Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-04-2003, 11:53 AM
#1
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Critical system file's.
Hello!
I wrote a small script that run's from 'crond' that find's modified file's in my system every Monday at 4:30 am. I would like to know what the critical system file's are to keep my system running at a very basic level, so when my script run's I will be able to learn/check the most important file's. *hoping there aren't too many*
Thank you, Tarts.
Last edited by Tarts; 10-04-2003 at 11:54 AM.
10-04-2003, 01:06 PM
#2
Guru
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018
I think you may want to cut down on the apostrophes a little bit
As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
10-04-2003, 01:33 PM
#3
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by wapcaplet
I think you may want to cut down on the apostrophes a little bit
The sad truth is that in my attempt at perfecting my writing style, I've gone completely overboard, making the reader sour and befuddled.
Quote:
As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
I will take note of that, and possibly see if I can make changes to my script to be aware of those directories.
Thanks, Tarts.
10-04-2003, 03:07 PM
#4
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Here is my script:
Code:
#!/bin/bash
# Check modification of files
# To use, first run 'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'
MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
TMP=/tmp.txt
TMP1=/tmp1.txt
# List everything modified or changed within the last six days (days 0 to 5).
# find ignores its standard input, so chaining finds with pipes only kept the
# output of the last one; a single find with -mtime -6 / -ctime -6 covers the range.
find / \( -mtime -6 -o -ctime -6 \) > "$MODTIME"
tree "$SBIN" > "$TMP" && tree "$USRSBIN" > "$TMP1"
# cmp exits non-zero when the cached directory listing differs from the fresh one.
if ! cmp "$DIRCACHE" "$TMP" > /dev/null; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." | wall
fi
if ! cmp "$DIRCACHE1" "$TMP1" > /dev/null; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." | wall
fi
# Any path under /etc in the recently-modified list means a configuration file changed.
if "$GREP" "^$ETC/" "$MODTIME" > /dev/null 2>&1; then
    echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." | wall
fi
rm -f "$TMP" "$TMP1"
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0
Kinda the same as tripwire; I was trying to write something to do the same.
Thanks.
Last edited by Tarts; 10-05-2003 at 04:10 PM.
10-07-2003, 06:10 AM
#5
Moderator
Registered: May 2001
Posts: 24,814
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
10-07-2003, 11:58 AM
#6
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by unSpawn
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
Any advice on a command of some sort?
Quote:
Another quote from unSpawn
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
Good idea, will implement!
Last edited by Tarts; 10-07-2003 at 11:59 AM.
10-07-2003, 12:11 PM
#7
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
10-07-2003, 12:21 PM
#8
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by stickman
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
Got it, someone could just use 'touch' to make the modification time prior to 5 days. I found a command called 'cksum', that should do it.
I'm kinda upset; I don't think I can run this as a 'crond' job if it's on read-only media...
Thanks for the advice everyone.
10-08-2003, 09:29 AM
#9
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Quote:
Originally posted by Tarts
I'm kinda upset; I don't think I can run this as a 'crond' job if it's on read-only media...
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
10-08-2003, 02:04 PM
#10
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by stickman
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
How about I just have a copy on read-only media; then if ever I'm not sure, I have a backup.
Here is the "completed" script:
Code:
#!/bin/bash
# Check modifications of files, changed directories and checksums
##########################################################################
# To use, first run 'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'
# and 'cksum /sbin/* > /var/log/sbinCK.txt && cksum /usr/sbin/* > /var/log/usrsbinCK.txt'
##########################################################################
# I suggest you make sure your system is secure *before* you use this script; it is also a good idea
# to keep a copy of the files made above in a safe place such as on a floppy/CD-RW.
# To make it into a 'crond' job and have it run at intervals, 'man crond'.
# I put the script in '/etc/cron.weekly' and it runs on Monday at 4:30 am.
###########################################################################
MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
CKSUM=/usr/bin/cksum
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
CKSUMCACHE=/var/log/sbinCK.txt
CKSUMCACHE1=/var/log/usrsbinCK.txt
DIRTMP=/tmp.txt
DIRTMP1=/tmp1.txt
CKTMP=/tmp2.txt
CKTMP1=/tmp3.txt
WALL=/tmp4.txt
# List everything modified or changed within the last eight days (days 0 to 7).
# find ignores its standard input, so chaining finds with pipes only kept the
# output of the last one; a single find with -mtime -8 / -ctime -8 covers the range.
find / \( -mtime -8 -o -ctime -8 \) > "$MODTIME"
tree "$SBIN" > "$DIRTMP" && tree "$USRSBIN" > "$DIRTMP1"
"$CKSUM" "$SBIN"/* > "$CKTMP" && "$CKSUM" "$USRSBIN"/* > "$CKTMP1"
# cmp exits non-zero when the two files differ. comm only merges two sorted files
# and exits 0 either way, so a test built on 'comm' can never report a changed checksum.
if ! cmp "$CKSUMCACHE" "$CKTMP" > /dev/null; then
    echo "$HOSTNAME: There has been an altered binary: Check '$SBIN'." > "$WALL"
else
    echo "$HOSTNAME: There is no altered binary in '$SBIN'." > "$WALL"
fi
if ! cmp "$CKSUMCACHE1" "$CKTMP1" > /dev/null; then
    echo "$HOSTNAME: There has been an altered binary: Check '$USRSBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There is no altered binary in '$USRSBIN'." >> "$WALL"
fi
if ! cmp "$DIRCACHE" "$DIRTMP" > /dev/null; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in critical system dir '$SBIN'." >> "$WALL"
fi
if ! cmp "$DIRCACHE1" "$DIRTMP1" > /dev/null; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in critical system dir '$USRSBIN'." >> "$WALL"
fi
# Any path under /etc in the recently-modified list means a configuration file changed.
if "$GREP" "^$ETC/" "$MODTIME" > /dev/null 2>&1; then
    echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in the configuration files in '$ETC'." >> "$WALL"
fi
# wall accepts a file argument and broadcasts its contents.
wall "$WALL"
rm -f "$DIRTMP" "$DIRTMP1" "$CKTMP" "$CKTMP1" "$WALL"
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0
I think that covers everything. My security strategy is the unexpected... In the grand scheme of things, who's expecting this?
Tarts.
Last edited by Tarts; 10-08-2003 at 02:30 PM.
10-08-2003, 03:39 PM
#11
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Quote:
Originally posted by Tarts
How about I just have a copy on read-only media; then if ever I'm not sure, I have a backup.
The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
10-08-2003, 06:44 PM
#12
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
\/ \/ \/ \/ \/ \/ \/ \/
Last edited by Tarts; 10-08-2003 at 06:49 PM.
10-08-2003, 06:46 PM
#13
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by stickman
The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
You're right stickman, I'll do that.
[mildly offtopic]
Does anyone know how I can get 'cksum' to print all the directories under '/etc' recursively?
Or any ideas about how to implement this without doing every directory separately...
Thanks, Tarts.
[/mildly offtopic]
10-09-2003, 07:46 AM
#14
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
You could use find:
find /etc -exec cksum {} \;
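As an added example (not code from this thread or any of its posters), here is a small POSIX shell baseline/verify pair that applies the replies' advice together: checksums instead of MAC times (posts #5 and #7), recursion through find rather than one directory at a time (post #14), and a read-only reference copy that the on-disk checksum list is checked against (post #11). The function names, the sha256sum-with-cksum-fallback choice and the temporary paths are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script: build a checksum baseline of whole
# directory trees, verify a fresh run against it, and confirm the on-disk
# baseline still matches the copy kept on read-only media.
# Function names and file layout are placeholders chosen for the example.

# Prefer a cryptographic hash; fall back to the cksum CRC the thread uses
# (cksum will not stop a deliberate collision, sha256sum will).
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo cksum; fi
}

# make_baseline OUTFILE DIR...: checksum every regular file under DIR...,
# in sorted path order so two runs can be compared line for line.
make_baseline() {
    out=$1; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r "$(hash_tool)" > "$out"
}

# verify_baseline BASELINE DIR...: rehash DIR... and diff against BASELINE.
# Prints one line per differing entry; returns 0 if identical, 1 if not.
# A file whose content changed shows up twice: its old line is baseline-only,
# its new line is current-only, regardless of what its timestamps say.
verify_baseline() {
    base=$1; shift
    cur=$(mktemp) || return 2
    make_baseline "$cur" "$@"
    rc=0
    if ! diff "$base" "$cur" >/dev/null; then
        rc=1
        # '<' lines exist only in the baseline (removed or old content),
        # '>' lines only in the fresh run (added or new content).
        diff "$base" "$cur" | sed -n 's/^< /baseline-only: /p; s/^> /current-only: /p'
    fi
    rm -f "$cur"
    return $rc
}

# baseline_intact WORKING REFERENCE: the on-disk baseline must itself match
# the copy on read-only media; otherwise someone who edits both a binary and
# the on-disk checksum list goes unnoticed, which is stickman's point in #11.
baseline_intact() {
    cmp -s "$1" "$2"
}
```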
10-09-2003, 08:17 AM
#15
Member
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344
Original Poster
Quote:
Originally posted by stickman
You could use find:
find /etc -exec cksum {} \;
Great!
I could kiss you stickman! Thanks.