LinuxQuestions.org > Linux - Security > Critical system file's. (http://www.linuxquestions.org/questions/linux-security-4/critical-system-files-100167/)

Tarts 10-04-2003 11:53 AM

Critical system file's.
 
Hello!

I wrote a small script that run's from 'crond' that find's modified file's in my system every Monday at 4:30 am. I would like to know what the critical system file's are to keep my system running at a very basic level so when my script run's I will be able to learn/check the most important file's. *hoping there aren't too many*

Thank you, Tarts.

wapcaplet 10-04-2003 01:06 PM

I think you may want to cut down on the apostrophes a little bit :)

As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.

Tarts 10-04-2003 01:33 PM

Quote:

Originally posted by wapcaplet
I think you may want to cut down on the apostrophes a little bit :)
The sad truth is that in my attempt at perfecting my writing style, I've gone completely overboard, making the reader sour and befuddled. :D

Quote:

As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
I will take note of that, possibly see if I can make changes to my script to be aware of those directories.

Thanks, Tarts.

Tarts 10-04-2003 03:07 PM

Here is my script:

Code:

#!/bin/bash
#Check modification of files
#~To use, run 'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'

MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
TMP=/tmp.txt
TMP1=/tmp1.txt

# Everything modified (mtime) or changed (ctime) within the last six days (days 0-5).
# find ignores its stdin, so chaining several finds through pipes keeps only the last one.
find / \( -mtime -6 -o -ctime -6 \) > $MODTIME
# Fresh directory listings to compare with the saved ones
tree $SBIN > $TMP && tree $USRSBIN > $TMP1
if ! cmp "$DIRCACHE" "$TMP" 1> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." | wall
fi
if ! cmp "$DIRCACHE1" "$TMP1" 1> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." | wall
fi
# Any path under /etc in the recently-changed list counts as a configuration change
if $GREP "$ETC" $MODTIME &> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." | wall
fi
rm $TMP $TMP1
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0

Kinda the same as tripwire; I was trying to write something to do the same.
Thanks.

unSpawn 10-07-2003 06:10 AM

You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.

Tarts 10-07-2003 11:58 AM

Quote:

Originally posted by unSpawn
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
Any advice on a command of some sort?

Quote:

Another quote from unSpawn
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.

Good idea, will implement! :)

stickman 10-07-2003 12:11 PM

You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.

Tarts 10-07-2003 12:21 PM

Quote:

Originally posted by stickman
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
Got it, someone could just use 'touch' to make the modification time prior to 5 days. I found a command called 'cksum'; that should do it.

I'm kinda upset; I don't think I can run this as a 'crond' job if it's on read-only media...

Thanks for the advice everyone.

stickman 10-08-2003 09:29 AM

Quote:

Originally posted by Tarts
I'm kinda upset; I don't think I can run this as a 'crond' job if it's on read-only media...
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.

Tarts 10-08-2003 02:04 PM

Quote:

Originally posted by stickman
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
How about I just have a copy on read-only media; then if ever I'm not sure, I have a backup. :)

Here is the "completed" script:

Code:

#!/bin/bash
#Check modifications of files and changed directories and checksums
##########################################################################
#to use, run~~~~'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'
#and~~~~~~~~~~~ 'cksum /sbin/* > /var/log/sbinCK.txt && cksum /usr/sbin/* > /var/log/usrsbinCK.txt'
##########################################################################
#I suggest you make sure your system is secure *before* you use this script; it is also a good idea
#to keep a copy of the files made above in a safe place such as on a floppy/cdrw.
#To make it into a 'crond' job and have it run in intervals, 'man crond'.
#I put the script in '/etc/cron.weekly' and it runs on Monday at 4:30 am.
###########################################################################

MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
CKSUM=/usr/bin/cksum
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
CKSUMCACHE=/var/log/sbinCK.txt
CKSUMCACHE1=/var/log/usrsbinCK.txt
DIRTMP=/tmp.txt
DIRTMP1=/tmp1.txt
CKTMP=/tmp2.txt
CKTMP1=/tmp3.txt
WALL=/tmp4.txt

# Everything modified (mtime) or changed (ctime) within the last eight days (days 0-7).
# find ignores its stdin, so chaining several finds through pipes keeps only the last one.
find / \( -mtime -8 -o -ctime -8 \) > $MODTIME
# Fresh directory listings and checksum lists to compare with the saved ones
tree $SBIN > $DIRTMP && tree $USRSBIN > $DIRTMP1
$CKSUM $SBIN/* > $CKTMP && $CKSUM $USRSBIN/* > $CKTMP1
# cmp exits non-zero when the two checksum lists differ (comm would exit 0 either way)
if ! cmp "$CKSUMCACHE" "$CKTMP" 1> /dev/null; then
  echo "$HOSTNAME: There has been an altered binary: Check '$SBIN'." > $WALL
else
  echo "$HOSTNAME: There is no altered binary in '$SBIN'." > $WALL
fi
if ! cmp "$CKSUMCACHE1" "$CKTMP1" 1> /dev/null; then
  echo "$HOSTNAME: There has been an altered binary: Check '$USRSBIN'." >> $WALL
else
  echo "$HOSTNAME: There is no altered binary in '$USRSBIN'." >> $WALL
fi
if ! cmp "$DIRCACHE" "$DIRTMP" 1> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." >> $WALL
else
  echo "$HOSTNAME: There has been no change in critical system dir '$SBIN'." >> $WALL
fi
if ! cmp "$DIRCACHE1" "$DIRTMP1" 1> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." >> $WALL
else
  echo "$HOSTNAME: There has been no change in critical system dir '$USRSBIN'." >> $WALL
fi
# Any path under /etc in the recently-changed list counts as a configuration change
if $GREP "$ETC" $MODTIME 1> /dev/null; then
  echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." >> $WALL
else
  echo "$HOSTNAME: There has been no change in the configuration files in '$ETC'." >> $WALL
fi
wall $WALL
rm $DIRTMP $DIRTMP1 $CKTMP $CKTMP1 $WALL
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0

I think that covers everything. My security strategy is the unexpected... In the grand scheme of things, who's expecting this?

Tarts.

stickman 10-08-2003 03:39 PM

Quote:

Originally posted by Tarts
How about I just have a copy on read-only media; then if ever I'm not sure, I have a backup. :)

The only problem with that is then someone could modify the files, then modify your checksum file to match and you would never know unless you compared it to the read-only copy.

Tarts 10-08-2003 06:44 PM

\/ \/ \/ \/ \/ \/ \/ \/

Tarts 10-08-2003 06:46 PM

Quote:

Originally posted by stickman
The only problem with that is then someone could modify the files, then modify your checksum file to match and you would never know unless you compared it to the read-only copy.
You're right, stickman. I'll do that.

[mildly offtopic]
Does anyone know how I can get 'cksum' to print all the directories under '/etc' recursively?
Or any ideas about how to implement this without doing every directory separately...

Thanks, Tarts.
[/mildly offtopic]

stickman 10-09-2003 07:46 AM

You could use find:
find /etc -exec cksum {} \;
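
A tripwire-style baseline/verify pair covering both of stickman's suggestions (a static checksum database compared against the live tree, and hashing a directory recursively), as an added example that is not any poster's script. It assumes GNU coreutils (find -print0, sort -z, xargs -0, sha256sum, mktemp) and uses SHA-256 instead of cksum, since a CRC-32 can be made to match after a file is altered; where the baseline file lives (read-only media, per unSpawn) is left to the caller.

```shell
#!/bin/bash
# Added example, not any poster's script: a tripwire-style baseline/verify pair.
# SHA-256 is used instead of cksum because a CRC-32 can be made to match after a
# file is altered; SHA-256 cannot in practice. Assumes GNU coreutils.
set -u

# build_baseline DIR OUTFILE: record "hash  path" for every regular file under DIR,
# recursively, in a stable (sorted) order.
build_baseline() {
    local dir=$1 out=$2
    # -print0/-z/-0 keep unusual filenames from splitting the list; -r skips
    # running sha256sum on stdin when the tree holds no files at all
    find "$dir" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$out"
}

# verify_baseline DIR BASELINE: hash the live tree and compare it with BASELINE
# (ideally read from read-only media). Prints one "CHANGED|ADDED|REMOVED path"
# line per difference; returns 0 when nothing differs, 1 when something does.
verify_baseline() {
    local dir=$1 base=$2 cur diffs
    cur=$(mktemp) || return 2
    build_baseline "$dir" "$cur"
    # sha256sum separates hash and path with two spaces, so split on that;
    # awk reads the baseline first (NR==FNR) and then the fresh listing
    diffs=$(awk -F'  ' '
        NR == FNR { want[$2] = $1; next }
        {
            if (!($2 in want))        print "ADDED " $2
            else if (want[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in want) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

A content change whose mtime has been put back with touch still shows up as CHANGED, which is exactly the gap in the timestamp-only script above.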

Tarts 10-09-2003 08:17 AM

Quote:

Originally posted by stickman
You could use find:
find /etc -exec cksum {} \;

Great!

I could kiss you stickman! Thanks. :)
