Very Computer

        Now that I've started to learn Perl, I'm trying to write a
number of scripts that help me do systems administration.  Yes, I
know, dozens of people have done this before, but it's always fun to
do it yourself.

        One of the things I'd like to do is check to see if any of a
set of binaries have been modified since the last time I ran the
check.  Perl will allow me to verify that the file size is the same as
the last time I ran the script, and it will also let me look at the
last modified date.  The question is: which is safer to monitor?  If I
were a cracker, and I wanted to modify a binary so that it would make
the system work for me, I *think* it would be easy to make the patch
so that the executable was the same size as the original.  Is there
any way the presumed intruder (or even a user on the system) can
change the last modified date for a file?

        In case anyone cares, this is a Linux box using the ext2 file
system.

--
Lee Silverman, Brown class of '94, Brown GeoPhysics ScM '95


"Nonsense - you only say it's impossible because nobody's ever done it."

Quote:>    One of the things I'd like to do is check to see if any of a
>set of binaries have been modified since the last time I ran the
>check.

Quote:> Perl will allow me to verify that the file size is the same as
>the last time I ran the script, and it will also let me look at the
>last modified date.  The question is: which is safer to monitor?

A much better way is to calculate a checksum or hash of the data within
the file. The easiest way to do this is simply to exec the "sum" command
within perl.  For even more security, you can calculate the MD5 sum (check
any decent crypto book for the algorithm).  There is no way for a
cracker to modify the file without changing the checksum.

You should also take a look at tripwire. It does exactly what you are
looking for.

--
Bruce

        Thanks to everyone who suggested different techniques for
setermining whether or not binaries on my machine have been modified.

        It seems that the consensus is that file sizes and last
modification dates are both hackable, and are not something I should
bother checking to see if the binaries have been altered.  A better
solution would be to use MD4 or MD5 checksums on the binaries, and
also on all the dymanically loadable library files.  That way, *any*
change will be noticed and can be reported.  Also, it seems to be a
prudent idea to physically print out a copy of the checksums and
compare two printouts every so often, based on the assumption that
anyone who can modify your binaries or libraries will also check to
see if you check for that sort of thing, and modify your checksum
database.

Thanks for the help everyone!

--
Lee Silverman, Brown class of '94, Brown GeoPhysics ScM '95


"Nonsense - you only say it's impossible because nobody's ever done it."

Quote:>    One of the things I'd like to do is check to see if any of a
>set of binaries have been modified since the last time I ran the
>check.  Perl will allow me to verify that the file size is the same as
>the last time I ran the script, and it will also let me look at the
>last modified date.  The question is: which is safer to monitor?

--
Tilman Schmidt                              Phone:  +49 221 8299 275
Sema Group Deutschland GmbH                 Fax:    +49 221 8299 266

To ease your sysadmin burden, I would modify 'touch' so that it can not set
the date back on a file, with something like a C front-end.   Only some
versions of touch can set the date backwards,
unfortunately Linux versions do.  Also the 'date' command should be
protected from common users by the same logic.

I would do the checksums too, of course.

--

Public Access UNIX and Internet at (503) 220-1016 (2400-14400, N81)

Quote:>Also the 'date' command should be
>protected from common users by the same logic.

--

681 Park Street, Brunswick, Vic. 3056, Australia

No.

Quote:>  Also the 'date' command should be
>protected from common users by the same logic.

--
Tilman Schmidt                              Phone:  +49 221 8299 275
Sema Group Deutschland GmbH                 Fax:    +49 221 8299 266