[Inspired by https://calomel.org/ids_mtree.html]
A shell script that builds mtree(8) specification files recording the directory hierarchy and per-file checksums of selected trees ("generate"), plus a routine that compares those specifications against the live directories and mails the differences ("verify"). Run "generate" by hand after every deliberate change (patching, package installs), and "verify" from cron. Note that the baseline, the seed key and the script itself all live on the host being monitored: this catches accidental or unprivileged tampering, but an intruder with root can simply regenerate the baseline. The seeded checksum mtree prints at generate time is the only tamper evidence for the spec files — record it off-host and compare it with the value in the "verify" mail.
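#!/usr/bin/env bash
#
## Calomel.org ids.sh
# from https://calomel.org/ids_mtree.html
#
# Host-based file-integrity check built on mtree(8).
#
#   ids.sh generate   build the mtree specifications (the baseline) for the
#                     monitored trees into $DIR -- run by hand after every
#                     deliberate change (patching, package install)
#   ids.sh verify     compare the live trees against the baseline and mail
#                     the report -- run from cron
#
# Exit status: 0 on success; 1 when a step failed (mtree missing, $DIR
# missing, unreadable baseline); 2 on a usage error. "verify" exits 0 even
# when mismatches are found -- the findings go into the mailed report.
#
# Threat-model caveats this script does NOT address:
#   * Baseline, seed KEY and this script live on the host being checked. A
#     root-level intruder can re-run "generate" or edit the spec files.
#     mtree -s prints one seeded checksum over all cksum'd files on stderr;
#     "generate" leaves that on your terminal on purpose -- record it
#     off-host and compare it with the value included in the "verify" mail.
#   * Anything listed in an exclude file is invisible to the check.
#   * A report is mailed on every run, match or mismatch, so that a missing
#     mail is itself a signal that the job or the host is broken.
set -euo pipefail

# cron hands us a minimal, possibly attacker-influenced PATH; pin it so that
# mail(1), logger(1), hostname(1) and mktemp(1) come from system directories.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
export PATH

# Spec files and the report must never be readable by anyone but root, not
# even between creation and the explicit chmod below.
umask 077

## IDS seed signature key. Seeds the single checksum mtree prints with -s;
## without knowing it an attacker who edits a spec file cannot recompute a
## matching value. Keep it private (it is also why this script is 0700).
readonly KEY=41549581542077184143999
## mtree binary (OpenBSD: mtree and Linux: freebsd-mtree)
readonly MTREE=/usr/sbin/mtree
## Keywords recorded at generate time. "verify" does not pass -K: mtree
## compares whatever keywords the stored spec carries.
readonly MTREE_ARGS=(-c -K cksum,md5,sha1,sha512 -s "$KEY")
## IDS signature directory; must exist, be root-owned and mode 700.
readonly DIR=/root/ids_dir
## Recipient of the "verify" report.
readonly MAILTO="<my email address>"

## Monitored trees as "name:root:exclude-file". The spec for NAME is written
## to $DIR/mtree_NAME; the exclude file (mtree -X, patterns relative to root)
## is looked up in $DIR.
readonly TREES=(
  "bin:/bin:exclude-zfs"
  "sbin:/sbin:exclude-zfs"
  "usr:/usr:exclude-files"
  "etc:/etc:exclude-zfs"
)

# Print a message to stderr and exit 1.
die() {
  printf 'ids.sh: %s\n' "$*" >&2
  exit 1
}

# Usage text (to stderr; the caller decides the exit status).
usage() {
  cat >&2 <<'EOF'

ids.sh $arg
--------------------------------------
generate = generate IDS signatures
verify = verify files against known signatures

EOF
}

# Sanity checks shared by both modes.
check_env() {
  [[ -d "$DIR" ]] || die "signature directory $DIR does not exist"
  [[ -x "$MTREE" ]] || die "mtree binary $MTREE not found or not executable"
}

#######################################
# Write a fresh spec for one tree.
# Arguments: $1 name, $2 root directory, $3 exclude file (in $DIR)
# The spec is built in a temp file in $DIR and renamed into place, so an
# aborted run (bad exclude file, disk full, mtree error) leaves the previous
# baseline intact. The original "rm -rf $DIR/mtree_* first" order lost the
# baseline on any failure and left "verify" with nothing to compare against.
# mtree's stderr (the seeded checksum) is deliberately not captured.
#######################################
generate_tree() {
  local name=$1 root=$2 exclude=$3
  local tmp
  tmp=$(mktemp "$DIR/.mtree_${name}.XXXXXX") || die "mktemp failed in $DIR"
  if ! "$MTREE" "${MTREE_ARGS[@]}" -X "$DIR/$exclude" -p "$root" > "$tmp"; then
    rm -f -- "$tmp"
    die "mtree failed for $root; baseline $DIR/mtree_$name left unchanged"
  fi
  mv -f -- "$tmp" "$DIR/mtree_$name"
  chmod 600 "$DIR/mtree_$name"
}

# "generate": rebuild every baseline, then log it.
do_generate() {
  local spec name root exclude
  check_env
  for spec in "${TREES[@]}"; do
    IFS=: read -r name root exclude <<<"$spec"
    generate_tree "$name" "$root" "$exclude"
  done
  logger -t ids "IDS generate IDS signatures"
}

#######################################
# Compare one tree against its stored spec, appending mtree's output to the
# report.
# Arguments: $1 name, $2 root directory, $3 exclude file, $4 report file
# Returns:   mtree's exit status (2 = mismatch, 1 = error), or 1 when the
#            baseline is missing -- which is itself a finding worth mailing.
#######################################
verify_tree() {
  local name=$1 root=$2 exclude=$3 report=$4
  local rc=0
  if [[ ! -r "$DIR/mtree_$name" ]]; then
    printf '%s: baseline %s is missing or unreadable\n' "$root" "$DIR/mtree_$name" >> "$report"
    return 1
  fi
  "$MTREE" -s "$KEY" -X "$DIR/$exclude" -p "$root" < "$DIR/mtree_$name" >> "$report" 2>&1 || rc=$?
  return "$rc"
}

# "verify": check every tree, mail the combined report, log the outcome.
# A mismatch makes mtree exit 2; that is a finding, not a script error, so
# it is collected instead of letting set -e abort before the mail goes out.
do_verify() {
  local report spec name root exclude rc worst=0
  check_env
  # Report lives inside the root-only $DIR, not in a world-writable /tmp,
  # and is removed on every exit path (the original left "temp" behind on
  # failure and appended to it on the next run).
  report=$(mktemp "$DIR/.report.XXXXXX") || die "mktemp failed in $DIR"
  trap 'rm -f -- "$report"' EXIT
  for spec in "${TREES[@]}"; do
    IFS=: read -r name root exclude <<<"$spec"
    rc=0
    verify_tree "$name" "$root" "$exclude" "$report" || rc=$?
    (( rc > worst )) && worst=$rc
  done
  mail -s "$(hostname) file integrity check" "$MAILTO" < "$report"
  logger -t ids "IDS verify files against known signatures (mtree status $worst)"
}

main() {
  # An unknown or missing argument used to fall through silently with
  # exit 0, so a typo in the crontab disabled the check without notice.
  if (( $# == 0 )); then
    usage
    exit 2
  fi
  case $1 in
    generate) do_generate ;;
    verify)   do_verify ;;
    *)        usage; exit 2 ;;
  esac
}

main "$@"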
Some directories under /usr are enormous (especially .zfs snapshot directories) or change constantly, and should be listed in exclude-files so that "generate" and "verify" finish in reasonable time. Patterns in an exclude file are relative to the tree given with -p, and anything excluded is invisible to the check — only exclude paths you monitor some other way:
./local/www/apache24/data/.zfs ./home ./ports ./local/dcc