
This was a class assignment in shell scripting — to implement the function of tripwire using the find command as part of it. Tripwire is a program that builds a database of pathnames and checksums in an attempt to discover changes to a system, by comparing the results of a new run against the results of an original run.

The script itself: http://aimee.pastebin.com/fn4p0SBn
And its conf file: http://aimee.pastebin.com/J6bJX6qD

Nothing too special here. The directories to search and the location of the log files are specified in the conf file. The interesting parts of the script are the

find $dir -type f >> $logdir/savedstate.txt

which walks through the directory $dir and writes the pathnames of every file to savedstate.txt and the

find $dir -type f -print0 | xargs -0 md5sum >> $logdir/savedstatemd5.txt

which walks through the directory $dir and calculates the md5sum of every file, writing it to savedstatemd5.txt. These files are effectively the current state of the specified search directories. Then there are a couple of comm commands to compare the current state to the original state and output any deleted or added files. Modified files are dealt with like so

md5sum -c $logdir/savedstatemd5.txt.bak 2>&1 | grep -v 'OK$' &> $logdir/md5changes.txt

which basically runs an md5sum check on every file listed in the savedstatemd5 of the original run and keeps only the lines for files that fail the check. At the end of the run, "current" state becomes "previous" state in preparation for the next run.

Ideally, this is run in --init mode when the system is first set up, before it's connected to the network. Then it's run in --scan mode very regularly to catch anything nefarious that is happening.
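The init/scan split described above, as an added example that is not the assignment's script or its conf file: a pair of shell functions built from the same find, checksum and comm steps. The function names (tw_init, tw_scan, tw_accept, tw_demo) and the log file names are this example's own assumptions; it uses sha256sum in place of md5sum (same -c interface), sorts the find output because comm requires sorted input, and keeps the "current becomes previous" step in a separate tw_accept so that a scan never silently adopts the changes it reports. The sample tree in tw_demo is constructed, not real system data. GNU coreutils is assumed.

```shell
#!/bin/bash
# Added example, not the assignment's script: a minimal tripwire-style
# baseline/scan pair built from find, sha256sum and comm, following the
# --init / --scan split described above. Function and file names are this
# example's own. Assumes GNU coreutils (find -print0, xargs -0, sha256sum -c,
# comm). sha256sum stands in for md5sum; the -c check interface is the same.

# tw_init DIR LOGDIR: record the baseline path list and checksums of DIR.
tw_init() {
    dir=$1; logdir=$2
    mkdir -p "$logdir"
    # comm requires sorted input, so sort the path list with a fixed locale.
    # (Paths containing newlines are not handled by a line-oriented list.)
    find "$dir" -type f | LC_ALL=C sort > "$logdir/savedstate.txt"
    find "$dir" -type f -print0 | xargs -0 sha256sum > "$logdir/savedstatesum.txt"
}

# tw_scan DIR LOGDIR: compare DIR against the baseline. Prints one line per
# change ("added: ", "deleted: ", "modified: "), writes the same report to
# LOGDIR/report.txt, and returns 0 when nothing changed, 1 otherwise.
tw_scan() {
    dir=$1; logdir=$2
    find "$dir" -type f | LC_ALL=C sort > "$logdir/currentstate.txt"
    {
        # -13: lines only in the current list (added); -23: only in baseline (deleted)
        LC_ALL=C comm -13 "$logdir/savedstate.txt" "$logdir/currentstate.txt" | sed 's/^/added: /'
        LC_ALL=C comm -23 "$logdir/savedstate.txt" "$logdir/currentstate.txt" | sed 's/^/deleted: /'
        # Recheck every baseline file. --quiet prints only failures, which
        # replaces the grep -v 'OK$' step. A deleted file also fails here
        # ("FAILED open or read"); it is already reported above, so drop it.
        sha256sum -c --quiet "$logdir/savedstatesum.txt" 2>/dev/null \
            | sed -n '/: FAILED open or read$/d; s/^\(.*\): FAILED$/modified: \1/p'
    } > "$logdir/report.txt"
    cat "$logdir/report.txt"
    # Empty report means the tree matches the baseline.
    [ ! -s "$logdir/report.txt" ]
}

# tw_accept DIR LOGDIR: after the report has been reviewed, make the current
# state the new baseline (the "current becomes previous" step), keeping the
# old checksum list as a .bak copy.
tw_accept() {
    cp "$2/savedstatesum.txt" "$2/savedstatesum.txt.bak"
    tw_init "$1" "$2"
}

# tw_demo: walk-through on a constructed sample tree (not real system data).
tw_demo() {
    tree=$(mktemp -d); logs=$(mktemp -d)
    printf 'alpha\n' > "$tree/a.txt"
    mkdir "$tree/sub"; printf 'beta\n' > "$tree/sub/b.txt"
    tw_init "$tree" "$logs"            # --init: baseline before "going online"
    printf 'BETA\n' > "$tree/sub/b.txt" # a modified file
    rm "$tree/a.txt"                    # a deleted file
    printf 'gamma\n' > "$tree/c.txt"    # an added file
    tw_scan "$tree" "$logs" || echo "scan status: $? (changes found)"
    rm -rf "$tree" "$logs"
}
tw_demo
```

The baseline files are only as trustworthy as the place they are kept: if savedstate.txt and savedstatesum.txt live on the monitored host with write access for whoever changes the files, a later scan proves nothing, so copy them to read-only or offline storage after tw_init and compare against that copy.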
