Results 1 to 6 of 6

Thread: MD5 routine to reveal a compromize

  1. #1
    Join Date
    Mar 2007
    Beans
    776

    MD5 routine to reveal a compromize

    Here is an idea I had, but Iím sure someone else has already thought of it before. There probably already is such a script/program, although my limited googling hasnít uncovered it.

    Suppose there was a script that did an md5 recursively on all files in certain directories like /etc /bin /sbin /usr (etc. any directory which limited users donít have access and do not change) and wrote those sums to a file. Then that file could then be stored external to the system or wrote to CD. Of course, every time the system administrator installs or updates programs this script would need to be run. But, if someone suspected a compromise then one could run a second script which re md5s all the files, but instead of writing to the file it compares the results of the files and report back which files donít match. If a compromise was to have happened the system administrator would know what files were modified.

    A particularly skilled script writer could set it up all automated via cron and sshkeys. Cron executes the file write script at midnight the last line of that script writes the md5 file to another storage server using sshkeys. At about 2am that other storage server sends yesterdayís md5 file back to the first server who runs the second comparor script and the last line of that script sendmails the system admin the results including which files got changed.

    What is your opinion of such a technique?
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  2. #2
    Join Date
    Jan 2014
    Location
    Earth, and you?
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: MD5 routine to reveal a compromize

    Sounds like Tripwire

  3. #3
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: MD5 routine to reveal a compromize

    Even better: Samhain for 0) checking integrity actively (in contrast with AIDE or tripwire), 1) checking efficiently using inotify, 2) allowing signed config and databases and 3) adhering to the client - server paradigm (see Yule). http://www.la-samhna.de/samhain/

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: MD5 routine to reveal a compromize

    I just use csf, which has an integrity check builtin. If a file's hash has changed, I get an email about it.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Mar 2007
    Beans
    776

    Re: MD5 routine to reveal a compromize

    csf?
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: MD5 routine to reveal a compromize

    Quote Originally Posted by ant2ne View Post
    csf?
    This thing:
    http://www.configserver.com/cp/csf.html
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •