Plugin to check MD5 sum on certain files

Dan Stromberg strombrg at dcs.nac.uci.edu
Sat Nov 6 02:49:41 CET 2004


On Fri, 2004-11-05 at 16:47, Andreas Ericsson wrote:
> Dan Spray wrote:
> > A long time ago I used Big Brother for monitoring.  They had a check that I
> > could use where I had pasted the md5sum value into a text file, burned it
> > onto CD and then the current md5sum of a particular file was checked against
> > the known good copy.  I would like to get something else like this again
> > only using Nagios.
> > 
> > What I am after is if someone gets in and changes say the /bin/ls command
> > that I would know about it before just finding that the command doesn't work
> > anymore.
> > 
> 
> Putting only the checksum files on non-writable media is just an 
> exercise in futility, because anyone shrewd enough to replace your ls 
> will be shrewd enough to replace your md5sum program as well. Putting 
> the md5sum program as well on the disk won't work either, because with 
> enough access to overwrite files in /usr/bin they would also be able to 
> change the script that's supposed to run or its configuration, or 
> unmount the CD and put any file they want in the directory it was 
> mounted under (or create a loopback filesystem and mount read-only to 
> simulate a CD) or... Well, I'm sure you see the point.

I believe this would be difficult - generating a trojaned ls with the
same md5 sum.  md5 is designed to distribute small bits of a file, from
all over within that file, across different parts of the digest.

It's not like you can just assume a one to one mapping, or tack some
crud on the end.

Granted, md5 has been broken in limited circumstances for cryptographic
purposes.

But if you were to combine md5 -and- sha-1, it'll be a -very- long time
before anyone forges a trojan with the magic digests.

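The check discussed in this thread, as an added example that is not code from the original posters or from Nagios: a plugin-style script that compares files against a manifest of known-good digests and passes a file only when both its MD5 and SHA-1 match. The manifest format (`<md5> <sha1> <path>`), the name `check_file_digests` and the function names are assumptions; the exit codes follow the Nagios plugin convention (0 OK, 2 CRITICAL, 3 UNKNOWN).

```python
import hashlib
import sys
OK, CRITICAL, UNKNOWN = 0, 2, 3  # standard Nagios plugin exit codes

def file_digests(path, chunk_size=65536):
    """Return (md5_hex, sha1_hex), reading the file once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def load_manifest(manifest_path):
    """Parse '<md5> <sha1> <path>' lines (assumed format); '#' is a comment."""
    entries = []
    with open(manifest_path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                md5_hex, sha1_hex, path = line.split(None, 2)
                entries.append((path, md5_hex.lower(), sha1_hex.lower()))
    return entries

def check(manifest_path):
    """Return (exit_code, status_line); a file passes only if BOTH digests match."""
    try:
        entries = load_manifest(manifest_path)
    except (OSError, ValueError) as exc:
        return UNKNOWN, f"DIGEST UNKNOWN - cannot read manifest: {exc}"
    if not entries:
        return UNKNOWN, "DIGEST UNKNOWN - manifest lists no files"
    bad = []
    for path, want_md5, want_sha1 in entries:
        try:
            got = file_digests(path)
        except OSError:
            bad.append(f"{path} (missing or unreadable)")
            continue
        if got != (want_md5, want_sha1):
            bad.append(f"{path} (digest mismatch)")
    if bad:
        return CRITICAL, "DIGEST CRITICAL - " + ", ".join(bad)
    return OK, f"DIGEST OK - {len(entries)} file(s) match MD5 and SHA-1"

if __name__ == "__main__":
    usage = (UNKNOWN, "usage: check_file_digests MANIFEST")
    code, message = check(sys.argv[1]) if len(sys.argv) == 2 else usage
    print(message)
    sys.exit(code)
```

As the quoted reply points out, the script, the interpreter and the manifest are only as trustworthy as the host they run on, so the manifest and the checker are best kept where the monitored host cannot write to them.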

