Sponsored by BindView

MD5 Scripting Tools

Simple Nomad
24Jan2000


If you have an MD5 checksumming utility on your system, you can use these scripts as a "poor man's Tripwire": a few quick checks that record what your system looks like and tell you when monitored files change. The files included are:

health - Does a generic snapshot of system
baseliner - Builds baseline for check_sys
check_sys - Checks for file modification
localapps - Local apps and files specific to this system
README - This file
mail_to - Email address to send reports to
To install:

0. Make sure you have an MD5 file checksum utility (such as md5) compiled and installed
   on your computer first.
1. Type in "cd /usr/local"
2. Type in "tar zxvf md5-tool.tgz"
3. Type in "cd md5-tool"
4. Edit the mail_to file with the address of the recipient of the reports.
5. Edit the localapps file to contain the full path to additional apps and files you wish to have monitored for modification.
6. Edit health, check_sys, and baseliner so that the correct paths are set up, such as the path to the md5 binary and to the md5-tool directory.
7. Type in "/usr/local/md5-tool/baseliner" to build the new baseline.
8. Add the following two lines to root's crontab (adjust the paths if you unpacked the tarball somewhere other than /usr/local/md5-tool):

	58 23 * * * /usr/local/md5-tool/health > /dev/null 2>&1
	0 1 * * * /usr/local/md5-tool/check_sys > /dev/null 2>&1
What this does is build a baseline and email the MD5 hashes of the baseline files to you each time a new baseline is built, so that you hold a copy of those hashes off the machine. Two baseline files are created: md5-baseline, which holds the MD5 hash of every file named in the localapps file, and suid-baseline, which holds a list of all suid-root files on the system.

The "health" script runs just before midnight, creates a generic snapshot of the system and emails it to you. You can simply archive those emails if you wish, although they should give you an idea of what is going on. The "check_sys" script runs at 1:00am and checks the files listed in the localapps file against md5-baseline for modification. If a modification is found, an email alert is sent. By looking back through the daily health reports leading up to an alert, you may be able to determine what happened and when.
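The following is an added example, not code from the md5-tool package: a minimal baseliner / check_sys pair written in POSIX sh that does what the paragraph above describes (hash the files named in a localapps-style list, record setuid-root files, and report anything that changed). It assumes GNU md5sum(1), since it relies on "md5sum -c --quiet"; set MD5 to another tool that reads and writes the same "hash  path" format if your system uses one. The demo at the bottom builds a throwaway sandbox instead of hashing real system files.

```shell
#!/bin/sh
# Added example, not part of the md5-tool package. Assumes GNU md5sum(1)
# for "-c --quiet"; override with MD5=/path/to/tool if needed.
MD5="${MD5:-md5sum}"

# build_baseline LISTFILE OUT
# Hash every path listed in LISTFILE (one per line, blank and '#' lines are
# ignored) and write "hash  path" lines to OUT, the format md5sum -c reads.
build_baseline() {
    listfile=$1; out=$2
    : > "$out"
    while IFS= read -r path; do
        case "$path" in ''|\#*) continue ;; esac
        if [ -f "$path" ]; then
            "$MD5" "$path" >> "$out"
        else
            echo "baseliner: skipping missing file: $path" >&2
        fi
    done < "$listfile"
}

# check_baseline BASELINE
# Re-hash every file recorded in BASELINE. Prints one line per file that
# changed or can no longer be read; returns 0 if all matched, 1 otherwise.
check_baseline() {
    # With --quiet, md5sum -c prints only "path: FAILED" or
    # "path: FAILED open or read" lines; the summary goes to stderr.
    changed=$("$MD5" -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# list_suid_root ROOT
# Sorted list of setuid files owned by root below ROOT (the real suid-baseline
# scans /; -xdev keeps find on one filesystem so NFS mounts do not slow it).
list_suid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

# nightly_report BASELINE SUID_BASELINE ROOT
# The check_sys step: prints a report and returns 1 if anything differs.
# Pipe the output to mail(1) with the address from the mail_to file.
nightly_report() {
    status=0
    echo "== md5 of baseline files (compare with the copy mailed at baseline time) =="
    "$MD5" "$1" "$2"
    echo "== modified or missing files =="
    check_baseline "$1" || status=1
    echo "== setuid-root changes (< gone since baseline, > new) =="
    list_suid_root "$3" | diff "$2" - || status=1
    return $status
}

# Constructed demo: "sh md5tool.sh demo" builds a sandbox, takes a baseline,
# tampers with a monitored file and shows the resulting report.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    echo "root:x:0:0:root:/root:/bin/sh" > "$tmp/passwd"
    printf '%s\n' "$tmp/passwd" > "$tmp/localapps"
    build_baseline "$tmp/localapps" "$tmp/md5-baseline"
    list_suid_root "$tmp" > "$tmp/suid-baseline"
    echo "evil::0:0::/:/bin/sh" >> "$tmp/passwd"     # simulate tampering
    nightly_report "$tmp/md5-baseline" "$tmp/suid-baseline" "$tmp" \
        || echo "ALERT: changes detected"
    rm -rf "$tmp"
fi
```

In cron you would run the equivalent of `nightly_report ... | mail -s "check_sys report" "$(cat mail_to)"`, and the "md5 of baseline files" section is what lets you spot a baseline that was quietly rewritten after the fact.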

Is this fool-proof? Of course not. An intruder who gains root can edit md5-baseline and suid-baseline just as easily as the files they describe, so the paranoid admin will want to re-run the baseliner script at unpredictable times and compare the md5 hashes of the baseline files against the hashes that were emailed when the previous baseline was built; a baseline that changed when you did not rebuild it is itself an alert. Note also that MD5 is no longer considered collision-resistant; the same approach works unchanged with a SHA-256 checksum utility such as sha256sum. While not perfect, it still has the potential to provide some protection from unwanted file modifications.



