Sometimes it can be handy to keep track of changes in your file system. For example, you may have a stable system, with nothing changing except for the user data in /home and the usual logs and temporary files in /var and /tmp. Or so you think. If someone compromised your system, they might replace scripts and programs anywhere in the system with ones that log passwords or provide back doors. It helps to have a couple of scripts on hand that find changed files. Two caveats apply to any such scheme: the recorded signatures are only as trustworthy as the copy you compare against, so keep them somewhere an intruder with root access cannot quietly regenerate them (read-only or removable media, or a copy on another host), and a signature check tells you that a recorded file changed or disappeared, not that a new file appeared. SHA-1 is no longer collision resistant, but detecting tampering with a file whose signature you already hold would require a second preimage, which is still out of reach; where sha256sum is available it is a drop-in replacement.
Code listing 3.5. The spygen script creates file signatures for the directories you specify.

#!/bin/sh
#
# Record file signatures for future
# comparison.
#
# Edit the following lines to customize
# this script for your needs.

# Destination location for the file
# signatures.
DEST_DIR=/var/spy

# Directories to take the signatures
# from:
SOURCE_DIRS="/bin /etc /lib /sbin /usr"

# End of customization... ready to go!

# Figure out which tool to use for
# signatures, based on our OS.
case $(uname) in
    Linux | CYGWIN*)
        SIG_TOOL=sha1sum
        ;;
    Darwin)
        # macOS ships shasum rather than sha1sum;
        # the output format is the same.
        SIG_TOOL="shasum -a 1"
        ;;
    FreeBSD)
        SIG_TOOL="sha1 -r"
        ;;
    *)
        echo "Unknown system: $(uname)" >&2
        exit 1
        ;;
esac

# Check to see if the DEST_DIR exists; if
# not, create it.
if [ ! -d "$DEST_DIR" ] ; then
    echo "Creating $DEST_DIR"
    mkdir -p "$DEST_DIR"
fi

# Loop through the SOURCE_DIRS and create
# a duplicate directory structure, with
# files containing signatures.  File names
# are read one per line (not split on
# whitespace) so names with spaces survive.
for d in $SOURCE_DIRS ; do
    if [ ! -d "$d" ] ; then
        echo "WARNING: skipping $d" >&2
        continue
    fi
    echo "Creating signatures for $d"
    find "$d" -type f | while IFS= read -r f ; do
        mkdir -p "$DEST_DIR$(dirname "$f")"
        $SIG_TOOL "$f" > "$DEST_DIR$f"
    done
done

To record file signatures
To check file signatures
Code listing 3.6. The spycheck script checks the signatures created by spygen against the files on your system.

#!/bin/sh
#
# Check previously recorded file
# signatures to help detect tampering.
#
# Edit the following lines to customize
# this script for your needs.

# Destination location for the file
# signatures.
DEST_DIR=/var/spy

# End of customization... ready to go!

# Fake sha1 checking tool for FreeBSD,
# which doesn't have a built-in method
# for checking signatures.
sha1checker() {
    # Load existing signature.
    sig="$(cat "$1")"
    # Extract the file name: sha1 -r prints
    # "hash filename", so drop everything
    # up to the first space.
    f=${sig#* }
    # Generate a sha1 signature for
    # the existing file.
    curr=$(sha1 -r "$f" 2>/dev/null)
    if [ "$sig" = "$curr" ] ; then
        echo "$f: OK"
    else
        echo "$f: FAILED"
    fi
}

# Figure out which tool to use for
# signatures, based on our OS.
case $(uname) in
    Linux | CYGWIN*)
        SIG_TOOL="sha1sum -c"
        ;;
    Darwin)
        SIG_TOOL="shasum -a 1 -c"
        ;;
    FreeBSD)
        SIG_TOOL=sha1checker
        ;;
    *)
        echo "Unknown system: $(uname)" >&2
        exit 1
        ;;
esac

# Go through the signatures in DEST_DIR
# and compare them to the files on your
# disk.  Only mismatches are printed; a
# file that has been deleted is also
# reported as FAILED.
find "$DEST_DIR" -type f | while IFS= read -r f ; do
    $SIG_TOOL "$f" 2>/dev/null | grep FAILED
done
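The two listings above walk only the signature tree, so a file an intruder adds is never reported, and every signature lives in its own file under DEST_DIR, which is awkward to copy onto read-only media. The following script is an added example, not code from the book or its author: it keeps one manifest of "hash  path" lines, hashes with SHA-256 where a tool for it exists, and on a check reports files that are MODIFIED, MISSING, or NEW. The function names (spy_gen, spy_check, hash_file), the manifest layout, and the order in which hashing tools are tried are this example's own assumptions.

```shell
#!/bin/sh
# Single-manifest variant of spygen/spycheck (added example, not from the
# original page).  Records "hash  path" lines for every regular file under
# the given directories and, on check, reports MODIFIED, MISSING and NEW
# files.  Function and manifest names are this example's own.
# Assumption: a SHA-256 tool is available (sha256sum on Linux/Cygwin,
# shasum on macOS, sha256 on FreeBSD).

export LC_ALL=C   # keep sort/comm collation consistent

# Print the SHA-256 hex digest of one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# spy_gen MANIFEST DIR...
# Write the manifest, sorted by path.  Unreadable files are skipped with a
# warning instead of silently recording an empty hash.
spy_gen() {
    manifest=$1; shift
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "WARNING: skipping $d" >&2
            continue
        fi
        find "$d" -type f | while IFS= read -r f; do
            if [ ! -r "$f" ]; then
                echo "WARNING: unreadable $f" >&2
                continue
            fi
            printf '%s  %s\n' "$(hash_file "$f")" "$f"
        done
    done | sort -k 2 > "$manifest"
}

# spy_check MANIFEST DIR...
# Compare the manifest with the disk.  Prints one line per difference and
# returns 1 if anything differs, 0 if the tree matches the manifest.
spy_check() {
    manifest=$1; shift
    status=0
    while IFS= read -r line; do
        recorded=${line%%  *}   # text before the first double space
        path=${line#*  }        # text after it (may contain spaces)
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(hash_file "$path")" != "$recorded" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"

    # Files on disk that the manifest never saw: the gap spycheck leaves,
    # because it only walks the signature tree.
    old=$(mktemp) && new=$(mktemp)
    sed 's/^[^ ]*  //' "$manifest" | sort > "$old"
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -type f
    done | sort > "$new"
    added=$(comm -13 "$old" "$new")
    rm -f "$old" "$new"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/NEW      /'
        status=1
    fi
    return $status
}

# Command-line entry point: spy.sh gen|check MANIFEST DIR...
spy_main() {
    cmd=$1; shift
    case $cmd in
        gen)   spy_gen "$@" ;;
        check) spy_check "$@" ;;
        *)     echo "usage: $0 gen|check MANIFEST DIR..." >&2; return 2 ;;
    esac
}
# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || spy_main "$@"
```

Generate the manifest with `spy.sh gen /mnt/readonly/manifest /bin /etc /lib /sbin /usr` while the system is known good, then run `spy.sh check` with the same arguments from cron or by hand; a non-zero exit means something was reported. Keep the manifest outside the scanned directories and off the host if you can, for the reason given above: an intruder who can rewrite it can simply regenerate it.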