The Nextcloud console (occ) includes a command to manually initiate a code signature check of installed apps or Nextcloud core.
A scan can be triggered using the following commands:
occ integrity:check-core (check that the signatures of all files included with a stock Nextcloud installation match the hashes specified in signatures.json)
occ integrity:check-app <app_id> (ditto, but for installed apps - this only works with apps that are marked “Featured” or that have opted in to code signing)
If one of the files being scanned does not match the expected code signature, occ will return a non-zero exit code - this lets us integrate the command into a Bash script.
Different courses of action can be taken depending on the result of the integrity scan - for example, you could configure your script to shut down PHP-FPM if occ detects that core files have been tampered with. This could protect against further data exfiltration in the event that the webserver is compromised.
The following is a script that does exactly as described above:
#!/bin/bash
# This script verifies the code signature of the Nextcloud installation
# If any of the components below fail verification, shut down PHP-FPM and stop serving web requests.
sudo -u www-data /usr/bin/php -f /var/www/html/occ integrity:check-core || /usr/sbin/service php8.0-fpm stop
sudo -u www-data /usr/bin/php -f /var/www/html/occ integrity:check-app passwords || /usr/sbin/service php8.0-fpm stop
sudo -u www-data /usr/bin/php -f /var/www/html/occ integrity:check-app files || /usr/sbin/service php8.0-fpm stop
sudo -u www-data /usr/bin/php -f /var/www/html/occ integrity:check-app encryption || /usr/sbin/service php8.0-fpm stop
The script could also trigger an email alert using sendmail or call a webhook.
Note that the integrity check also scans for files that have been removed or added - if you have a habit of dropping arbitrary content into your docroot, this will cause the scan to fail.
Once you’ve written the script, it should be installed into the user’s crontab so that scans are initiated at regular intervals. The scanning process is resource heavy, so you might want to limit the number of scans per day if your server is not particularly powerful to avoid slowdowns.
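A variant of the script above that runs every check, stops PHP-FPM once, and posts a single webhook alert naming the components that failed. This is an added example, not code from the original article: ALERT_URL is a placeholder endpoint, the form-encoded `text` field is an assumed payload format, and the `run` argument is a convention of this example.

```shell
#!/bin/bash
# Added example: collect all integrity failures, contain once, alert once.
# Paths and app names are taken from the article's script. ALERT_URL and the
# "text" form field are assumptions; replace them with your own webhook.
OCC_CMD=${OCC_CMD:-"sudo -u www-data /usr/bin/php -f /var/www/html/occ"}
STOP_CMD=${STOP_CMD:-"/usr/sbin/service php8.0-fpm stop"}
ALERT_URL=${ALERT_URL:-"https://alerts.example.invalid/nextcloud"}
APPS=${APPS:-"passwords files encryption"}

# Run every check and print the components that failed, space separated.
# occ exits non-zero when a signature does not match.
failed_components() {
    local failed="" app
    $OCC_CMD integrity:check-core >/dev/null 2>&1 || failed="core"
    for app in $APPS; do
        $OCC_CMD integrity:check-app "$app" >/dev/null 2>&1 \
            || failed="${failed:+$failed }$app"
    done
    printf '%s\n' "$failed"
}

# POST the message to the webhook; fail fast if the endpoint is unreachable.
send_alert() {
    curl -fsS -m 10 -X POST --data-urlencode "text=$1" "$ALERT_URL" >/dev/null
}

# Returns 0 when everything verified, 1 when PHP-FPM was stopped.
run_integrity_scan() {
    local failed
    failed=$(failed_components)
    [ -z "$failed" ] && return 0
    $STOP_CMD    # contain first: stop serving requests before notifying
    send_alert "Nextcloud integrity check failed on $(uname -n): $failed" || true
    return 1
}

# Scan only when invoked as "<script> run" (for example from cron), so the
# functions above can be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    run_integrity_scan
fi
```

A failed webhook call does not undo the shutdown: PHP-FPM is stopped before the alert is attempted, and the script still exits non-zero so cron can report the failure.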