Recognize methods for verifying the validity of files
Recognize the utility of file integrity utilities such as tripwire. Recognize the built-in checks provided on some of the BSDs.
File integrity checkers, such as the Tripwire and AIDE packages, verify that a file's content and metadata (such as ownership and file permissions) have not changed. They can also check directories and report files that have been added or removed. A specification database defining which attributes to check is built ahead of time, and the tool is then run periodically to report any changes.
The BSDs provide the mtree tool in their default installation, which may be used for this purpose. The following example shows how to create a specification file for /sbin, recording each entry's size, modification time, file flags, SHA-1 digest, owner, group and permissions:
$ mtree -c -p /sbin -k size,time,flags,sha1digest,uid,gid,mode > sbin.mtree.spec
The resulting specification contains a default (/set) entry, a directory entry and one entry per file. For example:
/set type=file uid=0 gid=0 mode=0555 flags=none
.               type=dir mode=0755 time=1318599805.392862215
    mount_ffs   size=11215 time=1282753136.0 \
                sha1=f27d96860b30fc26f8b903508e5a9c6493367112
See your system's mtree(8) manual page for other keywords and more details.
The directory tree can then be checked against the pre-created specification by running mtree with the specification on standard input, for example:
$ mtree -p /sbin < sbin.mtree.spec
mtree reports to standard output any files that are missing or have been added, and any attributes that differ from the specification, showing the recorded (expected) value alongside the current one.
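The create-then-check workflow above, as an added example that is not from this page or from mtree itself: a small Python checker that records a specification using the page's keywords (minus time and flags, which are not portable across filesystems), then compares a tree against it and reports missing files, extra files and changed attributes as (expected, actual) pairs. The fixture directory, file names and contents are constructed for the demo.

```python
import hashlib, json, os, stat, tempfile

def file_entry(path):
    """One entry's attributes, using the page's keywords minus time and flags."""
    st = os.lstat(path)
    entry = {"type": "dir" if stat.S_ISDIR(st.st_mode) else "file", "uid": st.st_uid,
             "gid": st.st_gid, "mode": "%04o" % stat.S_IMODE(st.st_mode)}
    if entry["type"] == "file":
        entry["size"] = st.st_size
        with open(path, "rb") as fh:
            entry["sha1digest"] = hashlib.sha1(fh.read()).hexdigest()
    return entry

def build_spec(root):
    """Walk root and return {relative path: attributes} (the 'mtree -c' step)."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)   # "." for root, like mtree's first entry
        spec[rel] = file_entry(dirpath)
        for name in files:
            spec[os.path.normpath(os.path.join(rel, name))] = file_entry(os.path.join(dirpath, name))
    return spec

def check_spec(root, spec):
    """Compare root with a saved spec (the 'mtree -p root < spec' step)."""
    current = build_spec(root)
    report = {"missing": sorted(set(spec) - set(current)),
              "extra": sorted(set(current) - set(spec)), "changed": {}}
    for path in sorted(set(spec) & set(current)):
        diffs = {k: (v, current[path].get(k)) for k, v in spec[path].items()
                 if v != current[path].get(k)}          # (expected, actual) per keyword
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed fixture: record a spec for a fake /sbin, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    for name in ("mount_ffs", "fsck", "newfs"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"contents of " + name.encode())
    os.chmod(os.path.join(root, "fsck"), 0o555)
    spec_text = json.dumps(build_spec(root))  # what '> sbin.mtree.spec' would hold
    with open(os.path.join(root, "mount_ffs"), "wb") as fh:   # content edited
        fh.write(b"replaced contents")
    os.chmod(os.path.join(root, "fsck"), 0o755)               # permissions loosened
    os.remove(os.path.join(root, "newfs"))                    # file removed
    with open(os.path.join(root, "stray"), "wb") as fh:       # file added
        fh.write(b"not in the spec")
    return check_spec(root, json.loads(spec_text))
```

Running demo() returns a report naming newfs as missing, stray as extra, fsck with a mode change and mount_ffs with size and sha1digest changes, the same classes of finding mtree prints for /sbin.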
Further details on verifying the validity of a file are covered in the section Verify a file's message digest fingerprint (checksum).
TODO: mention that some mtree specifications are available on some BSDs for the released files
TODO: mention ways of checking against recorded package checksums (is that in another section?)
mtree(8), security(7) or (8); security.conf(5); veriexecctl(8)