1.17.1 Problem You can't use Tripwire for administrative or political reasons, but you want to snapshot your files for later comparison. You don't have enough disk space to mirror your files. 1.17.2 Solution Run a script like the following that stores pertinent information about each file of interest, such as checksum, inode number, and timestamp: #!/bin/sh for file do date=`/usr/bin/stat "$file" | /bin/grep '^Modify:' | /usr/bin/cut -f2- -d' '` sum=`/usr/bin/md5sum "$file" | /usr/bin/awk '{print $1}'` inode=`/bin/ls -id "$file" | /usr/bin/awk '{print $1}'` /bin/echo -e "$file\t$inode\t$sum\t$date" done Store this script as /usr/local/bin/idfile (for example). Use find to run this script on your important files, creating a snapshot. Store it on read-only media. Periodically create a new snapshot and compare the two with diff. This is not a production-quality integrity checker. It doesn't track file ownership or permissions. It checks only ordinary files, not directories, device special files, or symbolic links. Its tools (md5sum, stat, etc.) are not protected against tampering. 1.17.3 Discussion Run the idfile script to create a snapshot file: # find /dir -xdev -type f -print0 | \ xargs -0 -r /usr/local/bin/idfile > /tmp/my_snapshot This creates a snapshot file, basically a poor man's Tripwire database. /bin/arch 2222 7ba4330c353be9dd527e7eb46d27f923 Wed Aug 30 17:54:25 2000 /bin/ash 2194 cef0493419ea32a7e26eceff8e5dfa90 Wed Aug 30 17:40:11 2000 /bin/awk 2171 b5915e362f1a33b7ede6d7965a4611e4 Sat Feb 23 23:37:18 2002 ... Note that idfile will process /tmp/my_snapshot itself, which will almost certainly differ next time you snapshot. You can use grep -v to eliminate the /tmp/my_snapshot line from the output. Be aware of the important options and limitations of find. [Recipe 9.8] In preparation for running the idfile script later from CD-ROM, modify idfile so all commands are relative to /mnt/cdrom/bin: #!/mnt/cdrom/bin/sh BIN=/mnt/cdrom/bin for file do date=`$BIN/stat "$file" | $BIN/grep '^Modify:' | $BIN/cut -f2- -d' '` md5sum=`$BIN/sum "$file" | $BIN/awk '{print $1}'` inode=`$BIN/ls -id "$file" | $BIN/awk '{print $1}'` $BIN/echo -e "$file\t$inode\t$sum\t$date" doneBurn a CD-ROM with the following contents: | Directory | Files | | / | my_snapshot | | /bin | awk, cut, echo, diff, find, grep, ls, mdsum, sh, stat, xargs, idfile | Mount the CD-ROM at /mnt/cdrom. As needed, rerun the find and do a diff, using the binaries on the CD-ROM: #!/bin/sh BIN=/mnt/cdrom/bin $BIN/find /dir -xdev -type f -print0 | \ xargs -0 -r $BIN/idfile > /tmp/my_snapshot2 $BIN/diff /tmp/my_snapshot2 /mnt/cdrom/my_snapshot This approach is not production-quality; it has some major weaknesses: Creating the snapshot can be very slow, and creating new snapshots frequently may be cumbersome. It doesn't check some important attributes of a file, such as ownership and permissions. Tailor the idfile script to your needs. It checks only ordinary files, not directories, device special files, or symbolic links. By running ls, md5sum, and the other programs in sequence, you leave room for race conditions during the generation of the snapshot. A file could change between the invocations of two of these tools. If any of the executables are dynamically linked against libraries on the system, and these libraries are compromised, the binaries on the CD-ROM can theoretically be made to operate incorrectly. If the mount point /mnt/cdrom is compromised, your CD-ROM can be spoofed. 1.17.4 See Also find(1), diff(1). Use a real integrity checker if possible. If you can't use Tripwire, consider Aide (http://www.cs.tut.fi/~rammer/aide.html) or Samhain (http://la-samhna.de/samhain). |
