[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
yet another use for MD5
After examining Tripwire and deciding that it was *way* overkill for my own
purposes, I decided to cobble together my own minimalist solution to the unix
file integrity problem. I call it "L5", for a variety of reasons, and have
decided to present it to the community as a Useful Hack. For all I know it
may have already been done elsewhere, but I haven't yet seen such a thing
mentioned, despite the simple underlying concept.
L5 can be FTPed from asylum.sf.ca.us:/pub/hobbit/L5.tar.Z.
L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or "find"
would, generating listings of anything it finds there. It tells you everything
it can about a file's status, and adds on an MD5 hash of it. Its output is
rather "numeric", but it is a very simple format and is designed to be
post-treated by scripts that call L5. Here are some of its other features:
Filenames come first, making sorting easier.
Filenames are delimited in a non-[unix]-spoofable way; ending in
"//". The single character after "//" indicates the file type.
Scanning stops at device boundaries, so L5 doesn't go slogging
through random NFS trees or "tmpfs"es unless you tell it to.
You can tell it not to walk any directories lower than the
one[s] you handed it as arguments. [It always walks one level
of its given arguments.]
You can tell it to only print the filenames.
If a file looks like a script of some kind, it is shown as type
"K" instead of "F". Useful for finding those setuid shell scripts...
MD5 hashing can be output in hex, Tripwire's radix64 format, or
not at all, as you specify. The hex hash for a given file is the
same as that of the CERT "md5check".
You can feed it a list of files or directories to check as its
standard input.
You can have it do its hash *on* standard input. This feature is
useful for doing things like "l5 /critical/files | l5" to get a
small but secure summary hash.
It is small and reasonably fast.
Some of it is based on code from Tripwire, but it doesn't use a DBM database
and only offers one hash option. The MD5 code, in particular, is the
endian-independent version from Tripwire, which builds almost anywhere.
Selection of files to ignore certain changes in is undoubtedly less versatile,
but you can always filter the output through further scripts before, for
example, diffing your "old" system snapshot against your "new" system
snapshot.
[The rest of this file is in the README that comes with L5.]
_H*