Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I wrote a small script that run's from 'crond' that find's modified file's in my system every Monday at 4:30 am. I would like to know what the critical system file's are to keep my system running at a very basic level so when my script run's I will be able to learn/check the most important file's. *hoping there aren't too many*
I think you may want to cut down on the apostrophes a little bit
As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
Originally posted by wapcaplet I think you may want to cut down on the apostrophes a little bit
The sad truth is that in my attempt at perfecting my writing style, I've gone completely overboard, making the reader sour and befuddled.
Quote:
As for critical stuff, definitely anything in /sbin or /usr/sbin is important. Configuration stuff is significant also, so anything in /etc and its subdirectories could be considered of critical importance.
I will take note of that, and possibly see if I can make changes to my script to be aware of those directories.
You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
Originally posted by unSpawn You're not doing anything with checksumming. If anyone replaced a file and kept the MAC times intact, you wouldn't notice it.
Any advice on a command of some sort?
Quote:
Another quote from unSpawn
You're also keeping the "databases" on the system while they should be copied/saved to "tamper resistant" read-only media.
You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
Originally posted by stickman You may want to read the man page for touch to see why just checking the timestamps is a problem. Look at md5sum or some other similar tool to get checksums.
Got it, someone could just use 'touch' to make the modification time prior to 5 days ago. I found a command called 'cksum', that should do it.
I'm kinda upset, I don't think I can run this as a 'crond' job if it's on read-only media...
Originally posted by Tarts I'm kinda upset, I don't think I can run this as a 'crond' job if it's on read-only media...
Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
Originally posted by stickman Generate your initial database of checksums and put it on a write-protected floppy or burn it to a CD. Use this static file as input to compare against. Of course, you'll need to recreate the static file as you do upgrades and patches.
How about I just have a copy on read-only media, then if ever I'm not sure, I have a backup.
Here is the "completed" script:
Code:
#!/bin/bash
# Check modifications of files and changed directories and checksums
##########################################################################
# To use, first build the baseline with
#   'tree /sbin > /var/log/sbin.txt && tree /usr/sbin > /var/log/usrsbin.txt'
# and
#   'cksum /sbin/* > /var/log/sbinCK.txt && cksum /usr/sbin/* > /var/log/usrsbinCK.txt'
##########################################################################
# I suggest you make sure your system is secure *before* you use this script; it is also a good idea
# to keep a copy of the files made above in a safe place such as a floppy/CD-RW.
# To make it into a 'crond' job and have it run at intervals, 'man crond'.
# I put the script in '/etc/cron.weekly' and it runs on Monday at 4:30 am.
###########################################################################
MODTIME=/var/log/modfile.txt
SBIN=/sbin
USRSBIN=/usr/sbin
ETC=/etc
CKSUM=/usr/bin/cksum
GREP=/bin/grep
DIRCACHE=/var/log/sbin.txt
DIRCACHE1=/var/log/usrsbin.txt
CKSUMCACHE=/var/log/sbinCK.txt
CKSUMCACHE1=/var/log/usrsbinCK.txt
# Scratch files go in a private directory from mktemp instead of fixed names
# like /tmp.txt, so nothing else can pre-create or symlink them.
WORK=$(mktemp -d) || exit 1
DIRTMP=$WORK/sbin.txt
DIRTMP1=$WORK/usrsbin.txt
CKTMP=$WORK/sbinCK.txt
CKTMP1=$WORK/usrsbinCK.txt
WALL=$WORK/wall.txt
# find ignores standard input, so piping one find into another throws away
# every listing but the last. One find with '-mtime -7' (modified within the
# last 7 days) or '-ctime -7' (inode changed within 7 days) covers the range.
find / \( -mtime -7 -o -ctime -7 \) 2>/dev/null > "$MODTIME"
tree "$SBIN" > "$DIRTMP" && tree "$USRSBIN" > "$DIRTMP1"
$CKSUM "$SBIN"/* > "$CKTMP" && $CKSUM "$USRSBIN"/* > "$CKTMP1"
# comm exits 0 whether or not its inputs differ, so the checksum tests never
# fired; cmp -s exits non-zero as soon as the two files differ.
if ! cmp -s "$CKSUMCACHE" "$CKTMP"; then
    echo "$HOSTNAME: There has been an altered binary: Check '$SBIN'." > "$WALL"
else
    echo "$HOSTNAME: There is no altered binary in '$SBIN'." > "$WALL"
fi
if ! cmp -s "$CKSUMCACHE1" "$CKTMP1"; then
    echo "$HOSTNAME: There has been an altered binary: Check '$USRSBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There is no altered binary in '$USRSBIN'." >> "$WALL"
fi
if ! cmp -s "$DIRCACHE" "$DIRTMP"; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$SBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in critical system dir '$SBIN'." >> "$WALL"
fi
if ! cmp -s "$DIRCACHE1" "$DIRTMP1"; then
    echo "$HOSTNAME: There has been a modification in a critical system dir: Check '$USRSBIN'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in critical system dir '$USRSBIN'." >> "$WALL"
fi
# Anchor the pattern so only paths under /etc match, not e.g. /usr/local/etc.
if $GREP -q "^$ETC/" "$MODTIME"; then
    echo "$HOSTNAME: There has been a modification in a configuration file: Check '$ETC'." >> "$WALL"
else
    echo "$HOSTNAME: There has been no change in the configuration files in '$ETC'." >> "$WALL"
fi
wall "$WALL"
rm -rf "$WORK"
echo "$HOSTNAME: Check '$MODTIME'." | wall
exit 0
I think that covers everything. My security strategy is the unexpected... In the grand scheme of things, who's expecting this?
Originally posted by Tarts How about i just have a copy on a read only media, then if ever i'm not sure, i have a backup.
The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
Originally posted by stickman The only problem with that is then someone could modify the files, then modify your checksum file to match, and you would never know unless you compared it to the read-only copy.
You're right, stickman. I'll do that.
[mildly offtopic]
Does anyone know how I can get 'cksum' to print all the directories under '/etc' recursively?
Or any ideas about how to implement this without doing every directory separately...
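One way to checksum a whole tree such as /etc recursively and to compare it against a baseline kept on read-only media, as stickman describes above. This is an added example, not the script from this thread; it uses sha256sum instead of cksum, and the sample tree it builds under a temporary directory is constructed, not a real /etc.

```shell
# Added example (not the thread's script): checksum a whole tree recursively and
# report what changed. sha256sum replaces cksum, a 32-bit CRC that a doctored file can be padded to match.
# build_baseline DIR OUTFILE: hash every regular file below DIR.
build_baseline() {
    local dir=$1 out=$2
    # -print0/-0 keep odd names intact, sort -z makes the list reproducible, and
    # xargs -r skips sha256sum (which would otherwise read stdin) when DIR is empty.
    find "$dir" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$out"
}
# compare_baseline BASELINE CURRENT: print ADDED/MODIFIED/REMOVED lines; exit 0
# when the listings agree, 1 when they differ.
compare_baseline() {
    local base=$1 cur=$2 report
    # sha256sum lines are "<64 hex>  <path>": taking the path with substr() from
    # column 67 keeps names that contain spaces whole.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in base))       print "ADDED " p
            else if (base[p] != $1) print "MODIFIED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
# run_demo: constructed stand-in for /etc (not a real system directory); the baseline
# is what would go to read-only media, the later edits simulate tampering.
run_demo() {
    local work rc=0
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        mkdir -p etc/cron.d
        printf 'root:x:0:0:root:/root:/bin/bash\n' > etc/passwd
        printf '*/5 * * * * root /usr/bin/true\n' > etc/cron.d/job
        printf 'PermitRootLogin no\n' > etc/sshd_config
        build_baseline etc baseline.txt
        printf 'PermitRootLogin yes\n' > etc/sshd_config   # edited in place
        printf '# new entry\n' > etc/cron.d/backdoor         # added
        rm etc/cron.d/job                                    # removed
        touch -t 200101010000 etc/passwd                     # timestamp only, not reported
        build_baseline etc current.txt
        compare_baseline baseline.txt current.txt
    ) || rc=$?
    rm -rf "$work"
    return $rc
}
```

Running run_demo prints three lines (ADDED etc/cron.d/backdoor, MODIFIED etc/sshd_config, REMOVED etc/cron.d/job) and exits 1; the touched-only passwd file is correctly absent because its content hash did not change.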