Security auditing script "md5mon" by Serge Winitzki

Introduction

The package "md5mon" is a very basic security auditing script. It checks that certain system files have not been modified: it uses "md5sum" to compute checksums of the files and reports any differences from previously recorded checksums. Optionally, the somewhat more secure but slower "shasum" can be used instead of "md5sum". Two caveats for today's reader: the checksums cover file contents only, so changed permissions, ownership or timestamps go unnoticed; and MD5 (and SHA-1) have since been shown not to be collision resistant, so a new deployment should substitute a SHA-2 tool such as "sha256sum" for the hash program the script calls.

Depends on: sh which md5sum find tar gzip
Optional: shasum

Download

  • Version 1.0: md5mon-1.0.tar.gz
    Initial release, 05/16/2000
  • Version 1.1: md5mon-1.1.tar.gz
    Released on 06/03/2000. Changes: more flexible updates, eliminate "argument list too long" error
  • Version 1.2: md5mon-1.2.tar.gz
    Released on 06/30/2000. Changes: more security options, better floppy-based integrity check, better logging
  • Version 1.3: md5mon-1.3.tar.gz
    Released on 11/05/2000. Changes: added lists for individual files; made "-a" add separate files to lists for monitoring; improved documentation; separate "trustedsource" script for integrity check, removed "updatefloppy" script.
  • Version 1.3a: md5mon-1.3a.tar.gz
    Released on 02/23/2001. Changes: bugfix - did not update sums correctly in some cases
  • Version 1.3b: md5mon-1.3b.tar.gz
    Released on 11/20/2001. Changes: added sample "plug-ins" script to monitor open connections, kernel modules and so on. No changes to the main script.

    The README file in the distribution contains complete documentation. Below is an extract from the README of md5mon 1.0, so it may be partially obsolete or incomplete, but it is still relevant for basic usage.

    Features

    There are two main actions: create the checksum lists and verify the checksums. There are also a "package" action and a "reconcile" action.

    Files are selected by directories and optionally filtered through exclusion lists to prevent scanning of inessential files.

    Lists of directories to be monitored are configurable to several "levels" so that the user might put a few of the most important files at one level and a larger number of less crucial files at another level.

    The script reports all checksum discrepancies it finds to a log file, so it is suitable for cron jobs. The "-q" or "--quiet" option suppresses all messages unless mismatches are found.

    The "package" action archives all current checksums together with the script and with copies of the "find" and "md5sum" binaries, for secure storage on external media. Once every level has been packaged and the archive is kept off the machine, an intruder who later gains root can neither rewrite the checksum lists nor replace the checksum utilities with trojaned versions to hide changes to the monitored files: the checksums and the tools that produced them are no longer under the machine's control.

    The script maintains its own integrity checksum in a small file which may optionally be stored on a read-only medium such as a write-protected floppy, or on a remote computer, and read at each checkup (the command that fetches this file must be specified within the script).

    Installation

    Unpack the distribution into a directory such as /usr/local/md5mon or any other directory. The necessary files are "md5mon" and several "dirs_X" and "exclude_X" files, where X is a number (0, 1, ...). The script creates or updates all of its files in the same directory where "md5mon" resides. You may choose an inconspicuous location for this directory, for example /etc/X11/app-defaults/xyterm/, make the directory and all files inside it readable only by root, and rename "md5mon" to something else, if you feel that this helps. Keep in mind that this is obscurity rather than protection: an intruder with root can still find and edit the files, which is what the trusted-source check described below is for. Ancillary file names are also easily configurable by editing the script.

    Usage

    First, edit the supplied sample files "dirs_0" and "exclude_0" to select the files monitored at level 0. (The supplied files are perhaps sufficient for basic auditing purposes.) Note that all files in all subdirectories of the directories listed in "dirs_X" will be monitored, so including "/usr" may lead to including a huge number of files and the operations may take a very long time, since all files will have to be read during any auditing action.

    For example, the file "dirs_0" could contain a single line listing the common system binary directories, such as

    /bin /boot /etc /sbin /usr/bin /usr/local/bin /usr/X11/bin /usr/sbin
    
    and the file "exclude_0" might contain
    /etc/mtab
    .*~$
    
    which will exclude the frequently changed file "/etc/mtab" as well as any file ending in "~" from the file list. (Exclusion lists may contain several lines, each a grep regular expression that is matched against the full path, while the directory lists contain just plain directory names. The expressions are not anchored: "/etc/mtab" would also exclude a file named "/etc/mtab.bak", so append "$" where that matters.)

    After editing the files "dirs_0" and optionally "exclude_0" (if no "exclude_X" file is present, then all files are included) you can run "md5mon -u 0" or "md5mon --update 0" to create the checksum file. You can run it from any directory as long as you specify the complete path (e.g. /opt/md5mon-1.0/md5mon -u 0). You should execute the update action only when you are sure that the files you choose to monitor are pristine and authentic, for example, if you just finished compiling and installing them. The update action will create the file "sums_0" containing all checksums of the monitored files.

    You may create any number of "levels" and run checks on them separately. For this you need to create the files "dirs_X" and optionally "exclude_X" where X will be the number of the level, and run "md5mon -u X" to create the checksum list.
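    The following is an added example and not md5mon's own code: a minimal POSIX shell re-implementation of the update and check actions for one level, showing how the dirs_X, exclude_X and sums_X files fit together and what a check reports for a modified, an added and a removed file. It assumes the three files live in a state directory passed as the first argument (md5mon keeps them beside the script), defaults to sha256sum as the hash program (set HASH=md5sum or HASH=shasum to mirror md5mon), and that monitored paths contain no spaces or newlines. The demo tree and its contents are constructed.

```shell
#!/bin/sh
# Added example, not md5mon's own code: the "update" and "check" actions for
# one level. Assumptions: dirs_X / exclude_X / sums_X live in a state directory
# given as $1; HASH is any program printing "<digest>  <path>" per file;
# monitored paths contain no whitespace.
HASH="${HASH:-sha256sum}"

# Print every regular file under the directories named in dirs_LEVEL, minus
# the paths matching any grep regex in exclude_LEVEL (if that file exists).
list_files() {   # list_files STATEDIR LEVEL
    dirs="$1/dirs_$2"; excl="$1/exclude_$2"
    # Without this guard "find" with no paths would silently scan ".".
    [ -f "$dirs" ] || { echo "list_files: $dirs missing" >&2; return 2; }
    pat=$(mktemp)
    # Copy the regexes without blank lines: an empty pattern matches every
    # line, so one stray blank line in exclude_X would exclude everything.
    [ -f "$excl" ] && grep -v '^[[:space:]]*$' "$excl" > "$pat"
    # shellcheck disable=SC2046  # dirs_X is a whitespace-separated list
    find $(cat "$dirs") -type f 2>/dev/null | LC_ALL=C sort | grep -v -f "$pat" || true
    rm -f "$pat"
}

# Hash the current file list into sums_LEVEL. Run this only on a machine you
# trust to be pristine: its output defines what "unmodified" means later.
update_level() {   # update_level STATEDIR LEVEL
    list_files "$1" "$2" | while IFS= read -r f; do "$HASH" "$f"; done > "$1/sums_$2"
}

# Recompute the hashes and report every difference against sums_LEVEL.
# Prints ADDED / CHANGED / REMOVED lines; returns 0 if nothing differs,
# 1 if anything does, 2 if there is no baseline yet.
check_level() {   # check_level STATEDIR LEVEL
    sums="$1/sums_$2"
    [ -f "$sums" ] || { echo "check: $sums missing, run update first" >&2; return 2; }
    new=$(mktemp)
    list_files "$1" "$2" | while IFS= read -r f; do "$HASH" "$f"; done > "$new"
    # Compare by path so a modified file is reported once as CHANGED rather
    # than as one REMOVED plus one ADDED line.
    report=$(awk -v base="$sums" '
        FILENAME == base { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old)) print "ADDED   " $2
          else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (f in old) if (!(f in seen)) print "REMOVED " f }' \
        "$sums" "$new" | LC_ALL=C sort)
    rm -f "$new"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demonstration: baseline a small tree, then modify one file, add
# one, delete one and rewrite an excluded one; only the first three are reported.
demo() {
    work=$(mktemp -d); tree="$work/root"; st="$work/state"
    mkdir -p "$tree/bin" "$tree/etc" "$st"
    printf 'ELF-ish\n' > "$tree/bin/ls"; printf 'ELF-ish\n' > "$tree/bin/ps"
    printf 'root:x:0:0\n' > "$tree/etc/passwd"; printf 'proc /proc\n' > "$tree/etc/mtab"
    printf '%s %s\n' "$tree/bin" "$tree/etc" > "$st/dirs_0"
    printf '/etc/mtab$\n\n.*~$\n' > "$st/exclude_0"     # deliberate blank line
    update_level "$st" 0
    printf 'trojan\n' >> "$tree/bin/ls"                  # modified
    printf 'x\n' > "$tree/bin/nc"                        # added
    rm "$tree/bin/ps"                                    # removed
    printf 'proc /proc rw\n' > "$tree/etc/mtab"          # excluded: not reported
    if check_level "$st" 0; then rc=0; else rc=$?; fi
    echo "status: $rc"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac    # run as: sh this-script.sh demo
```

    Running the demo prints an ADDED line for bin/nc, a CHANGED line for bin/ls, a REMOVED line for bin/ps and "status: 1"; nothing is printed for the excluded mtab or the untouched passwd. The awk join is what lets a single report distinguish a modified file from a deleted-plus-created pair, which a plain diff of two checksum lists does not.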

    It may make sense to store the checksums away from the computer. To make it easier there is a "package" action. It creates a file such as md5mon-1.*-YYMMDDHHMM.tar.gz which includes all of your file lists and checksum lists as well as good copies of system utilities "find" and "md5sum" (i.e. exact copies of the utilities that were originally used for checksum computation). Package your level X using "md5mon -p X" and store the resulting file (md5mon-*.tar.gz) in a secure place.

    An even more secure option is to store md5mon's own checksum file (sums.md5mon) on read-only media such as a write-protected floppy disk, on a remote computer to which you have key-based, passwordless access, on a trusted Web site, and so on. md5mon will then first read its checksum file from this "trusted source" each time you run it and verify that neither the script itself nor any of the checksum files have been tampered with. To do this, you will need to edit the top part of the script before first use and insert the necessary commands. Some examples are given as comments which you may uncomment and edit. It is important that an unavailable "trusted source" is treated as a failure: the checksum file must remain untouched, and the check must not silently fall back to a local copy. The script stops with an error message if its checksum fails.

    Note that any change to the script or to any of its configuration files after the first update will make this integrity check fail. In that case you have to run "update" again, and while doing so you must again be sure that the files on your computer have not been compromised.
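    The following is an added example and not md5mon's own code: the "trusted source" self-check as two stand-alone shell functions, one that records checksums of the script and of its list files (the content of sums.md5mon) and one that fetches that record through a user-supplied command and verifies against it, refusing to continue and touching nothing local if the source cannot be read. It assumes a hash program that understands "-c" (GNU md5sum and sha*sum and Perl's shasum do; the default here is sha256sum) and absolute paths in the stored record. The fetch commands 'cat /mnt/floppy/sums.md5mon' and 'ssh backup@host cat sums.md5mon' are illustrative only, and the demo state directory is constructed.

```shell
#!/bin/sh
# Added example, not md5mon's own code. HASH must support "-c" (verify a list
# of "<digest>  <path>" lines); sha256sum is the default here.
HASH="${HASH:-sha256sum}"

# Checksum the script itself and every list file beside it, using absolute
# paths so the record verifies from any working directory. Run only from a
# known-good state and send the output to the trusted source, for example
#   write_self_sums /usr/local/md5mon/md5mon /usr/local/md5mon > /mnt/floppy/sums.md5mon
# (hypothetical paths).
write_self_sums() {   # write_self_sums SCRIPT STATEDIR
    "$HASH" "$1"
    for f in "$2"/dirs_* "$2"/exclude_* "$2"/sums_*; do
        [ -f "$f" ] || continue      # an unmatched glob stays a literal pattern
        "$HASH" "$f"
    done
}

# Fetch the stored record with FETCH_CMD and verify every listed file.
# Returns 0 when all match, 1 when a file differs or is missing (tampering),
# 2 when the trusted source cannot be read. Case 2 fails closed: nothing is
# verified and nothing local is rewritten or "refreshed".
verify_self() {   # verify_self FETCH_CMD
    rec=$(mktemp); out=$(mktemp)
    if ! sh -c "$1" > "$rec" 2>/dev/null || [ ! -s "$rec" ]; then
        rm -f "$rec" "$out"
        echo "md5mon: trusted source unavailable ($1); refusing to run" >&2
        return 2
    fi
    if "$HASH" -c "$rec" > "$out" 2>&1; then
        rm -f "$rec" "$out"
        return 0
    fi
    echo "md5mon: integrity check FAILED, the script or a checksum list was modified:" >&2
    grep -v ': OK$' "$out" >&2
    rm -f "$rec" "$out"
    return 1
}

# Constructed demonstration: a fake script and state directory, with a plain
# file standing in for the read-only floppy. Expected output:
# "intact:0 tampered:1 unavailable:2".
demo_selfcheck() {
    work=$(mktemp -d); st="$work/state"; mkdir -p "$st"
    printf '#!/bin/sh\necho monitor\n' > "$st/md5mon"
    printf '/bin /etc\n' > "$st/dirs_0"
    printf 'deadbeef  /bin/ls\n' > "$st/sums_0"
    write_self_sums "$st/md5mon" "$st" > "$work/floppy.sums"
    if verify_self "cat '$work/floppy.sums'"; then a=0; else a=$?; fi
    printf 'deadbeef  /bin/rootkit\n' >> "$st/sums_0"    # attacker edits a checksum list
    if verify_self "cat '$work/floppy.sums'"; then b=0; else b=$?; fi
    if verify_self "cat '$work/no-such-floppy'"; then c=0; else c=$?; fi
    rm -rf "$work"
    echo "intact:$a tampered:$b unavailable:$c"
}

case "${1:-}" in demo) demo_selfcheck ;; esac    # run as: sh this-script.sh demo
```

    The point of the distinct return code 2 is operational: a cron job can alert on "source unavailable" (someone removed the floppy or the backup host is down) without confusing it with a genuine integrity failure, and in neither case does the script proceed to a check whose results could not be trusted.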

    Quick command reference

    At the moment three actions are supported: check, package, and update.

    To get quick help:

    md5mon
    md5mon -h
    md5mon --help

    To check that the files listed at levels 0, 2 and 5 are unmodified:

    md5mon -c 0 2 5
    md5mon --check 0 2 5

    To check the files at level 0 but print no messages unless differences are found:

    md5mon -q -c 0
    md5mon --quiet --check 0

    To create or update the checksum lists at levels 4 and 1:

    md5mon -u 4 1
    md5mon --update 4 1

    To package all information relevant to levels 0, 1, 4, and 5:

    md5mon -p 0 1 4 5
    md5mon --package 0 1 4 5

    To use a somewhat more secure SHA checksum program "shasum" instead of "md5sum":

    md5mon --sha -u 0 1 2


    Version history

    Version 1.0: initial release, actions "-c", "-u", "-p". Added "-a" action.

    Version 1.1: changed -u action to avoid very long argument lists for $hash; added -e action.

    Version 1.2: copying executables also from trusted source; creating a list of changed files and calling an external shell script "complain" if any errors are found.

    Version 1.3: added lists for individual files; made "-a" add separate files to lists for monitoring; improved documentation; separate and improved "trustedsource" script for integrity check, removed "updatefloppy" script; automatically updates trusted source on changes.

    Version 1.3a: quick bugfix: did not update sums correctly in some cases