File Check Hash Generator – Recursive Tripwire

You can use this to check whether anyone has modified, updated, upgraded, added, or removed files on your system. After you’ve configured a system the way you want it, dump hash files for all the important directories (/etc, /bin, /usr/local, etc.), or just dump the whole thing. Move the output to another system. Now if you want to check whether something has changed, you can hash the file(s) in question and grep for the hash.

A directory like /etc has many subdirectories with subdirectories of their own – not a problem. When the script encounters a directory, it recursively calls itself so it will parse all child directories. Skipping special files should avoid the problem of probing char files, proc, and other gotchas. I know it could be better. There are things like pid files that are useless to hash.

This was just a quick stab at it. Feel free to adapt this to your own needs as you see fit.

Bash script:

#!/bin/bash
md5sum=/usr/bin/md5sum # hash algorithm to use (sha256sum is a drop-in replacement if you want a collision-resistant digest)
indir=${1} # base input directory to start hashing files
outfile=${2} # full path of output file

if [ -z "${indir}" ] || [ -z "${outfile}" ]; then
  echo "Usage: $0 <indir> <outfile>"
  echo "  ex: $0 /etc /root/etc.hash"
  exit 1
fi

for x in "${indir}"/*; do # glob instead of `ls` so names with spaces survive (dotfiles are skipped, as with ls)
  [ -e "$x" ] || continue # empty directory: the glob stays literal, nothing to hash
  if [ -d "$x" ] && [ ! -L "$x" ]; then # is a dir (not a symlink to one, which could loop forever)
    echo "[ Recursively hashing $x ]"
    "$0" "$x" "${outfile}" # pass new path in
    if [ $? != 0 ]; then # recursive call failed, die
      echo "Could not hash $x"
      exit 1
    fi
  elif [ -f "$x" ] && [ ! -L "$x" ]; then # regular files only: skips devices, sockets, pipes, symlinks
    "${md5sum}" "$x" >> "${outfile}"
  fi
done

exit 0
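The post leaves the "check whether something has changed" step as a manual hash-and-grep. As an added example (not the post's script), here is a baseline/verify pair that walks the tree with find instead of recursive ls, and then classifies every difference against the stored baseline as added, removed or modified. It assumes GNU coreutils (find, sort, xargs, sha256sum, awk); the function names hash_tree and verify_tree are my own.

```shell
#!/bin/bash
# Added example: baseline a directory tree and later verify the live tree
# against that baseline. Assumes GNU coreutils. Not part of the original post.

# hash_tree DIR OUTFILE
# -type f selects regular files only (no devices, sockets, pipes, symlinks);
# -print0 / -0 keeps filenames with spaces or newlines intact.
hash_tree() {
  find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# verify_tree DIR BASELINE
# Prints one line per difference; returns 1 if anything changed, 0 if clean.
verify_tree() {
  local dir=$1 baseline=$2 current report
  current=$(mktemp) || return 2
  hash_tree "$dir" "$current"
  # Each line is "<hex>  <path>": strip the hash and its two spaces so that
  # paths containing spaces are kept whole. First file read is the baseline.
  report=$(awk '
    { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
    FILENAME == ARGV[1] { base[p] = h; next }
    { cur[p] = h }
    END {
      for (p in base) if (!(p in cur)) print "REMOVED  " p
      for (p in cur)  if (!(p in base)) print "ADDED    " p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
    }' "$baseline" "$current" | sort)
  rm -f "$current"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}
```

Keep the baseline file off the box (as the post says) and copy it back only for the check; a baseline stored on the host can be edited by the same intruder who changed the files.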