LinuxQuestions.org
Old 10-04-2003, 12:53 PM   #1
Tarts
Distribution: Slackware 9.1 (exclusively) ;)
Critical system file's.


Hello!

I wrote a small script that run's from 'crond' that find's modified file's in my system every monday at 4:30 am. I would like to know what the critical system file's are to keep my system running at a very basic level so when my script run's i will be able to learn/check the most important file's. *hoping there arn't too many*

Thank you, Tarts.

 
Old 10-04-2003, 02:06 PM   #2
wapcaplet
I think you may want to cut down on the apostrophes a little bit

As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
 
Old 10-04-2003, 02:33 PM   #3
Tarts (Original Poster)
Quote:
Originally posted by wapcaplet
I think you may want to cut down on the apostrophes a little bit
The sad truth is that in my attempt at perfecting my writing style, I've gone completely overboard, making the reader sour and befuddled.

Quote:
As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
I will take note of that, possibly see if I can make changes to my script to be aware of those directories.

Thanks, Tarts.
 
Old 10-04-2003, 04:07 PM   #4
Tarts (Original Poster)
Here is my script:

Code:
#!/bin/bash
# Check modification of files
# To use, first run 'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'

MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
TMP=/tmp.txt
TMP1=/tmp1.txt

# List every file modified (mtime) or whose inode changed (ctime) within the
# last six days (days 0 to 5). find ignores its standard input, so piping one
# find into the next only kept the output of the last one; a single find with a
# negated day count and a grouped -o expression covers the whole range.
find / \( -mtime -6 -o -ctime -6 \) > "$MODTIME"
tree "$SBIN" > "$TMP" && tree "$USRSBIN" > "$TMP1"
if ! cmp "$DIRCACHE" "$TMP" > /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." | wall
fi
if ! cmp "$DIRCACHE1" "$TMP1" > /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." | wall
fi
# Any path under /etc in the list means a configuration file changed.
if $GREP "^$ETC/" "$MODTIME" > /dev/null 2>&1; then
  echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." | wall
fi
rm "$TMP" "$TMP1"
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0
Kind of the same as Tripwire; I was trying to write something to do the same.
Thanks.

 
Old 10-07-2003, 07:10 AM   #5
unSpawn (Moderator)
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
 
Old 10-07-2003, 12:58 PM   #6
Tarts (Original Poster)
Quote:
Originally posted by unSpawn
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
Any advice on a command of some sort?

Quote:
Another quote from unSpawn
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
Good idea, will implement!

 
Old 10-07-2003, 01:11 PM   #7
stickman
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
 
Old 10-07-2003, 01:21 PM   #8
Tarts (Original Poster)
Quote:
Originally posted by stickman
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
Got it, someone could just use 'touch' to make the modification time prior to 5 days. I found a command called 'cksum', that should do it.

I'm kind of upset; I don't think I can run this as a 'crond' job if it's on read-only media...

Thanks for the advice everyone.
 
Old 10-08-2003, 10:29 AM   #9
stickman
Quote:
Originally posted by Tarts
I'm kinda upset i don't think i can run this as a 'crond' job if it's on read-only media...
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
 
Old 10-08-2003, 03:04 PM   #10
Tarts (Original Poster)
Quote:
Originally posted by stickman
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
How about I just have a copy on read-only media; then if ever I'm not sure, I have a backup.

Here is the "completed" script:

Code:
#!/bin/bash
# Check modifications of files, changed directories and checksums
##########################################################################
# To use, first run 'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'
# and 'cksum /sbin/* > /var/log/sbinCK.txt && cksum /usr/sbin/* > /var/log/usrsbinCK.txt'
##########################################################################
# I suggest you make sure your system is secure *before* you use this script. It is also a good idea
# to keep a copy of the files made above in a safe place such as on a floppy/cdrw.
# To make it into a 'crond' job and have it run at intervals, 'man crond'.
# I put the script in '/etc/cron.weekly' and it runs on Monday at 4:30 am.
###########################################################################

MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
CKSUM=/usr/bin/cksum
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
CKSUMCACHE=/var/log/sbinCK.txt
CKSUMCACHE1=/var/log/usrsbinCK.txt
DIRTMP=/tmp.txt
DIRTMP1=/tmp1.txt
CKTMP=/tmp2.txt
CKTMP1=/tmp3.txt
WALL=/tmp4.txt

# Files modified (mtime) or with a changed inode (ctime) within the last eight
# days (days 0 to 7). find ignores its standard input, so piping one find into
# the next only kept the last one's output; a single find with a negated day
# count and a grouped -o expression covers the whole range.
find / \( -mtime -8 -o -ctime -8 \) > "$MODTIME"
tree "$SBIN" > "$DIRTMP" && tree "$USRSBIN" > "$DIRTMP1"
$CKSUM "$SBIN"/* > "$CKTMP" && $CKSUM "$USRSBIN"/* > "$CKTMP1"
# cmp, not comm: comm merges two sorted files and exits 0 whether or not they
# differ, so the checksum tests below would never report anything with it.
if ! cmp "$CKSUMCACHE" "$CKTMP" > /dev/null; then
  echo "$HOSTNAME: There has been an altered binary: Check '$SBIN'." > "$WALL"
else
  echo "$HOSTNAME: There is no altered binary in '$SBIN'." > "$WALL"
fi
if ! cmp "$CKSUMCACHE1" "$CKTMP1" > /dev/null; then
  echo "$HOSTNAME: There has been an altered binary: Check '$USRSBIN'." >> "$WALL"
else
  echo "$HOSTNAME: There is no altered binary in '$USRSBIN'." >> "$WALL"
fi
if ! cmp "$DIRCACHE" "$DIRTMP" > /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." >> "$WALL"
else
  echo "$HOSTNAME: There has been no change in critical system dir '$SBIN'." >> "$WALL"
fi
if ! cmp "$DIRCACHE1" "$DIRTMP1" > /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." >> "$WALL"
else
  echo "$HOSTNAME: There has been no change in critical system dir '$USRSBIN'." >> "$WALL"
fi
# Any path under /etc in the list means a configuration file changed.
if $GREP "^$ETC/" "$MODTIME" > /dev/null; then
  echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." >> "$WALL"
else
  echo "$HOSTNAME: There has been no change in the configuration files in '$ETC'." >> "$WALL"
fi
wall "$WALL"
rm "$DIRTMP" "$DIRTMP1" "$CKTMP" "$CKTMP1" "$WALL"
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0
I think that covers everything. My security strategy is the unexpected... In the grand scheme of things, who's expecting this?

Tarts.

 
Old 10-08-2003, 04:39 PM   #11
stickman
Quote:
Originally posted by Tarts
How about i just have a copy on a read only media, then if ever i'm not sure, i have a backup.
The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
 
Old 10-08-2003, 07:46 PM   #13
Tarts (Original Poster)
Quote:
Originally posted by stickman
The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
You're right, stickman, I'll do that.

[mildly offtopic]
Does anyone know how I can get 'cksum' to print all the directories under '/etc' recursively?
Or any ideas about how to implement this without doing every directory separately...

Thanks, Tarts.
[/mildly offtopic]
 
Old 10-09-2003, 08:46 AM   #14
stickman
You could use find:
find /etc -exec cksum {} \;
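Putting stickman's two points together (#11: the on-disk checksum file has to be compared with the read-only copy before it is trusted; #14: recurse with find and cksum), here is an added example in bash, not a script from Tarts or anyone in this thread. The function names (make_baseline, check_db_integrity, verify_baseline, demo), the sample tree and its contents are constructed for the demonstration; the real targets would be /etc, /sbin and /usr/sbin as discussed above.

```bash
#!/bin/bash
# Added example, not Tarts' script: a recursive cksum baseline for a directory
# tree, an integrity check of the baseline itself, and a verification step.
# Function names, the demo tree and its file contents are constructed here.
set -u

# Record a "CRC size path" line for every regular file under $1, sorted by
# path, into the database file $2. This is stickman's
# 'find /etc -exec cksum {} \;' with the output sorted and saved.
make_baseline() {
    find "$1" -type f -exec cksum {} \; | LC_ALL=C sort -k3 > "$2"
}

# Confirm the working copy of the database ($2) still matches the copy kept on
# read-only media ($1); a database that can be rewritten along with the files
# it covers proves nothing. Returns 0 if identical, 1 otherwise.
check_db_integrity() {
    cmp -s "$1" "$2"
}

# Re-checksum the tree under $2 and compare it with the database $1. Prints
# the path of every file that was modified, added or removed, one per line,
# and returns 1 if anything differs, 0 if the tree is unchanged.
verify_baseline() {
    local db=$1 dir=$2 cur changed
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    # Lines present on one side only: current-but-not-baseline means modified
    # or new, baseline-but-not-current means modified or deleted.
    changed=$( { grep -vxFf "$db" "$cur"; grep -vxFf "$cur" "$db"; } \
               | cut -d' ' -f3- | LC_ALL=C sort -u )
    rm -f "$cur"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Demonstration on a constructed tree: the content of one file is changed and
# its mtime is then put back with 'touch -r', the evasion the thread describes.
# A timestamp check misses it; the checksum comparison does not.
demo() {
    local root db rc=0
    root=$(mktemp -d) || return 2
    db=$(mktemp) || return 2
    mkdir -p "$root/etc/rc.d"
    printf 'PATH=/sbin:/bin\n' > "$root/etc/profile"
    printf '#!/bin/sh\n' > "$root/etc/rc.d/rc.local"
    make_baseline "$root" "$db"

    touch -r "$root/etc/profile" "$root/stamp"          # remember old timestamps
    printf 'PATH=/tmp:/sbin:/bin\n' >> "$root/etc/profile"
    touch -r "$root/stamp" "$root/etc/profile"          # restore the mtime
    rm "$root/stamp"

    # mtime-based check: nothing is newer than the database file, so no report.
    if [ -z "$(find "$root" -type f -newer "$db")" ]; then
        echo "timestamp check: no modified files found"
    fi
    # checksum check: reports $root/etc/profile and returns 1.
    verify_baseline "$db" "$root" || rc=$?
    rm -rf "$root" "$db"
    return "$rc"
}

# Run the demonstration when the script is executed directly.
demo && echo "tree unchanged" || echo "changes detected (expected in this demo)"
```

touch -r restores atime and mtime but cannot set ctime, which is why the -ctime test in the scripts above still sees something happened; it cannot say what, whereas the checksum comparison depends on neither timestamp. In practice the order is: check_db_integrity against the read-only copy first, verify_baseline only if that passes, and regenerate the baseline after every upgrade or patch, as stickman says in #9.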
 
Old 10-09-2003, 09:17 AM   #15
Tarts (Original Poster)
Quote:
Originally posted by stickman
You could use find:
find /etc -exec cksum {} \;
Great!

I could kiss you, stickman! Thanks.
 
  

