Monitoring Files for Changes

If an attacker gains root access to your system, one of the first things he is likely to do is alter or replace one or more programs with one of his own making to enable him to gain access again in the future, or to use for launching attacks against other systems.

There are commercial programs available to automate the process of checking files on your system to see if they have been changed, such as Tripwire (see the sidebar "Tools for Monitoring Your System"). You can perform this type of check yourself with the freely available md5sum program.

Using md5sum to check for file changes

Mac OS X doesn't come with md5sum, but md5sum does come with the Fink tool, described in Chapter 13, "Installing Software from Source Code." If you have installed Fink, then you have md5sum installed (as /sw/bin/md5sum).

The md5sum program creates and reads something called a message digest or checksum. A message digest is a compact summary of a file that is guaranteed to be different for different files. It is sometimes called a fingerprint for a file. Although much smaller than the file it represents (only 32 characters long in the case of md5sum), an MD5 message digest for a file is different if even a single character in the file is changed.

You use md5sum to create MD5 message digests for files before an attack occurs, and then save the digests on a read-only disc, for example, by putting the list of checksums on a CD.

You can then periodically use md5sum to compare the message digests with the actual files to see if any of the files have been changed since the checksums were created.

The following tasks assume that you have md5sum installed on your system and that it is in your PATH.

To create an MD5 checksum of a single file:

  • md5sum file

    For example,

    md5sum /bin/ps

    generates an MD5 checksum of the file /bin/ps (which is a setuid root program; finding programs that are setuid root is covered earlier in this chapter).

    The output from md5sum is a single line showing the checksum and the file path it was generated from. For example,

     aa37faf342591346cf6c7bd661bdc42c  /bin/ps 


  • It is best to use a full path when creating an MD5 checksum if you are going to save the checksum for later use (see the next task). If you use a relative path, you will need to be in the same current directory when you check the file later as you did when you created the checksum.

To save MD5 checksums for every file in a directory:

  • sudo find -L path -type f -print0 | xargs -0 sudo md5sum > checksums.txt

    This creates a file (checksums.txt) containing an MD5 checksum for every file inside the path directory. For example, if path is /etc, then the checksums.txt file will contain message digests for every file in /etc. Figure 12.12 shows a portion of that file.

    Figure 12.12. Partial list of MD5 checksums generated with sudo find -L /etc -type f -print0 | xargs -0 sudo md5sum > checksums.txt.

     e55afe6e88abb09f0bee39549f1dfbbd  /etc/afpovertcp.cfg
     2853942e1130c71462ceb0e14298005c  /etc/aliases
     223e4dc957db876a4ba062d27cd80de2  /etc/aliases.db
     6d0bb903a21cb10ae7d4ea7480caf770  /etc/appletalk.cfg
     6c7ea61072ab60ee211a3b6b227e1c08  /etc/authorization
     03e795153c4d2989a905c564054a367a  /etc/bashrc
     670137f7b27cea11f82d494f6a38b869  /etc/crontab
     5ac352c94e115a608aaea5e92598793d  /etc/csh.cshrc
     4e8f734718af35186084e88c59ac2536  /etc/csh.login
     a78abc32d5d5f6967f46106879ff8406  /etc/csh.logout
     7b5c15f3d613b148cb883d8795dcef4a  /etc/daily
     e5f2ad07e4bc451fb6ccb3107aac248e  /etc/group
     5889556f9dd9e9b551d19195dfefc6d6  /etc/hostconfig
     e798bde840c94334378c9080e55317c3  /etc/hostconfig.system_default
     b4f013ca7bf96a709438817f6440d974  /etc/httpd/httpd.conf
     966328a6348ea217d93c7d627dff6330  /etc/httpd/magic
     81d6686ca86c74b4afc93fac359f544c  /etc/httpd/mime.types
     2ddb6e29cf197be5cee45c4869e5c4a9  /etc/httpd/users/matisse.conf
     3ab54679c8551eefb72205bdafa83912  /etc/httpd/users/vanilla.conf
     d406d67cc38e0a4ca473d015bfb58e50  /etc/ssh_config
     d406d67cc38e0a4ca473d015bfb58e50  /etc/ssh_config.applesaved
     d406d67cc38e0a4ca473d015bfb58e50  /etc/ssh_config.applesaved2
     d406d67cc38e0a4ca473d015bfb58e50  /etc/ssh_config.applesaved3

    Here we use the /etc directory as an example, but it should be clear that you can use the same technique for any directory on the system. Simply replace /etc with another directory name.

    Review the find command in Chapter 4. We use the -L option to find (follow symbolic links) because the /etc directory is actually a symbolic link to /private/etc (a Mac OS X peculiarity).


  • Remember that you can redirect output and append to (instead of overwrite) an existing file by using the >> operator instead of the > operator. (Review Chapter 2, "Using the Command Line.") With this technique, you can create one big file of checksums from several directories.

  • Save the file containing the checksums on a CD-ROM (or other read-only media). Then, once a month (or more often if you suspect mischief), insert the CD-ROM and use md5sum to check the files for changes. See the next task for instructions.

  • You should consider generating MD5 checksums for all the files in /etc and for every directory in your PATH (review Chapter 7, "Configuring Your Environment with Unix," for more on your PATH) and also for the /Applications directory.

Once you have a file containing MD5 checksums, you can have md5sum use the file as a reference to see if any of the files in the list have changed.

Note that md5sum will tell you only if the file's contents have changed. It will not look for changes in permissions, ownership, or modification date (a file could have been edited and saved with no actual changes, which would have updated its modification time).

To use md5sum to check a list of files for changes:

1. Generate a file containing a list of MD5 checksums as described in the previous task.

For example, if you followed the instructions for the task above, you will have a file called checksums.txt and will have saved it on a CD-ROM.

For this task, we assume that the file containing the checksums is on a CD-ROM called "checksums" and that you have inserted the CD-ROM into your machine. The full path to the checksums.txt file is


Tools for Monitoring Your System

There are many tools for monitoring system security. A good place to find a general roundup of available tools is, a Web site devoted entirely to Mac security issues ( It has news, security alerts, and software downloads, as well as tutorials and articles on Mac security.

Here are some useful tools:

Snort is an open-source intrusion-detection system. Documentation and source code are available at (

ettercap is a packet-sniffer/logging program from Ettercap that can be installed using Fink (http://ettercap.sourceforge.net).

Swatch is a tool for automating the watching of system log files, written in Perl. The official Web site for swatch is

Tripwire is a commercial security tool capable of monitoring hundreds (or even thousands) of servers. Although the current version (3.3) doesn't list Mac OS X as a supported platform, it does list FreeBSD 4.4. In any event, Tripwire is widely used in large Unix installations, so you should at least be aware of it (

2. md5sum -c checksumfile

The -c option runs md5sum in "check" mode. The checksumfile argument is the path to the file where you saved the checksum in step 1.

For example,

     md5sum -c /Volumes/checksums/checksums.txt

md5sum reads the checksumfile, and for each file listed md5sum generates a new checksum and compares it with the one you saved. (Figure 12.12 is an example of what the checksums.txt file might contain.)

If the checksums do not match or if the original file is not found, then md5sum issues a warning.

If the checksums match, then md5sum produces no output for that line and moves on to the next line. So even if md5sum checks a thousand files, it will produce output only if a checksum doesn't match or if a file is missing. (This is an example of the Unix standard "Silence means success.")

Figure 12.13 shows an example in which md5sum finds that two files in the list have changed and one file from the list is missing.

Figure 12.13. Using md5sum to examine a list of files. Three changes are found: Two files have changed, and one is missing.
     localhost:~ vanilla$ md5sum -c /Volumes/checksums/checksums.txt
     md5sum: MD5 check failed for '/etc/afpovertcp.cfg'
     md5sum: MD5 check failed for '/etc/httpd/users/vanilla.conf'
     md5sum: can't open /etc/ssh_config.applesaved3
     localhost:~ vanilla$


  • To be really useful for detecting security problems, MD5 checksums need to be saved somewhere they cannot be altered by an attacker. This means copying the file containing the checksums to read-only media, such as a CD-ROM.
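As noted earlier, md5sum reports only content changes, and md5sum -c reads only the paths listed in the checksum file, so a file added after the baseline was taken is never reported. The script below is an added example, not code from the book: it records the mode and numeric owner next to each digest and also reports added files. The baseline line format and the function names snapshot, compare and demo are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the book. Assumed baseline line format:
#   <md5> <mode> <uid>:<gid> <path>      (paths must not contain newlines)

# snapshot DIR: print one baseline line per regular file under DIR.
snapshot() {
    find -L "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(md5sum < "$f" | awk '{print $1}')
        meta=$(ls -lnLd "$f" | awk '{print $1, $3 ":" $4}')
        printf '%s %s %s\n' "$sum" "$meta" "$f"
    done
}

# compare BASELINE DIR: report what differs between the saved baseline and DIR.
compare() {
    snapshot "$2" | awk -v base="$1" '
        # Strip the three leading fields; the remainder is the path.
        function path(s) { sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", s); return s }
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, f, " "); p = path(line)
                sum[p] = f[1] ""          # "" forces string comparison later
                meta[p] = f[2] " " f[3]
            }
        }
        {
            p = path($0); seen[p] = 1
            if (!(p in sum))               print "ADDED " p
            else if (sum[p] != $1)         print "CHANGED " p
            else if (meta[p] != $2 " " $3) print "META " p
        }
        END { for (p in sum) if (!(p in seen)) print "MISSING " p }
    ' | LC_ALL=C sort
}

# demo: constructed sample tree with one change of each kind.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree"
    for n in a b c; do echo "$n" > "$d/tree/$n.conf"; done
    chmod 644 "$d/tree/"*.conf
    snapshot "$d/tree" > "$d/baseline.txt"  # in practice, kept on read-only media
    echo tampered >> "$d/tree/a.conf"       # content change
    chmod 755 "$d/tree/b.conf"              # permission change only
    rm "$d/tree/c.conf"                     # file removed
    echo new > "$d/tree/d.conf"             # file absent from the baseline
    compare "$d/baseline.txt" "$d/tree" | sed "s|$d/tree/||"
    rm -rf "$d"
}
demo
```

A setuid bit added to a program shows up as a META line in the same way as the chmod in the demo, because the mode string is part of the recorded metadata.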

Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer
