If an attacker gains root access to your system, one of the first things he is likely to do is alter or replace one or more programs with one of his own making to enable him to gain access again in the future, or to use for launching attacks against other systems.
There are commercial programs available to automate the process of checking files on your system to see if they have been changed, such as Tripwire (see the sidebar "Tools for Monitoring Your System"). You can perform this type of check yourself with the freely available md5sum program.
Using md5sum to check for file changes
Mac OS X doesn't come with md5sum , but md5sum does come with the Fink tool, described in Chapter 13, "Installing Software from Source Code." If you have installed Fink, then you have md5sum installed (as /sw/bin/md5sum ).
The md5sum program creates and reads something called a message digest or checksum . A message digest is a compact summary of a file that is guaranteed to be different for different files. It is sometimes called a fingerprint for a file. Although much smaller than the file it represents (only 32 characters long in the case of md5sum ), an MD5 message digest for a file is different if even a single character in the file is changed.
You use md5sum to create MD5 message digests for files before an attack occurs, and then to save the digests on a read-only discfor example, by putting the list of checksums on a CD.
You can then periodically use md5sum to compare the message digests with the actual files to see if any of the files have been changed since the checksums were created.
The following tasks assume that you have md5sum installed on your system and that it is in your PATH .
To create an MD5 checksum of a single file:
To save MD5 checksums for every file in a directory:
Remember that you can redirect output and append to (instead of overwrite) an existing file by using the >> operator instead of the > operator. (Review Chapter 2, "Using the Command Line.") With this technique, you can create one big file of checksums from several directories.
Save the file containing the checksums on a CD-ROM (or other read-only media). Then, once a month (or more often if you suspect mischief), insert the CD-ROM and use md5sum to check the files for changes. See the next task for instructions.
You should consider generating MD5 checksums for all the files in /etc and for every directory in your PATH (review Chapter 7, "Configuring Your Environment with Unix," for more on your PATH ) and also for the /Applications directory.
Once you have a file containing MD5 checksums, you can have md5sum use the file as a reference to see if any of the files in the list have changed.
Note that md5sum will tell you only if the file's contents have changed. It will not look for changes in permissions, ownership, or modification date (a file could have been edited and saved with no actual changes, which would have updated its modification time).
To use md5sum to check a list of files for changes:
Generate a file containing a list of MD5 checksums as described in the previous task.
For example, if you followed the instructions for the task above, you will have a file called checksums.txt and will have saved it on a CD-ROM.
For this task, we assume that the file containing the checksums is on a CD-ROM called "checksums" and that you have inserted the CD-ROM into your machine. The full path to the checksums.txt file is /Volumes/checksums/checksums.txt
Tools for Monitoring Your System
There are many tools for monitoring system security. A good place to find a general roundup of available tools is SecureMac.com, a Web site devoted entirely to Mac security issues (www.securemac.com). It has news, security alerts, and software downloads, as well as tutorials and articles on Mac security.
Here are some useful tools:
Snort is an open -source intrusion-detection system. Documentation and source code are available at Snort.org (www.snort.org).
ettercap is a packet-sniffer/logging program from Ettercap that can be installed using Fink (http://ettercap. sourceforge .net).
Swatch is a tool for automating the watching of system log files, written in Perl. The official Web site for swatch is http://swatch.sourceforge.net/.
Tripwire is a commercial security tool capable of monitoring hundreds (or even thousands) of servers. Although the current version (3.3) doesn't list Mac OS X as a supported platform, it does list FreeBSD 4.4. In any event, Tripwire is widely used in large Unix installations, so you should at least be aware of it (www.tripwire.com).
| | md5sum -c checksumfile
option runs md5sum
in "check" mode. The checksumfile
argument is the path to the file where you saved the checksum in step 1.
md5sum -c /Volumes/checksums/ checksums.txt md5sum
reads the checksumfile
, and for each file listed md5sum
generates a new checksum and compares it with the one you saved. (Figure 12.12 is an example of what the checksums.txt file might contain.)
If the checksums do not match or if the original file is not found, then md5sum
issues a warning.
If the checksums match, then md5sum
produces no output for that line and moves on to the next line. So even if md5sum
checks a thousand files, it will produce output only if a checksum doesn't match or if a file is missing. (This is an example of the Unix standard "Silence means success.") Figure 12.13
shows an example in which md5sum
finds that two files in the list have changed and one file from the list is missing.
Figure 12.13. Using md5sum to examine a list of files. Three changes are found: Two files have changed, and one is missing.
localhost:~ vanilla$ md5sum -c /Volumes/checksums/checksums.txt md5sum: MD5 check failed for '/etc/afpovertcp.cfg' md5sum: MD5 check failed for '/etc/httpd/users/vanilla.conf' md5sum: can't open /etc/ssh_config.applesaved3 localhost:~ vanilla$
To be really useful for detecting security problems, MD5 checksums need to be saved somewhere they cannot be altered by an attacker. This means copying the file containing the checksum to a read-only media, such as a CD-ROM.