat /var/lib/apt/extended_states | grep -B2 'Auto-Installed: 0'
This is useful if you want to know what was installed on an old partition.
回答6:
I dont know if it's possible to distiguich between user installation and default package installation, because the only way to install package is to have ROOT privillages. but you cat get all package installed and their status in one file by executing this command
dpkg --get-selections > installed_packages.txt
回答7:
An older question but a solution I came up with after finding this and a couple of other questions for a slightly different task. Trying to keep up to date a list of installed packages for system rebuilds. I found the following works pretty well:
comm -12 <(apt list --installed 2> /dev/null | cut -d '/' -f 1 | sort) <(history | grep -e "apt\(-get\)\? install" | grep -v -e "grep -e" | grep -v "./" | cut -d ' ' -f10 | sort)
This takes the list of all installed packages and compares to the history for packages being installed.
I'm assuming that packages are not being installed by evil actors trying to hide their tracks. Also a slightly nasty command apt list in a script however it does seem to work for now.
来源:https://stackoverflow.com/questions/41007182/debian-listing-all-user-installed-packages