Recipe 1.17 Integrity Checking Manually

1.17.1 Problem

You can't use Tripwire for administrative or political reasons, but you want to snapshot your files for later comparison. You don't have enough disk space to mirror your files.

1.17.2 Solution

Run a script like the following that stores pertinent information about each file of interest, such as checksum, inode number, and timestamp:

#!/bin/sh
# Print path, inode, MD5 checksum and modification time for each argument.
for file
do
    date=`/usr/bin/stat "$file" | /bin/grep '^Modify:' | /usr/bin/cut -f2- -d' '`
    sum=`/usr/bin/md5sum "$file" | /usr/bin/awk '{print $1}'`
    inode=`/bin/ls -id "$file" | /usr/bin/awk '{print $1}'`
    /bin/echo -e "$file\t$inode\t$sum\t$date"
done

Store this script as /usr/local/bin/idfile (for example). Use find to run this script on your important files, creating a snapshot. Store it on read-only media. Periodically create a new snapshot and compare the two with diff.

This is not a production-quality integrity checker. It doesn't track file ownership or permissions. It checks only ordinary files, not directories, device special files, or symbolic links. Its tools (md5sum, stat, etc.) are not protected against tampering.

1.17.3 Discussion

  1. Run the idfile script to create a snapshot file:

    # find /dir -xdev -type f -print0 | \
      xargs -0 -r /usr/local/bin/idfile > /tmp/my_snapshot

    This creates a snapshot file, basically a poor man's Tripwire database.

    /bin/arch   2222   7ba4330c353be9dd527e7eb46d27f923   Wed Aug 30 17:54:25 2000
    /bin/ash    2194   cef0493419ea32a7e26eceff8e5dfa90   Wed Aug 30 17:40:11 2000
    /bin/awk    2171   b5915e362f1a33b7ede6d7965a4611e4   Sat Feb 23 23:37:18 2002

    Note that idfile will process /tmp/my_snapshot itself, which will almost certainly differ next time you snapshot. You can use grep -v to eliminate the /tmp/my_snapshot line from the output.

    Be aware of the important options and limitations of find. [Recipe 9.8]

  2. In preparation for running the idfile script later from CD-ROM, modify idfile so all commands are relative to /mnt/cdrom/bin:

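    #!/mnt/cdrom/bin/sh
    # All helper commands come from the CD-ROM, not from the running system.
    BIN=/mnt/cdrom/bin
    for file
    do
        date=`$BIN/stat "$file" | $BIN/grep '^Modify:' | $BIN/cut -f2- -d' '`
        sum=`$BIN/md5sum "$file" | $BIN/awk '{print $1}'`
        inode=`$BIN/ls -id "$file" | $BIN/awk '{print $1}'`
        $BIN/echo -e "$file\t$inode\t$sum\t$date"
    done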

  3. Burn a CD-ROM with the following contents:

    awk, cut, echo, diff, find, grep, ls, md5sum, sh, stat, xargs, idfile

  4. Mount the CD-ROM at /mnt/cdrom.

  5. As needed, rerun the find and do a diff, using the binaries on the CD-ROM:

    BIN=/mnt/cdrom/bin
    $BIN/find /dir -xdev -type f -print0 | \
      $BIN/xargs -0 -r $BIN/idfile > /tmp/my_snapshot2
    $BIN/diff /tmp/my_snapshot2 /mnt/cdrom/my_snapshot

This approach is not production-quality; it has some major weaknesses:

  • Creating the snapshot can be very slow, and creating new snapshots frequently may be cumbersome.

  • It doesn't check some important attributes of a file, such as ownership and permissions. Tailor the idfile script to your needs.

  • It checks only ordinary files, not directories, device special files, or symbolic links.

  • By running ls, md5sum, and the other programs in sequence, you leave room for race conditions during the generation of the snapshot. A file could change between the invocations of two of these tools.

  • If any of the executables are dynamically linked against libraries on the system, and these libraries are compromised, the binaries on the CD-ROM can theoretically be made to operate incorrectly.

  • If the mount point /mnt/cdrom is compromised, your CD-ROM can be spoofed.
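
The diff in step 5 reports raw changed lines. As an added example (not part of the original recipe), the shell function below compares two idfile snapshots field by field and labels each file ADDED, REMOVED or CHANGED, noting which of inode, content or mtime differs. The names compare_snapshots and demo and the sample snapshot lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify differences between two idfile snapshots.
# Line format written by idfile: path<TAB>inode<TAB>md5<TAB>mtime

compare_snapshots() {   # usage: compare_snapshots OLD_SNAPSHOT NEW_SNAPSHOT
    awk -F '\t' '
        FILENAME == ARGV[1] { inode[$1] = $2; sum[$1] = $3; date[$1] = $4; next }
        !($1 in inode)      { print "ADDED\t" $1; next }
        {
            seen[$1] = 1
            what = ""
            if ($2 != inode[$1]) what = what " inode"
            if ($3 != sum[$1])   what = what " content"
            if ($4 != date[$1])  what = what " mtime"
            # A normal write updates mtime, so flag content changes without one.
            if ($3 != sum[$1] && $4 == date[$1]) what = what " (mtime-preserved)"
            if (what != "") print "CHANGED\t" $1 "\t" substr(what, 2)
        }
        END { for (f in inode) if (!(f in seen)) print "REMOVED\t" f }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {   # constructed sample snapshots, not data from a real system
    old=$(mktemp) new=$(mktemp)
    printf '%s\t%s\t%s\t%s\n' \
        /bin/arch 2222 7ba4330c353be9dd527e7eb46d27f923 'Wed Aug 30 17:54:25 2000' \
        /bin/ash  2194 cef0493419ea32a7e26eceff8e5dfa90 'Wed Aug 30 17:40:11 2000' \
        /bin/awk  2171 b5915e362f1a33b7ede6d7965a4611e4 'Sat Feb 23 23:37:18 2002' > "$old"
    printf '%s\t%s\t%s\t%s\n' \
        /bin/arch 2222 7ba4330c353be9dd527e7eb46d27f923 'Wed Aug 30 17:54:25 2000' \
        /bin/ash  2194 00000000000000000000000000000000 'Wed Aug 30 17:40:11 2000' \
        /bin/cat  2300 11111111111111111111111111111111 'Mon Mar  4 10:00:00 2002' > "$new"
    compare_snapshots "$old" "$new"
    rm -f "$old" "$new"
}

demo
```

Unchanged files produce no output, so an empty result means the two snapshots agree on every recorded field.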

1.17.4 See Also

find(1), diff(1). Use a real integrity checker if possible. If you can't use Tripwire, consider Aide or Samhain.
