Spying On Your File System


Sometimes it can be handy to keep track of changes in your file system. For example, you may have a stable system, with nothing changing except for the user data in /home and the usual logs and temporary files in /var and /tmp.

Or so you think. If someone compromised your system, he or she might replace scripts and programs anywhere in the system with ones that log passwords or provide back doors.

It might be helpful to have a couple of scripts on hand that will help you find changed files.

Tip

  • Mac OS X users will need to install the GNU textutils package to use these scripts, using the following Fink command in a Terminal window:

     sudo fink install textutils 


Code listing 3.5. The spygen script creates file signatures for the directories you specify.
    #!/bin/sh
    #
    # Record file signatures for future
    # comparison.

    # Edit the following lines to customize
    # this script for your needs.

    # Destination location for the file
    # signatures.
    DEST_DIR=/var/spy

    # Directories to take the signatures
    # from:
    SOURCE_DIRS="/bin /etc /lib /sbin /usr"

    # End of customization... ready to go!

    # Figure out which tool to use for
    # signatures, based on our OS.
    case $(uname) in
        Linux | CYGWIN* | Darwin)
            SIG_TOOL=sha1sum
            ;;
        FreeBSD)
            SIG_TOOL="sha1 -r"
            ;;
        *)
            echo "Unknown system: $(uname)"
            exit 1
            ;;
    esac

    # Check to see if the DEST_DIR exists; if
    # not, create it.
    if [ ! -d "$DEST_DIR" ] ; then
        echo "Creating $DEST_DIR"
        mkdir -p "$DEST_DIR"
    fi

    # Loop through the SOURCE_DIRS and create
    # a duplicate directory structure, with
    # files containing signatures.
    # (The $(find ...) loops split on
    # whitespace, so paths containing spaces
    # are not handled.)
    for d in $SOURCE_DIRS ; do
        if [ ! -d "$d" ] ; then
            echo "WARNING: skipping $d"
            continue
        fi
        for s in $(find "$d" -type d) ; do
            if [ ! -d "$DEST_DIR$s" ] ; then
                echo "Creating $DEST_DIR$s"
                mkdir -p "$DEST_DIR$s"
            fi
        done
        echo "Creating signatures for $d"
        for f in $(find "$d" -type f) ; do
            if [ -e "$DEST_DIR$f" ] ; then
                rm -f "$DEST_DIR$f"
            fi
            $SIG_TOOL "$f" > "$DEST_DIR$f"
        done
    done

To record file signatures

1. Log in as root, use su to become root, or use sudo to edit and run this script.

2. Using your favorite text editor, edit the spygen script (Code Listing 3.5) to customize the following values:

  • DEST_DIR This directory (which will be created if it doesn't exist already) will contain the file signatures. The signatures are created in a mirror of the source directories and stored in files with names matching the original file. For example, if signatures are made for /bin, $DEST_DIR/bin will end up with a file named sh containing the signature for /bin/sh.

  • SOURCE_DIRS A list of directories (note that you must enclose this list in double quotes) that will be included while creating signatures. If one of the SOURCE_DIRS doesn't exist during the scan, a warning is displayed.

3. Save spygen and make it executable by adding the executable mode:

     chmod 700 spygen

   Mode 700 is "readable, writable, and executable by owner," which will keep other users from reading, modifying, or running the script.

4. ./spygen

   Run the script to create (or update) your file signatures.

To check file signatures

1. Log in as root, use su to become root, or use sudo to edit and run this script.

2. Using your favorite text editor, edit the spycheck script (Code Listing 3.6) to customize the following value:

  • DEST_DIR The file signature directory. Set this to the same value as DEST_DIR in the spygen script.

3. Save spycheck and make it executable by adding the executable mode:

     chmod 700 spycheck

4. ./spycheck

   Run the script to check the file signatures. If none of the files have been tampered with, no messages will be printed. If changes are detected, the file's full path and the word FAILED will be displayed.

Code listing 3.6. The spycheck script checks the signatures created by spygen against the files on your system.
    #!/bin/sh
    #
    # Check previously recorded file
    # signatures to help detect tampering.

    # Edit the following lines to customize
    # this script for your needs.

    # Destination location for the file
    # signatures.
    DEST_DIR=/var/spy

    # End of customization... ready to go!

    # Fake sha1 checking tool for FreeBSD,
    # which doesn't have a built-in method
    # for checking signatures.
    sha1checker() {
        # Load existing signature.
        sig="$(cat "$1")"
        # Extract the file name.
        f=$(echo "$sig" | awk '{ print $2 }')
        # Generate a sha1 signature for
        # the existing file.
        curr=$(sha1 -r "$f")
        if [ "$sig" = "$curr" ] ; then
            echo "$f: OK"
        else
            echo "$f: FAILED"
        fi
    }

    # Figure out which tool to use for
    # signatures, based on our OS.
    case $(uname) in
        Linux | CYGWIN* | Darwin)
            # -c (check mode) reads "<hash>  <file>"
            # from the signature file and recomputes
            # the hash of <file>.
            SIG_TOOL="sha1sum -c"
            ;;
        FreeBSD)
            SIG_TOOL=sha1checker
            ;;
        *)
            echo "Unknown system: $(uname)"
            exit 1
            ;;
    esac

    # Go through the signatures in DEST_DIR
    # and compare them to the files on your
    # disk.
    for f in $(find "$DEST_DIR" -type f) ; do
        $SIG_TOOL "$f" | egrep FAILED
    done
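As an added example that is not part of the book, the same record-then-check flow in Python (hashlib in place of sha1sum), using the book's mirror layout of DEST_DIR + original path and the sha1sum "hash  path" line format. It goes one step beyond spycheck: besides OK and FAILED it reports MISSING (a baseline file that has vanished) and, for the directories you pass in, NEW (a file that was not there when the baseline was taken), which spycheck cannot see because it only walks the signature tree. The function names and arguments are my own.

```python
import hashlib
import os
from pathlib import Path

def sha1_of(path):
    """SHA-1 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_signatures(source_dirs, dest_dir):
    """spygen equivalent: write '<sha1>  <path>' (sha1sum format) into
    dest_dir + path, the mirror layout the book's scripts use.
    Symlinks are skipped, matching 'find -type f'. Returns files recorded."""
    count = 0
    for d in source_dirs:
        for p in Path(d).rglob("*"):
            if not p.is_file() or p.is_symlink():
                continue
            sig_file = Path(f"{dest_dir}{p}")
            sig_file.parent.mkdir(parents=True, exist_ok=True)
            sig_file.write_text(f"{sha1_of(p)}  {p}\n")
            count += 1
    return count

def check_signatures(dest_dir, source_dirs=()):
    """spycheck equivalent returning {path: status}. Besides OK/FAILED it
    reports MISSING (baseline file gone) and, for the given source_dirs,
    NEW (file absent when the baseline was taken)."""
    results = {}
    for sig_file in Path(dest_dir).rglob("*"):
        if not sig_file.is_file():
            continue
        # Signature lines are "<hash><two spaces><original path>".
        digest, _, original = sig_file.read_text().rstrip("\n").partition("  ")
        if not os.path.isfile(original):
            results[original] = "MISSING"
        elif sha1_of(original) != digest:
            results[original] = "FAILED"
        else:
            results[original] = "OK"
    # Anything on disk now that has no signature appeared after the baseline.
    for d in source_dirs:
        for p in Path(d).rglob("*"):
            if p.is_file() and not p.is_symlink() and str(p) not in results:
                results[str(p)] = "NEW"
    return results
```

Both this and the shell scripts trust a signature tree that lives on the same disk as the files it describes, so anyone able to alter /bin can also rewrite /var/spy; keep a copy of the baseline on read-only or offline media and compare against that.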



Source: Unix Advanced: Visual QuickPro Guide (ISBN 0321205499, 2003, 116 pages)