Linux Security Cookbook [Electronic resources] (text version)

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman


Recipe 1.17 Integrity Checking Manually



1.17.1 Problem


You can't use
Tripwire for administrative or political reasons, but you want to
snapshot your files for later comparison. You don't
have enough disk space to mirror your files.


1.17.2 Solution


Run a script like the following that stores pertinent information
about each file of interest, such as checksum, inode number, and
timestamp:

#!/bin/sh
# For each file named on the command line, print one tab-separated line:
# path, inode number, MD5 checksum, modification time.
for file
do
date=`/usr/bin/stat "$file" | /bin/grep '^Modify:' | /usr/bin/cut -f2- -d' '`
sum=`/usr/bin/md5sum "$file" | /usr/bin/awk '{print $1}'`
inode=`/bin/ls -id "$file" | /usr/bin/awk '{print $1}'`
/bin/echo -e "$file\t$inode\t$sum\t$date"
done

Store this script as /usr/local/bin/idfile (for
example). Use find to run this script on your important
files, creating a snapshot. Store it on read-only media. Periodically
create a new snapshot and compare the two with
diff.

This is not a production-quality integrity checker. It doesn't track file
ownership or permissions. It checks only ordinary files, not directories,
device special files, or symbolic links. Its tools (md5sum, stat, etc.) are
not protected against tampering.


1.17.3 Discussion



  1. Run the idfile script to create a
    snapshot file:

    # find /dir -xdev -type f -print0 | \
        xargs -0 -r /usr/local/bin/idfile > /tmp/my_snapshot

    This creates a snapshot file, basically a poor man's
    Tripwire database.

    /bin/arch   2222   7ba4330c353be9dd527e7eb46d27f923   Wed Aug 30 17:54:25 2000
    /bin/ash 2194 cef0493419ea32a7e26eceff8e5dfa90 Wed Aug 30 17:40:11 2000
    /bin/awk 2171 b5915e362f1a33b7ede6d7965a4611e4 Sat Feb 23 23:37:18 2002
    ...

    Note that idfile will process /tmp/my_snapshot itself, which will almost
    certainly differ next time you snapshot. You can use grep -v to eliminate
    the /tmp/my_snapshot line from the output.

    Be aware of the important options and limitations of find. [Recipe 9.8]


  2. In preparation for running the idfile script later
    from CD-ROM, modify idfile so all commands are
    relative to /mnt/cdrom/bin:

    #!/mnt/cdrom/bin/sh
    BIN=/mnt/cdrom/bin
    for file
    do
    date=`$BIN/stat "$file" | $BIN/grep '^Modify:' | $BIN/cut -f2- -d' '`
    sum=`$BIN/md5sum "$file" | $BIN/awk '{print $1}'`
    inode=`$BIN/ls -id "$file" | $BIN/awk '{print $1}'`
    $BIN/echo -e "$file\t$inode\t$sum\t$date"
    done

  3. Burn a CD-ROM with the following contents:

     Directory   Files
     /           my_snapshot
     /bin        awk, cut, echo, diff, find, grep, ls, md5sum, sh, stat, xargs, idfile



  4. Mount the CD-ROM at /mnt/cdrom.


  5. As needed, rerun the find and do a
    diff, using the binaries on the CD-ROM:

    #!/bin/sh
    BIN=/mnt/cdrom/bin
    $BIN/find /dir -xdev -type f -print0 | $BIN/xargs -0 -r $BIN/idfile > /tmp/my_snapshot2
    $BIN/diff /tmp/my_snapshot2 /mnt/cdrom/my_snapshot


This approach is not production-quality; it has some major weaknesses:


  • Creating the snapshot can be very slow, and creating new snapshots
    frequently may be cumbersome.


  • It doesn't check some important attributes of a
    file, such as ownership and permissions. Tailor the
    idfile script to your needs.


  • It checks only ordinary files, not directories, device special files,
    or symbolic links.


  • By running ls, md5sum, and the
    other programs in sequence, you leave room for
    race conditions during the generation
    of the snapshot. A file could change between the invocations of two
    of these tools.


  • If any of the
    executables are
    dynamically linked against libraries on the system, and these
    libraries are compromised, the binaries on the CD-ROM can
    theoretically be made to operate incorrectly.


  • If the mount point /mnt/cdrom is compromised,
    your CD-ROM can be spoofed.
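The snapshot-and-diff procedure in steps 1 to 5, and the first two weaknesses listed above, are easier to reason about with a runnable version. The script below is an added example, not code from the book: it is a snapshot/compare pair in the spirit of idfile that also records owner, group and mode (the attributes the recipe says idfile leaves out), uses sha256sum instead of md5sum, and reports added, removed and changed files rather than emitting a raw diff. It assumes GNU coreutils (stat --printf, sha256sum) and builds its own constructed directory tree under mktemp for the demonstration. Like the recipe's script it is still not atomic, and its tools are the host's binaries unless you run it from the CD-ROM as the recipe describes.

```shell
#!/bin/sh
# Added example, not the book's code: a snapshot/compare pair in the spirit of
# idfile that also records owner, group and mode.  Assumes GNU coreutils.

# snapshot DIR OUT
# Writes one tab-separated line per regular file under DIR, sorted by path:
#   path  inode  uid  gid  mode  size  mtime(epoch)  sha256
# Numeric uid/gid are stored rather than names so the record does not depend
# on /etc/passwd, which an intruder can edit.
snapshot() {
    dir=$1
    out=$2
    # Line-oriented on purpose: POSIX sh has no read -d ''.  File names that
    # contain a newline need the -print0 / xargs -0 form the recipe uses.
    find "$dir" -xdev -type f | LC_ALL=C sort | while IFS= read -r f; do
        # A file deleted between find and stat is simply skipped.
        meta=$(stat --printf '%i\t%u\t%g\t%a\t%s\t%Y' "$f") || continue
        sum=$(sha256sum "$f" | awk '{print $1}')
        printf '%s\t%s\t%s\n' "$f" "$meta" "$sum"
    done > "$out"
}

# compare OLD NEW
# Prints ADDED, REMOVED and CHANGED lines.  A difference in any recorded
# field (hash, inode, owner, group, mode, size, mtime) counts as a change.
compare() {
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$1] = $0; next }    # load the baseline
        {
            seen[$1] = 1
            if (!($1 in old))       print "ADDED\t" $1
            else if (old[$1] != $0) print "CHANGED\t" $1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: build a constructed tree, take a baseline, make one change of each
# kind, re-snapshot and print the report.  Needs no privileges.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/tree/bin"
    printf 'cat v1\n'  > "$tmp/tree/bin/cat"
    printf 'ls v1\n'   > "$tmp/tree/bin/ls"
    printf 'sh v1\n'   > "$tmp/tree/bin/sh"      # left untouched: must not be reported
    printf 'conf v1\n' > "$tmp/tree/etc.conf"
    chmod 755 "$tmp/tree/bin/ls"
    snapshot "$tmp/tree" "$tmp/snap1"

    printf 'cat v2\n' > "$tmp/tree/bin/cat"      # same size and inode, different hash
    chmod 4755 "$tmp/tree/bin/ls"                # mode only: content, size, inode, mtime unchanged
    printf 'new\n'    > "$tmp/tree/bin/extra"    # file added
    rm "$tmp/tree/etc.conf"                      # file removed
    snapshot "$tmp/tree" "$tmp/snap2"

    compare "$tmp/snap1" "$tmp/snap2"
    rm -rf "$tmp"
}

# Run as: sh snapshot_compare.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The chmod-only change on bin/ls is the case worth noticing: its hash, inode and modification time are identical in both snapshots, so the book's idfile (and a checksum-only comparison) would report nothing, while the mode field here flags it as CHANGED. The content change on bin/cat keeps the same size and inode, which is why a hash is needed at all.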




1.17.4 See Also


find(1), diff(1). Use a real integrity checker if possible. If you
can't use Tripwire, consider Aide (http://www.cs.tut.fi/~rammer/aidel) or
Samhain (http://la-samhna.de/samhain).
