NetAdminTools.com
 
Using MD5deep To Verify Tree Integrity
Topic: Security   Posted: 2004-08-06

We talked a little about MD5deep in an earlier article. One nice thing about MD5deep is that it can recurse into subdirectories with the -r option. This allows you to create a set of MD5 sums for an entire directory tree. /etc is a good one to use as an example. Let's create the set of MD5 sums:

root@srv-1 etc # md5deep -r * > etchashes
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # head etchashes
c02e852ee9abd1a44a09f08a1f4b4ba8  /etc/CORBA/servers/gnomecc.gnorba
6ad4de64bfecc2fd4aba1653d6f6b191  /etc/CORBA/servers/panel.gnorba
fb25aaa5c183eb5908a5251917410299  /etc/CORBA/servers/gnomexmms.gnorba
86080911bc4514d5788ad5a8a47d19e3  /etc/DIR_COLORS
a0ce0f1c8a5771a1194f5895211a3f66  /etc/X11/Sessions/Xsession
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.4
394b2e1b38f7de34837ef36c869706f6  /etc/X11/Sessions/blackbox
b10dbd1b6388f5fdf9feee0e56525ea5  /etc/X11/Sessions/Gnome
8d4f58fc5ac42867d7cfb4e82f8ff555  /etc/X11/Sessions/icewm
effac7a41dd635d5aadb3f0a4e43320a  /etc/X11/Sessions/kde-3.0.5a

Let's verify by using the -x option to show differences. With -x, md5deep prints only the files whose hash is not in the list:

root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link

Well, /etc/etchashes shows up as being different, but that makes sense, since we created it and its own hash is not in the list. Let's test this by editing a file, running the test, changing it back, and running the test again:

root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
/etc/X11/Sessions/icewm
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc # vi /etc/X11/Sessions/icewm
root@srv-1 etc # md5deep -x etchashes -r *
md5deep: /etc/X11/xkb: Is a symbolic link
md5deep: /etc/X11/xdm/authdir: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x: Is a symbolic link
md5deep: /etc/X11/rstart/commands/x11: Is a symbolic link
md5deep: /etc/X11/gdm/Sessions: Is a symbolic link
md5deep: /etc/apache2/modules: Is a symbolic link
md5deep: /etc/apache2/lib: Is a symbolic link
md5deep: /etc/apache2/extramodules: Is a symbolic link
md5deep: /etc/apache2/logs: Is a symbolic link
md5deep: /etc/bind/pri: Is a symbolic link
md5deep: /etc/bind/sec: Is a symbolic link
/etc/etchashes
md5deep: make.profile: Is a symbolic link
md5deep: /etc/php/apache2-php4/lib: Is a symbolic link
md5deep: /etc/runlevels/default/fcron: Is a symbolic link
root@srv-1 etc #

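Nice! When we change icewm it shows up on the scan. When we change it back, it is not listed. Note that the symbolic links md5deep skipped above are not covered by the list. Make sure you save the list of MD5 checksums on a floppy or some place not available to an intruder, because anyone who can rewrite the list can hide their changes.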
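
The -x check compares against a set of hashes and ignores paths, so it does not report a deleted file, nor a file overwritten with a copy of another file already in the list. The script below is an added example, not part of the original article, and goes one step further with a path-aware audit. It uses coreutils sha256sum in place of md5deep; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: sha256sum stands in for md5deep,
# and the tree built in demo() is constructed sample data.
export LC_ALL=C   # byte-order sorting, so the reports are deterministic

# Print "hash  ./path" for every regular file under DIR.
snapshot() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Hash-only negative match (the -x behaviour): current files whose hash
# appears nowhere in BASELINE. Paths are ignored.
hash_only_audit() {  # hash_only_audit BASELINE DIR
    { sed 's/^/B /' "$1"; snapshot "$2" | sed 's/^/C /'; } | awk '
        { tag = substr($0, 1, 1); h = substr($0, 3, 64); p = substr($0, 69) }
        tag == "B" { known[h] = 1; next }
        !(h in known) { print p }' | sort
}

# Path-aware audit: compare the hash per path, report ADDED/CHANGED/REMOVED.
path_audit() {  # path_audit BASELINE DIR
    { sed 's/^/B /' "$1"; snapshot "$2" | sed 's/^/C /'; } | awk '
        { tag = substr($0, 1, 1); h = substr($0, 3, 64); p = substr($0, 69) }
        tag == "B" { base[p] = h; next }
        { seen[p] = 1 }
        !(p in base) { print "ADDED   " p; next }
        base[p] != h { print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }' | sort
}

# Constructed demo: edit one file, delete one, overwrite one with a copy
# of another baselined file, and add a new one.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tree/X11"
    echo "exec icewm" > "$t/tree/X11/icewm"
    echo "exec gnome" > "$t/tree/X11/Gnome"
    echo "root:x:0:0" > "$t/tree/passwd"
    echo "127.0.0.1"  > "$t/tree/hosts"
    snapshot "$t/tree" > "$t/baseline"        # kept outside the audited tree
    echo "# edited" >> "$t/tree/X11/icewm"
    rm "$t/tree/hosts"
    cp "$t/tree/X11/Gnome" "$t/tree/passwd"   # known hash at the wrong path
    echo "new" > "$t/tree/rc.local"
    echo "hash-only:";  hash_only_audit "$t/baseline" "$t/tree"
    echo "path-aware:"; path_audit "$t/baseline" "$t/tree"
    rm -rf "$t"
}
demo
```

The hash-only report lists just the edited and the new file, while the path-aware report also shows the removed hosts file and the overwritten passwd. The hashdeep tool distributed alongside md5deep offers an audit mode (-a with -k) that performs this kind of path-aware comparison.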




Copyright 1997-2008 NetAdminTools.com