sha1sum mass checking for tampered files


I once said you can use md5sum on a bunch of files and compare the sums to a list as a sort of tripwire to check for tampered files.

You might want to do this to make sure a set of configuration files doesn’t get changed, or to figure out which files get changed when you build that random source code as root! (note to self: don’t make as root unless you have to, rpmbuild is bad enough!)

But here’s a better way!

To take a checksum snapshot of all the files in /etc:

    # find /etc -type f -exec sha1sum {} \; > ~/sha1sum_etc

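And then to check for files that have changed since you last made that checksum list (matching on `: OK` at the end of the line, so a changed file with "OK" in its name is not filtered out):

    # sha1sum -c ~/sha1sum_etc | grep -v ': OK$'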
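
`sha1sum -c` only looks at files named in the list, so it reports changed and missing files but not files created after the snapshot. The following is an added example, not part of the original post, that wraps the same two commands and also flags new files; the function names `snapshot` and `verify` are made up here, and it assumes sha1sum's standard list format and file names without newlines or backslashes.

```shell
#!/bin/sh
# Added example: snapshot a tree with sha1sum, then report changed, missing
# and new files. Function names are illustrative, not from the original post.
# Assumes sha1sum's "<40 hex><2 separator chars><path>" list format and
# file names without newlines or backslashes.

# snapshot DIR LIST: checksum every regular file under DIR into LIST.
# Keep LIST outside DIR, ideally on read-only or remote storage.
snapshot() {
    find "$1" -type f -exec sha1sum {} + > "$2"
}

# verify DIR LIST: print one CHANGED/MISSING/NEW line per difference.
# Returns 0 when the tree matches the list, 1 otherwise.
verify() {
    report=$(
        # Files in the list: keep only the failures from sha1sum -c.
        LC_ALL=C sha1sum -c "$2" 2>/dev/null | while IFS= read -r line; do
            case $line in
                *': FAILED open or read')
                    printf 'MISSING %s\n' "${line%: FAILED open or read}" ;;
                *': FAILED')
                    printf 'CHANGED %s\n' "${line%: FAILED}" ;;
            esac
        done
        # Files not in the list: sha1sum -c never looks at these.
        find "$1" -type f | awk -v list="$2" '
            BEGIN { while ((getline l < list) > 0) seen[substr(l, 43)] = 1 }
            !($0 in seen) { print "NEW " $0 }'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage (as root for /etc):
#   snapshot /etc /root/sha1sum_etc
#   verify   /etc /root/sha1sum_etc
```

The non-zero return from `verify` makes it usable from cron or a monitoring check, which the `grep -v` pipeline is not, since that pipeline's exit status comes from grep.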


Posted on April 22nd, by admica in security.