rootninja

Setup a simple tripwire on files and directories where you know things should not change, and when things go a-muck, have confidence in knowing exactly which files have been compromised. By tripwire, I mean http://dictionary.reference.com/browse/tripwire“>the first definition of the word, not a very specific software product. (I like the 3rd definition the best, but how you use that information is up to you)

I know there are many tools out there that perform this task with all kinds of fancy pants features, but I like this because it’s completely unobtrusive and good for a quick spot check. I think it’s good to know how to do simple stuff like this without having to rely on complicated code.

Here is a directory where I checked out some code, and I don’t want this to get updated or changed in any way at all. I like it exactly like it is, and if someone messed with it, i’d like to know what’s changed. For this example, I use a fsvs repository so I can see the history and roll back to exactly the right version, but lets just say you want a one shot deal for a bunch of files… here goes.

root@srv /var/www/LdapAuth# ls -l

total 72
-rw-r--r-- 1 root root 58160 2009-03-12 05:39 LdapAuthentication.php
-rw-r--r-- 1 root root  3825 2009-03-12 05:39 LdapAutoAuthentication.php
-rw-r--r-- 1 root root   256 2009-03-12 05:39 README

root@srv /var/www/LdapAuth# time find ./ -type f -print0 | xargs -0 md5sum > /root/ldapauth.md5

real    0m0.125s
user    0m0.094s
sys     0m0.030s

root@srv /var/www/LdapAuth# cat /root/ldapauth_checksums.md5

3996520b75541271e9c3d2234621cc87  ./LdapAuthentication.php
74b2a36abdd50ca2e446048949e3d9f1  ./.svn/text-base/README.svn-base
2105f8aee5f4345855b8894cee3f8435  ./.svn/text-base/LdapAutoAuthentication.php.svn-base
3996520b75541271e9c3d2234621cc87  ./.svn/text-base/LdapAuthentication.php.svn-base
7c5aba41f53293b712fd86d08ed5b36e  ./.svn/format
5f84cf8d8de2abf52787d5ff0b40c754  ./.svn/all-wcprops
25e6c2f7558b7484000d4d090dea5b92  ./.svn/prop-base/README.svn-base
25e6c2f7558b7484000d4d090dea5b92  ./.svn/prop-base/LdapAutoAuthentication.php.svn-base
25e6c2f7558b7484000d4d090dea5b92  ./.svn/prop-base/LdapAuthentication.php.svn-base
dfee5e1040cbe6426f37a007a2a42f43  ./.svn/entries
2105f8aee5f4345855b8894cee3f8435  ./LdapAutoAuthentication.php
74b2a36abdd50ca2e446048949e3d9f1  ./README

Now I would move the md5 checksum files to some external storage or a remote machine. They’re just ascii so they shouldn’t take up much space at all and they will compress really well. (10:1?) If something comes up in the future and I think this has changed in any way, I can run another batch of md5sums and meld the results. (yum info meld, good utility)

You could probably do md5sums starting at / on a whole gang of machines and still fit all the files on one of those tiny flash drives you have laying around collecting dust.