Spying On Your File System

Sometimes it can be handy to keep track of changes in your file system. For example, you may have a stable system, with nothing changing except for the user data in /home and the usual logs and temporary files in /var and /tmp. Or so you think. If someone compromised your system, he or she might replace scripts and programs anywhere in the system with ones that log passwords or provide back doors. It might be helpful to have a couple of scripts on hand that will help you find changed files.

Code listing 3.5. The spygen script creates file signatures for the directories you specify.
```sh
#!/bin/sh
#
# Record file signatures for future
# comparison.

# Edit the following lines to customize
# this script for your needs.

# Destination location for the file
# signatures.
DEST_DIR=/var/spy

# Directories to take the signatures
# from:
SOURCE_DIRS="/bin /etc /lib /sbin /usr"

# End of customization... ready to go!

# Figure out which tool to use for
# signatures, based on our OS.
case $(uname) in
    Linux | CYGWIN* | Darwin)
        SIG_TOOL=sha1sum
        ;;
    FreeBSD)
        SIG_TOOL="sha1 -r"
        ;;
    *)
        echo Unknown system: $(uname)
        exit 1
        ;;
esac

# Check to see if the DEST_DIR exists; if
# not, create it.
if [ ! -d $DEST_DIR ] ; then
    echo Creating $DEST_DIR
    mkdir -p $DEST_DIR
fi

# Loop through the SOURCE_DIRS and create
# a duplicate directory structure, with
# files containing signatures.
for d in $SOURCE_DIRS ; do
    if [ ! -d $d ] ; then
        echo WARNING: skipping $d
        continue
    fi

    for s in $(find $d -type d) ; do
        if [ ! -d $DEST_DIR$s ] ; then
            echo Creating $DEST_DIR$s
            mkdir -p $DEST_DIR$s
        fi
    done

    echo Creating signatures for $d
    for f in $(find $d -type f) ; do
        if [ -e $DEST_DIR$f ] ; then
            rm -f $DEST_DIR$f
        fi
        $SIG_TOOL $f > $DEST_DIR$f
    done
done
```
To record file signatures
1. Log in as root, use su to become root, or use sudo to edit and run this script.

2. Using your favorite text editor, edit the spygen script (Code Listing 3.5) to customize the following values:

   DEST_DIR
   This directory (which will be created if it doesn't exist already) will contain the file signatures. The signatures are created in a mirror of the source directories and stored in files with names matching the original file. For example, if signatures are made for /bin, $DEST_DIR/bin will end up with a file named sh containing the signature for /bin/sh.

   SOURCE_DIRS
   A list of directories (note that you must enclose this list in double quotes) that will be included while creating signatures. If one of the SOURCE_DIRS doesn't exist during the scan, a warning is displayed.

3. Save spygen and make it executable by adding the executable mode:

   chmod 700 spygen

   Mode 700 is "readable, writable, and executable by owner," which will keep other users from reading, modifying, or running the script.

4. Run the script to create (or update) your file signatures:

   ./spygen
To check file signatures
1. Log in as root, use su to become root, or use sudo to edit and run this script.

2. Using your favorite text editor, edit the spycheck script (Code Listing 3.6) to customize the following value:

   DEST_DIR
   The file signature directory. Set this to the same value as DEST_DIR in the spygen script.

3. Save spycheck and make it executable by adding the executable mode:

   chmod 700 spycheck

4. Run the script to check the file signatures:

   ./spycheck

   If none of the files have been tampered with, no messages will be printed. If changes are detected, the file's full path and the word FAILED will be displayed.
Code listing 3.6. The spycheck script checks the signatures created by spygen against the files on your system.
```sh
#!/bin/sh
#
# Check previously recorded file
# signatures to help detect tampering.

# Edit the following lines to customize
# this script for your needs.

# Destination location for the file
# signatures.
DEST_DIR=/var/spy

# End of customization... ready to go!

# Fake sha1 checking tool for FreeBSD,
# which doesn't have a built-in method
# for checking signatures.
sha1checker() {
    # Load existing signature.
    sig="$(cat $1)"

    # Extract the file name.
    f=$(echo $sig | awk '{ print $2 }')

    # Generate a sha1 signature for
    # the existing file.
    curr=$(sha1 -r $f)

    if [ "$sig" = "$curr" ] ; then
        echo $f: OK
    else
        echo $f: FAILED
    fi
}

# Figure out which tool to use for
# signatures, based on our OS.
case $(uname) in
    Linux | CYGWIN* | Darwin)
        # sha1sum --check reads the recorded "hash  path"
        # line and verifies the named file against it.
        SIG_TOOL="sha1sum --check"
        ;;
    FreeBSD)
        SIG_TOOL=sha1checker
        ;;
    *)
        echo Unknown system: $(uname)
        exit 1
        ;;
esac

# Go through the signatures in DEST_DIR
# and compare them to the files on your
# disk.
for f in $(find $DEST_DIR -type f) ; do
    $SIG_TOOL $f | egrep FAILED
done
```
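The record-then-check cycle from both procedures above, as an added example that is not the book's spygen or spycheck code. It keeps all signatures in one sha1sum manifest instead of a mirror directory tree, lets find hand the file names straight to sha1sum so names containing spaces are hashed correctly (the for-over-find loops in the listings split such names on whitespace), and returns an exit status so a cron job can alert on it. The function names, the single-manifest layout, the sample tree it builds and the tampering it simulates are this example's own constructions; it assumes a Linux sha1sum that supports -c.

```shell
#!/bin/sh
# Added example (not the book's spygen/spycheck code): the same
# record-then-check cycle, but with one manifest file instead of a
# mirror tree, and with find -exec so file names containing spaces
# are hashed correctly. Assumes a Linux sha1sum that supports -c.

# record_signatures MANIFEST DIR...
#   Writes one "hash  path" line per regular file under each DIR.
record_signatures() {
    manifest="$1"; shift
    : > "$manifest"
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "WARNING: skipping $d" >&2
            continue
        fi
        # find passes the names directly to sha1sum, so no word
        # splitting happens, and "{} +" batches many files per call.
        find "$d" -type f -exec sha1sum {} + >> "$manifest"
    done
}

# check_signatures MANIFEST
#   Prints the path of every file whose hash no longer matches (or
#   that is missing) and returns 1 if there were any; returns 0
#   when every recorded file is unchanged.
check_signatures() {
    manifest="$1"
    # sha1sum -c prints "path: OK" or "path: FAILED..." per line; its
    # summary warning goes to stderr and is dropped. sed keeps only
    # the failing paths.
    failed=$(sha1sum -c "$manifest" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed"
        return 1
    fi
    return 0
}

# demo_tamper_detection
#   Builds a constructed tree in a temporary directory, records it,
#   confirms a clean check, overwrites one file the way an intruder
#   might, and verifies that only that file is reported. Returns 0
#   when every step behaves as expected.
demo_tamper_detection() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src/bin"
    printf 'echo hello\n' > "$tmp/src/bin/greet"
    printf 'unchanged\n' > "$tmp/src/bin/with space"

    # The missing directory only produces a warning, as in spygen.
    record_signatures "$tmp/spy.sha1" "$tmp/src" "$tmp/does-not-exist" 2>/dev/null
    # Two regular files, two manifest lines: the space in the name
    # did not split it into extra entries.
    [ "$(wc -l < "$tmp/spy.sha1")" -eq 2 ] || return 1

    # Nothing changed yet: the check must be silent and succeed.
    check_signatures "$tmp/spy.sha1" > "$tmp/out" || return 1
    [ ! -s "$tmp/out" ] || return 1

    # Simulated tampering: replace a script with a different one.
    printf 'echo replaced\n' > "$tmp/src/bin/greet"
    if check_signatures "$tmp/spy.sha1" > "$tmp/out"; then
        return 1          # a modified file went unreported
    fi
    # Exactly one line, naming the modified file.
    [ "$(wc -l < "$tmp/out")" -eq 1 ] || return 1
    grep -Fxq "$tmp/src/bin/greet" "$tmp/out" || return 1

    rm -rf "$tmp"
    return 0
}
```

On a real system you would run record_signatures as root once (for example over /bin /sbin /etc /lib /usr) and check_signatures from cron; the manifest deserves the same mode-700 treatment the book gives the scripts, since an intruder who can rewrite both a binary and its recorded hash defeats the check.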