
Using MD5deep To Verify Tree Integrity

We talked a little about MD5deep in an earlier article. One nice thing about MD5deep is that it can recurse, which lets you create a set of MD5 sums for an entire directory tree. /etc is a good one to use as an example. Let's create the set of MD5 sums:

root@srv-1 etc # md5deep -r * > etchashes
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # head etchashes
c02e852ee9abd1a44a09f08a1f4b4ba8  /etc/CORBA/servers/gnomecc.gnorba
6ad4de64bfecc2fd4aba1653d6f6b191  /etc/CORBA/servers/panel.gnorba
fb25aaa5c183eb5908a5251917410299  /etc/CORBA/servers/gnomexmms.gnorba
86080911bc4514d5788ad5a8a47d19e3  /etc/DIR_COLORS
a0ce0f1c8a5771a1194f5895211a3f66  /etc/X11/Sessions/Xsession
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.4
394b2e1b38f7de34837ef36c869706f6  /etc/X11/Sessions/blackbox
b10dbd1b6388f5fdf9feee0e56525ea5  /etc/X11/Sessions/Gnome
8d4f58fc5ac42867d7cfb4e82f8ff555  /etc/X11/Sessions/icewm
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.5a

Let's verify with the -x option, which lists only the files whose hashes are not in the saved list:

root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link

Well, /etc/etchashes shows up as different, but that makes sense: it is the list itself, so its own hash cannot be in it. Let's test this by editing a file, running the check, changing the file back, and running the check again:

root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
/etc/X11/Sessions/icewm
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc #

Nice! When we change icewm it shows up in the scan. When we change it back, it is no longer listed. Make sure you save the list of MD5 checksums on a floppy or somewhere else an intruder cannot reach, since a list the intruder can rewrite proves nothing.
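The same workflow, re-implemented in Python as an added example (it is not code from the article or from the md5deep project): it writes a baseline in md5deep's "hash, two spaces, path" format, skips symlinks as md5deep does, applies the hash-only matching that -x performs, and goes one step beyond the article by also listing baseline paths that no longer exist, which -x cannot report because it matches on hashes rather than names. The directory tree, file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def md5_file(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()  # /etc files are small; read whole

def hash_tree(root):  # like `md5deep -r`: regular files only; symlinks skipped, never followed
    paths = (os.path.join(d, n) for d, _, files in os.walk(root) for n in files)
    return [(md5_file(p), p) for p in paths if not os.path.islink(p)]  # "Is a symbolic link"

def write_baseline(entries, baseline):
    with open(baseline, "w") as f:
        for digest, path in entries:
            f.write(f"{digest}  {path}\n")  # md5deep's output format: hash, two spaces, path

def load_baseline(baseline):
    with open(baseline) as f:
        pairs = (line.rstrip("\n").split("  ", 1) for line in f if line.strip())
        return {path: digest for digest, path in pairs}

def negative_match(entries, known):  # `md5deep -x`: files whose hash is not in the known set
    hashes = set(known.values())  # -x matches on hashes only, never on file names
    return sorted(path for digest, path in entries if digest not in hashes)

def missing_paths(entries, known):  # baseline paths gone from disk; -x cannot surface these
    on_disk = {path for _, path in entries}
    return sorted(path for path in known if path not in on_disk)

def demo():  # constructed tree: baseline, edit icewm, verify, restore, verify, delete a file
    root = tempfile.mkdtemp()
    icewm = Path(root, "X11", "Sessions", "icewm")
    icewm.parent.mkdir(parents=True)
    icewm.write_text("exec icewm\n")
    Path(root, "DIR_COLORS").write_text("TERM linux\n")
    os.symlink("X11", os.path.join(root, "xkb"))  # skipped, like the symlinks in the article
    baseline = os.path.join(root, "etchashes")
    write_baseline(hash_tree(root), baseline)  # hashed before the list exists, as in the article
    known = load_baseline(baseline)
    def check(fn):
        return [os.path.relpath(p, root) for p in fn(hash_tree(root), known)]
    clean = check(negative_match)     # only etchashes itself, just like /etc/etchashes above
    icewm.write_text("exec icewm\n# edited\n")
    edited = check(negative_match)    # etchashes plus X11/Sessions/icewm
    icewm.write_text("exec icewm\n")
    restored = check(negative_match)  # back to etchashes only
    Path(root, "DIR_COLORS").unlink()
    return clean, edited, restored, check(missing_paths)  # last item: the deleted DIR_COLORS
```

Because -x compares hashes only, a file copied or renamed to a new path with unchanged contents is not reported either; compare paths as missing_paths() does if that matters to you.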

This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art362.html

Copyright 1997-2008 NetAdminTools.com.