Wednesday, August 19, 2009

File integrity

What happens if someone hack into our system and modify the binaries. At first they look the same and behave normally but underneath they can do some bad things. The simple way to control things is to create md5 hashes of every binary after system installation and keep it safe somewhere on CD or other external drive. Let's do checksums file (as root):

# find / -type f -perm /111 -print | xargs md5sum > checksums

We find all executable files and then create md5 hashes for them in the checksums file. Now if we're suspect any problems we can always compare the hashes in the system with the hashes in the checksums file, manually:

# md5sum /bin/ls
a7d0f168866236756bafed5357e7e039 /bin/ls
# grep /bin/ls checksums
a7d0f168866236756bafed5357e7e039 /bin/ls

or with this script:

if [ "$(grep "${1}" checksums| cut -f1 -d' ')" == "$(md5sum "${1}" | cut -f1 -d ' ')" ]; then echo "OK
"; else echo "FAILED"; fi

Run this way:

$ ./ /bin/ls

No comments:

Post a Comment