Recognize methods for verifying the validity of files

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

Recognize the usefulness of file integrity utilities such as Tripwire. Recognize the built-in checks provided on some of the BSDs.

Introduction

File integrity checkers, such as the Tripwire and AIDE packages, verify that a file's content and metadata (such as ownership and file permissions) have not changed. They can also be used to check directories and report whether files have been added or are missing. A specification database defining the attributes to check is built ahead of time; the tool is then run periodically against it to report any changes.

The BSDs provide the mtree tool in their default installation, which may be used for this. The following example shows how to create a specification file for /sbin, recording the listed keywords for each file:

$ mtree -c -p /sbin -k size,time,flags,sha1digest,uid,gid,mode > sbin.mtree.spec

An example of a default entry (/set), a directory entry and a single file entry follows:

/set type=file uid=0 gid=0 mode=0555 flags=none
.               type=dir mode=0755 time=1318599805.392862215
    mount_ffs   size=11215 time=1282753136.0 \
                sha1=f27d96860b30fc26f8b903508e5a9c6493367112

See your system's mtree(8) manual page for other keywords and more details.

A specification is checked by running mtree against the previously created specification file, for example:

$ mtree -p /sbin < sbin.mtree.spec

It reports to standard output any files that are missing or have been added, and any attributes that have changed, showing the recorded (original) settings alongside the current ones.
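The create-then-check cycle described above, as an added example that is neither the mtree program nor code from this page: a small Python re-implementation that records a nested mtree-style specification (the `/set` defaults, indented directory entries and `..` lines shown above), parses one back, and reports missing, extra and changed files. The function names, the subset of keywords it records (type, size, mode, sha1digest; `sha1` is accepted as a synonym because NetBSD prints that name) and the constructed sample tree are assumptions of this example; keywords it does not compute, such as time and flags, are parsed but not compared.

```python
"""Minimal mtree-style integrity checker: an added example, not mtree(8) itself.
Keywords it cannot compute (time, flags, nlink, ...) are parsed but not compared."""
import hashlib, os, shutil, stat, tempfile

SYNONYMS = {"sha1": "sha1digest"}  # NetBSD prints sha1=, FreeBSD prints sha1digest=

# Spec fragment taken from the page, used to show the parser reads real mtree output.
SAMPLE_SPEC = """/set type=file uid=0 gid=0 mode=0555 flags=none
.               type=dir mode=0755 time=1318599805.392862215
    mount_ffs   size=11215 time=1282753136.0 \\
                sha1=f27d96860b30fc26f8b903508e5a9c6493367112
"""

def file_attrs(path):
    """Attributes of one filesystem object, named as mtree keywords."""
    st = os.lstat(path)
    kind = "dir" if stat.S_ISDIR(st.st_mode) else "link" if stat.S_ISLNK(st.st_mode) else "file"
    attrs = {"type": kind, "uid": str(st.st_uid), "gid": str(st.st_gid),
             "mode": "%04o" % stat.S_IMODE(st.st_mode)}
    if kind == "file":
        with open(path, "rb") as f:  # whole file read at once, for brevity
            attrs["sha1digest"] = hashlib.sha1(f.read()).hexdigest()
        attrs["size"] = str(st.st_size)
    return attrs

def create_spec(root, keys=("type", "size", "mode", "sha1digest")):
    """Emit a nested spec for the tree under root, like `mtree -c -k <keys>`."""
    lines = ["/set type=file"]  # default, so plain file entries may omit type=

    def emit(rel, depth):
        attrs = file_attrs(os.path.join(root, rel))
        kv = ["%s=%s" % (k, attrs[k]) for k in keys
              if k in attrs and not (k == "type" and attrs[k] == "file")]
        name = "." if rel == "." else os.path.basename(rel)
        lines.append("    " * depth + " ".join([name] + kv))
        if attrs["type"] == "dir":
            for child in sorted(os.listdir(os.path.join(root, rel))):
                emit(os.path.join(rel, child), depth + 1)
            lines.append("    " * depth + "..")  # back out of the directory

    emit(".", 0)
    return "\n".join(lines) + "\n"

def _keyvals(words):  # "k=v" words -> dict, folding keyword synonyms to one name
    return {SYNONYMS.get(k, k): v for k, _, v in (w.partition("=") for w in words)}

def parse_spec(text):
    """Parse /set defaults, directory nesting and '..' into {relpath: attrs}."""
    defaults, stack, entries = {}, [], {}
    for line in text.replace("\\\n", " ").splitlines():  # glue continued lines
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "/set":
            defaults.update(_keyvals(words[1:]))
        elif words[0] == "..":
            if stack:
                stack.pop()
        else:
            attrs = dict(defaults, **_keyvals(words[1:]))
            entries[os.path.normpath(os.path.join(*stack, words[0]))] = attrs
            if attrs.get("type") == "dir":
                stack.append(words[0])
    return entries

def check_spec(root, spec_text):
    """Compare the tree under root with a spec; return (kind, path, ...) findings."""
    expected, actual = parse_spec(spec_text), {"."}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            actual.add(os.path.relpath(os.path.join(dirpath, name), root))
    findings = [("missing", rel) for rel in sorted(set(expected) - actual)]
    findings += [("extra", rel) for rel in sorted(actual - set(expected))]
    for rel in sorted(set(expected) & actual):
        have = file_attrs(os.path.join(root, rel))
        for key, want in sorted(expected[rel].items()):
            if key in have and have[key] != want:  # uncomputed keywords are skipped
                findings.append(("changed", rel, key, want, have[key]))
    return findings

def demo():
    """Record a constructed tree, tamper with it, and check it again."""
    root = tempfile.mkdtemp(prefix="mtree-demo-")
    try:
        os.mkdir(os.path.join(root, "bin"))
        for rel, data in (("README", b"hello\n"), ("bin/cat", b"cat\n"), ("bin/ls", b"ls\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        spec = create_spec(root)
        clean = check_spec(root, spec)               # untouched tree: expect []
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"extra\n")                      # content change
        os.remove(os.path.join(root, "bin/cat"))     # file missing
        open(os.path.join(root, "bin/added"), "wb").close()  # file added
        return clean, check_spec(root, spec)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

Run directly, it prints the findings for the tampered tree: one missing file, one added file, and a changed sha1digest and size for bin/ls, each with the recorded and current values, which is the same information mtree prints. The parser also reads the default, directory and file entries quoted earlier on this page (embedded as SAMPLE_SPEC). As with mtree itself, the check is only as trustworthy as the stored specification: keep it on read-only media or on another host, since anyone able to alter the files can otherwise regenerate the specification to match.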

Some more details on verifying the validity of a file are covered in the section "Verify a file's message digest fingerprint (checksum)".

TODO: mention that some mtree specifications are available on some BSDs for the released files

TODO: mention ways of checking against recorded package checksums (is that in another section?)

Examples

Practice Exercises

More information

mtree(8), security(7) or (8); security.conf(5); veriexecctl(8)

TODO: veriexecctl