These changes may be deliberate, part of normal host operation, the
result of an errant 'chmod', etc. Tools like Samhain, AIDE, and Tripwire
(note 0) have been devised specifically to identify such changes, which
they do well. The only problem is that these tools need to be installed
and configured. Though by no means a full substitute for any of the tools
above, in both Solaris and Linux, we can refer to their respective package
databases for simple file integrity checks and attribute restoration.
Our host details are:
HOSTS:   sunspot, cobblepot
PROMPT:  host [0]
OSes:    Solaris 10, CentOS 5.5
PACKAGE: op (privately compiled and packaged installation of op-1.32)
NOTES:   The details that follow should be relevant on previous OS versions as
         the respective package systems are relatively mature and stable.

Before continuing, it should be noted that the following is only relevant
to files installed by a package registered by the packaging system in use.
The following will be of no use for files otherwise created. Also,
Solaris is used for the main discussion, followed by a sampling in Linux.
Solaris:
Diving right in, let's have a look at what the package (pkg) system
has to say about '/usr/local/man/man1/op.1' (see note 1):
sunspot [0] /usr/sbin/pkgchk -l -p /usr/local/man/man1/op.1
Pathname: /usr/local/man/man1/op.1
Type: regular file
Expected mode: 0644
Expected owner: root
Expected group: other
Expected file size (bytes): 10339
Expected sum(1) of contents: 51920
Expected last modification: Jan 08 10:56:03 AM 2008
Referenced by the following packages:
        SOCop
Current status: installed

The expected mode for this file is "0644" as detailed above. Next,
we'll change it to "0755" and have 'pkgchk' audit the file's attributes
(for 'pkgchk' flags used, see note 2):
sunspot [0] /bin/chmod 0755 /usr/local/man/man1/op.1
sunspot [0] /usr/sbin/pkgchk -ap /usr/local/man/man1/op.1
ERROR: /usr/local/man/man1/op.1
        permissions <0644> expected <0755> actual

After updating the mode (permissions) of 'op.1', our subsequent 'pkgchk'
identifies the disparity and alerts us to it. Illustrated below, we have
'pkgchk' audit the full package (SOCop) to which 'op.1' belongs and
verify with 'ls':
sunspot [1] /usr/sbin/pkgchk -a SOCop
ERROR: /usr/local/man/man1/op.1
        permissions <0644> expected <0755> actual
sunspot [1] /bin/ls -ld /usr/local/man/man1/op.1
-rwxr-xr-x 1 root other 10339 Jan 8 2008 /usr/local/man/man1/op.1

To restore the appropriate mode of 'op.1' we could reference the expected
mode from the output above and supply it to 'chmod'. Even easier would
be to allow 'pkgchk' to fix it for us:
sunspot [0] /usr/sbin/pkgchk -fp /usr/local/man/man1/op.1
sunspot [0] /bin/ls -ld /usr/local/man/man1/op.1
-rw-r--r-- 1 root other 10339 Jan 8 2008 /usr/local/man/man1/op.1

After running 'pkgchk', we verify with 'ls' and see that the mode has
been restored. Just as we can audit a full package, we can also restore
file attributes to full packages. The following example picks up after
setting the permissions of 'op.1' to "0755".
sunspot [0] /usr/sbin/pkgchk -f SOCop
ERROR: /usr/local/etc/op.conf
        file size <512> expected <640> actual
        file cksum <42802> expected <53200> actual
sunspot [1] /bin/ls -ld /usr/local/man/man1/op.1
-rw-r--r-- 1 root other 10339 Jan 8 2008 /usr/local/man/man1/op.1

Of note, we get an error on the file size and checksum for 'op.conf',
another file in the 'SOCop' pkg. This is because the contents of
'op.conf' have been updated. While 'pkgchk -f' has alerted us to this,
the '-f' flag corrects only a file's attributes, not its contents (size
or checksum; see note 3). As a result, 'op.conf' was left alone. For a
final example, the following updates user:group ownership and the mode of
'op.1', then runs through an audit and repair of those attributes:
sunspot [0] /bin/chown bin:bin /usr/local/man/man1/op.1
sunspot [0] /bin/chmod 0755 /usr/local/man/man1/op.1
sunspot [0] /usr/sbin/pkgchk -a SOCop
ERROR: /usr/local/man/man1/op.1
        permissions <0644> expected <0755> actual
        group name <other> expected <bin> actual
        owner name <root> expected <bin> actual
sunspot [0] /bin/ls -ld /usr/local/man/man1/op.1
-rwxr-xr-x 1 bin bin 10339 Jan 8 2008 /usr/local/man/man1/op.1
sunspot [0] /usr/sbin/pkgchk -fp /usr/local/man/man1/op.1
sunspot [0] /bin/ls -ld /usr/local/man/man1/op.1
-rw-r--r-- 1 root other 10339 Jan 8 2008 /usr/local/man/man1/op.1

Linux:
Identifying the pkg that owns 'op-1.32/README', and that file's recorded
attributes (for the 'rpm' dump format, see note 4):
cobblepot [0] /bin/rpm -qf /usr/local/share/doc/op-1.32/README
op-1.32-1
cobblepot [0] /bin/rpm -q --dump op-1.32 | /bin/grep 'op-1.32/README'
/usr/local/share/doc/op-1.32/README 4551 1208465130 c8f9993fe17411a5ff1f1381d27a9c7d 0100644 root root 0 0 0 X

Verifying the mode (0100644) of 'README' with 'ls':
cobblepot [0] /bin/ls -ld /usr/local/share/doc/op-1.32/README
-rw-r--r-- 1 root root 4551 Apr 17 2008 /usr/local/share/doc/op-1.32/README

Modifying 'README' mode via 'chmod'; verifying the change with 'ls'
and disparity with 'rpm -V' (for 'rpm' options used, see note 5):
cobblepot [0] /bin/chmod 0444 /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/ls -ld /usr/local/share/doc/op-1.32/README
-r--r--r-- 1 root root 4551 Apr 17 2008 /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/rpm -Vf /usr/local/share/doc/op-1.32/README
S.5....T /usr/local/etc/op.conf
.M...... /usr/local/share/doc/op-1.32/README

Note, 'rpm' verify and set commands operate on all files in a package, not
just a specified file. This is the reason the output above details both
'op.conf' and 'README'. The output for 'op.conf' indicates a difference
between the rpm database and the file for size, MD5 checksum, and mtime.
For 'README', the difference is only mode (see note 6). The following
resets the mode (permissions) of all files in pkg 'op-1.32-1' and
verifies the update with 'rpm' and 'ls':
cobblepot [1] /bin/rpm --setperms op-1.32-1
cobblepot [0] /bin/rpm -Vf /usr/local/share/doc/op-1.32/README
S.5....T /usr/local/etc/op.conf
cobblepot [0] /bin/ls -ld /usr/local/share/doc/op-1.32/README
-rw-r--r-- 1 root root 4551 Apr 17 2008 /usr/local/share/doc/op-1.32/README

Alternatively, one can update a pkg's files by identifying a file
from the intended pkg:
cobblepot [0] /bin/rpm --setperms -f /usr/local/share/doc/op-1.32/README

Another example, modifying mode and ownership of 'README':
cobblepot [0] /bin/chmod 0444 /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/chown bin:bin /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/ls -ld /usr/local/share/doc/op-1.32/README
-r--r--r-- 1 bin bin 4551 Apr 17 2008 /usr/local/share/doc/op-1.32/README

Verifying the difference via selected file or pkg:
cobblepot [0] /bin/rpm -Vf /usr/local/share/doc/op-1.32/README
S.5....T /usr/local/etc/op.conf
.M...UG. /usr/local/share/doc/op-1.32/README
cobblepot [1] /bin/rpm -V op-1.32-1
S.5....T /usr/local/etc/op.conf
.M...UG. /usr/local/share/doc/op-1.32/README

Using '--setperms' and '--setugids' to reset the mode and ownership,
respectively, then verify:
cobblepot [1] /bin/rpm --setperms -f /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/rpm --setugids -f /usr/local/share/doc/op-1.32/README
cobblepot [0] /bin/rpm -Vf /usr/local/share/doc/op-1.32/README
.M...... /usr/local/bin/op
S.5....T /usr/local/etc/op.conf
cobblepot [1] /bin/ls -ld /usr/local/share/doc/op-1.32/README
-rw-r--r-- 1 root root 4551 Apr 17 2008 /usr/local/share/doc/op-1.32/README

After resetting the mode of the 'op-1.32-1' files, 'rpm' alerts us that
the mode for 'op' has changed. Unfortunately, rather than updating
only those files which differ, 'rpm' applies the attributes found within
the pkg database for each respective file. Equally unfortunate, 'rpm'
doesn't address suid, sgid, or sticky bits when setting the mode, so we
have to reapply the suid bit to 'op' (see note 3):
cobblepot [1] /bin/ls -ld /usr/local/bin/op
-rwxr-xr-x 1 root root 159098 Apr 17 2008 /usr/local/bin/op*
cobblepot [0] /bin/chmod u+s /usr/local/bin/op
cobblepot [0] /bin/rpm -Vf /usr/local/share/doc/op-1.32/README
S.5....T /usr/local/etc/op.conf
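The following Python script is an added example, not part of the original post: it works the 'rpm -V' flag letters of note 6 and the 'rpm -q --dump' record format of note 4 offline, so a dump saved at install time can serve as a baseline that does not depend on the live pkg DB. It parses verify lines, snapshots a file into a dump-style record, reports differences in the same S.5....T form, and lists suid/sgid/sticky bits that '--setperms' would leave unset. Function names are my own and the digest is assumed to be MD5, as on the CentOS 5 host above (newer rpm releases record a different file digest).

```python
import grp
import hashlib
import os
import pwd
import stat

# Column order of 'rpm -V' output (note 6): S size, M mode, 5 MD5, D device,
# L symlink target, U owner, G group, T mtime. D and L are not checked here.
VERIFY_FLAGS = "SM5DLUGT"
CHECKED = {"S": "size", "M": "mode", "5": "md5", "U": "owner", "G": "group", "T": "mtime"}

def explain_verify_line(line):
    """'S.5....T /usr/local/etc/op.conf' -> ('/usr/local/etc/op.conf', {'S', '5', 'T'})."""
    flags, path = line.split(None, 1)
    return path.strip(), {c for c in flags if c != "."}

def parse_dump_record(line):
    """Parse one 'rpm -q --dump' line (note 4):
    path size mtime md5sum mode owner group isconfig isdoc rdev symlink."""
    f = line.split()
    return {"path": f[0], "size": int(f[1]), "mtime": int(f[2]), "md5": f[3],
            "mode": int(f[4], 8), "owner": f[5], "group": f[6]}

def snapshot(path):
    """Build a dump-style record from the file as it is on disk right now."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    try:
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # uid/gid without a passwd/group entry: fall back to the numbers
        owner, group = str(st.st_uid), str(st.st_gid)
    # st_mode keeps the file-type bits, matching rpm's 0100644 / 0104755 notation.
    return {"path": path, "size": st.st_size, "mtime": int(st.st_mtime), "md5": digest,
            "mode": st.st_mode, "owner": owner, "group": group}

def verify_against_record(rec, path=None):
    """Compare the file with its record; returns an 'rpm -V'-style string, '........' if clean."""
    now = snapshot(path or rec["path"])
    return "".join(c if c in CHECKED and now[CHECKED[c]] != rec[CHECKED[c]] else "."
                   for c in VERIFY_FLAGS)

def missing_special_bits(rec, path=None):
    """suid/sgid/sticky bits present in the record but absent on disk. Neither
    'rpm --setperms' nor 'pkgchk -f' restores these (note 3), so report them apart."""
    actual = os.lstat(path or rec["path"]).st_mode
    names = ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"), (stat.S_ISVTX, "sticky"))
    return [n for bit, n in names if rec["mode"] & bit and not actual & bit]
```

Feeding 'rpm -q --dump' output through parse_dump_record and verify_against_record reproduces the per-file verdicts of 'rpm -V' from a stored copy of the dump, which is useful when the on-host database itself is not trusted.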
NOTES
Note 0: File Integrity Tools:
Samhain  (http://la-samhna.de/samhain/index.html) opensource
AIDE     (http://aide.sourceforge.net/) opensource
Tripwire (http://sourceforge.net/apps/wordpress/tripwire/) opensource, (http://www.tripwire.com/) commercial

Note 1: Solaris stores its package database in readable flat files.
The following is sample output from a package's stored 'pkgmap'
file and the global pkg database file (contents):
'pkgmap':
- format is 'type class path mode owner group [size(bytes) sum(1) timestamp(epoch)]'

sunspot [0] /bin/cat /var/sadm/pkg/SOCop/save/pspool/SOCop/pkgmap
: 1 410
1 d none bin 0755 root other
1 f none bin/op 4755 root root 132576 4780 1199807701
1 d none etc 0755 bin bin
1 f none etc/op.conf 0600 root root 512 42802 1199808350
1 d none man 0755 root other
1 d none man/man1 0755 root other
1 f none man/man1/op.1 0644 root other 10339 51920 1199807763
1 i pkginfo 406 35258 1199808730
1 d none share 0755 bin bin
1 d none share/doc 0755 bin bin
1 d none share/doc/op-1.32 0755 root other
1 f none share/doc/op-1.32/AUTHORS 0644 root other 126 10963 1199807791
1 f none share/doc/op-1.32/COPYING 0644 root other 1192 27717 1199807791
1 f none share/doc/op-1.32/ChangeLog 0644 root other 7553 56702 1199807791
1 f none share/doc/op-1.32/README 0644 root other 4551 1459 1199807791
1 f none share/doc/op-1.32/op.conf 0644 root other 366 30654 1199807791
1 f none share/doc/op-1.32/op.conf.complex 0644 root other 2656 27735 1199807791
1 f none share/doc/op-1.32/op.pam 0644 root other 67 5744 1199807791
1 f none share/doc/op-1.32/op.paper 0644 root other 14827 4222 1199807791

'contents':
- format is 'path type class mode owner group pkg [pkg pkg ...]'

sunspot [0] /bin/grep SOCop /var/sadm/install/contents
/usr/local/bin d none 0755 bin bin CUDLimlib2 CUDLft2 SMClibpng SMCncurs SMCslang SMCzlib SMCliconv SMCpcre SMCmutt SMCautoc SMCautom \
    SMCscreen SOCop SOCnc SMCjpeg SMCgcrypt SMClgpger SMCpango SMCtiff SMCfontc SMCglib SMCgnutls SMCgtk SMCwires SMCpidgin
/usr/local/bin/op f none 4755 root root 132576 4780 1199807701 SOCop
/usr/local/etc d none 0755 bin bin SMCslang SMCmutt SMCscreen SOCop SMCpango SMCfontc SMCgtk SMCpidgin
/usr/local/etc/op.conf f none 0600 root root 512 42802 1199808350 SOCop
/usr/local/man d none 0755 bin bin SMClibpng SMCncurs SMCslang SMCzlib SMCliconv SMCpcre SMCmutt SMCautoc SMCautom SMCscreen SOCop \
    SMCjpeg SMCpango SMCreadl SMCtiff SMCfontc SMCglib SMCgnutls SMCpidgin
/usr/local/man/man1 d none 0755 bin bin SMCncurs SMCslang SMCliconv SMCpcre SMCmutt SMCautoc SMCscreen SOCop SMCjpeg SMCpango SMCtiff \
    SMCglib SMCgnutls SMCpidgin
/usr/local/man/man1/op.1 f none 0644 root other 10339 51920 1199807763 SOCop
/usr/local/share d none 0755 bin bin CUDLft2 SMCncurs SMCslang SMCliconv SMCmutt SMCautoc SMCautom SMCscreen SOCop SOCnc SOCdelegate \
    SMCgcrypt SMClgpger SMCpango SMCrender SMCrenpro SMCtiff SMCatk SMCfontc SMCglib SMCgnutls SMCcairo SMCgtk SMCwires SMCpidgin
/usr/local/share/doc d none 0755 bin bin SMCslang SMCliconv SOCop SOCdelegate SMCrender SMCrenpro SMCtiff SMCfontc
/usr/local/share/doc/op-1.32 d none 0755 root other SOCop
/usr/local/share/doc/op-1.32/AUTHORS f none 0644 root other 126 10963 1199807791 SOCop
/usr/local/share/doc/op-1.32/COPYING f none 0644 root other 1192 27717 1199807791 SOCop
/usr/local/share/doc/op-1.32/ChangeLog f none 0644 root other 7553 56702 1199807791 SOCop
/usr/local/share/doc/op-1.32/README f none 0644 root other 4551 1459 1199807791 SOCop
/usr/local/share/doc/op-1.32/op.conf f none 0644 root other 366 30654 1199807791 SOCop
/usr/local/share/doc/op-1.32/op.conf.complex f none 0644 root other 2656 27735 1199807791 SOCop
/usr/local/share/doc/op-1.32/op.pam f none 0644 root other 67 5744 1199807791 SOCop
/usr/local/share/doc/op-1.32/op.paper f none 0644 root other 14827 4222 1199807791 SOCop

Note 2: 'pkgchk' options used:
-a       audit file attrs (ownership / permissions)
-f       correct file attributes if possible (does not account for suid, sgid, or
         sticky bits, but takes care of all other permissions / ownership)
-l       list information on selected package or files (with -p)
-p path  file path listing (multiples comma delimited)

Note 3: 'pkgchk' and 'rpm' will not correct suid, sgid, or sticky bits,
though will handle all other modes. Use 'chmod' to set suid, sgid,
or sticky bits.
Note 4: sample 'rpm' dump output against a package or file (of note,
'rpm' stores its package database in binary files):
- format is 'path size mtime(epoch) md5sum mode owner group isconfig isdoc rdev symlink'

cobblepot [0] /bin/rpm -q --dump op-1.32
/usr/local/bin/op 159098 1208465003 3f0d9e96216ff29094bb5a90064fb314 0104755 root root 0 0 0 X
/usr/local/etc/op.conf 658 1208465076 66e39e519cf98c494d1ed9b6866f7bdf 0100600 root root 0 0 0 X
/usr/local/share/doc/op-1.32/AUTHORS 126 1208465130 d86048753af9455c097dfd291e69b78a 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/COPYING 1192 1208465130 5c262c13b60ebefe3060aed37d334ab6 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/ChangeLog 7553 1208465130 8c4520c50f5fad805313c388f498c000 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/README 4551 1208465130 c8f9993fe17411a5ff1f1381d27a9c7d 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.conf 366 1208465130 c77ab047e3179da123694576715c2bb7 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.conf.complex 2656 1208465130 5958643c2bd5048436b322da820538cb 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.pam 67 1208465130 4e7ad4ec8f2fe6a40e12bcb2c0b256e3 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.paper 14827 1208465130 fb8a0d127d67e57184dc34949d39e42d 0100644 root root 0 0 0 X
cobblepot [0] /bin/rpm -q --dump -f /usr/local/share/doc/op-1.32/README
/usr/local/bin/op 159098 1208465003 3f0d9e96216ff29094bb5a90064fb314 0104755 root root 0 0 0 X
/usr/local/etc/op.conf 658 1208465076 66e39e519cf98c494d1ed9b6866f7bdf 0100600 root root 0 0 0 X
/usr/local/share/doc/op-1.32/AUTHORS 126 1208465130 d86048753af9455c097dfd291e69b78a 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/COPYING 1192 1208465130 5c262c13b60ebefe3060aed37d334ab6 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/ChangeLog 7553 1208465130 8c4520c50f5fad805313c388f498c000 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/README 4551 1208465130 c8f9993fe17411a5ff1f1381d27a9c7d 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.conf 366 1208465130 c77ab047e3179da123694576715c2bb7 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.conf.complex 2656 1208465130 5958643c2bd5048436b322da820538cb 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.pam 67 1208465130 4e7ad4ec8f2fe6a40e12bcb2c0b256e3 0100644 root root 0 0 0 X
/usr/local/share/doc/op-1.32/op.paper 14827 1208465130 fb8a0d127d67e57184dc34949d39e42d 0100644 root root 0 0 0 X

Note 5: 'rpm' options used:
-q          query
-f file     select package based on specified file
--dump      dump file information for pkg files, format is:
            path size mtime md5sum mode owner group isconfig isdoc rdev symlink
            example: /usr/local/share/doc/op-1.32/README 4551 1208465130 c8f9993fe17411a5ff1f1381d27a9c7d 0100644 root root 0 0 0 X
-V          verify
--setperms  reset permissions of all of a pkg's files based on those in pkg DB
            (does not account for suid / sgid)
--setugids  reset user / group ownership of all of a pkg's files based on those in pkg DB

Note 6: 'rpm' verify output values (example: S.5....T):
S  file size differs
M  mode differs (permissions / file type)
5  MD5 sum differs
D  device major / minor number mismatch
L  readlink(2) path mismatch
U  user ownership differs
G  group ownership differs
T  mtime differs
see also:
Fixing an Overly Eager chown in Linux
Fixing an Overly Eager chmod in Linux