From 184391b12e7e939c33b861211abec34e43372bc5 Mon Sep 17 00:00:00 2001
From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Sat, 30 Apr 2011 01:18:07 -0700
Subject: initial file_system_reporter.sh

---
 src/file_system_reporter.sh | 92 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100755 src/file_system_reporter.sh

(limited to 'src/file_system_reporter.sh')

diff --git a/src/file_system_reporter.sh b/src/file_system_reporter.sh
new file mode 100755
index 0000000..e88d70d
--- /dev/null
+++ b/src/file_system_reporter.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# file_system_reporter.sh - hash the files on the boot device and compare
+#
+# This hashes files in $BOOTDEVICE_FILESYSTEM recursively and hashes the entire
+# $BOOTDEVICE as well This must be run as root or as a user that has access to
+# the specific device.
+#
+
+BOOTDEVICE="/dev/sda1";
+BOOTDEVICE_FILESYSTEM="/boot/";
+STATE_DIR="/var/lib/smartmonster";
+PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/previous_bootdevice_files_state";
+CURRENT_BOOTDEVICE_FILESYSTEM_FILE="$STATE_DIR/current_bootdevice_files_state";
+PREVIOUS_BOOTDEVICE_RAW_FILE="$STATE_DIR/previous_bootdevice_raw_state";
+CURRENT_BOOTDEVICE_RAW_FILE="$STATE_DIR/current_bootdevice_raw_state";
+TAMPER=0;
+HASHER="`which sha256deep`";
+HASHER_ARGS="-r";
+
+if [ "$USER" != "root" ];
+then
+  echo "You must be root!";
+  exit 1;
+fi
+
+# XXX: Hello TOCTOU!
+if [ ! -d "$STATE_DIR" ];
+then
+  echo "You have no $STATE_DIR; creating it!";
+  mkdir -p $STATE_DIR;
+
+  if [ $? != 0 ];
+  then
+    echo "Unable to create $STATE_DIR!";
+    exit 1;
+  fi
+
+fi
+
+# Hash all files and store the state in $STATE_DIR
+echo "Hashing files in $BOOTDEVICE_FILESYSTEM";
+if [ ! -f "$PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE" ];
+then
+  echo "You have no $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE!";
+  echo "Assuming first run and populating with hashes!";
+  $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE;
+  cp -f $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $CURRENT_BOOTDEVICE_FILESYSTEM_FILE;
+else
+  $HASHER $HASHER_ARGS $BOOTDEVICE_FILESYSTEM > $CURRENT_BOOTDEVICE_FILESYSTEM_FILE;
+fi
+
+# Diff and recurse
+HASHER_ARGS="-r -x";
+# Now attempt to detect a miss-match of hashes in the $BOOTDEVICE_FILE path
+$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_FILESYSTEM_FILE $BOOTDEVICE_FILESYSTEM;
+HASHER_RESULT=$?;
+if [ "$HASHER_RESULT" -ge 2 ];
+then
+  echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?";
+  TAMPER=1;
+fi
+
+# Hash $BOOTDEVICE and store the state in $STATE_DIR
+echo "Hashing $BOOTDEVICE";
+if [ ! -f "$PREVIOUS_BOOTDEVICE_RAW_FILE" ];
+then
+  echo "You have no $PREVIOUS_BOOTDEVICE_RAW_FILE!";
+  echo "Assuming first run and populating with hashes!";
+  $HASHER $BOOTDEVICE > $PREVIOUS_BOOTDEVICE_RAW_FILE;
+else
+  $HASHER $BOOTDEVICE > $CURRENT_BOOTDEVICE_RAW_FILE;
+fi
+
+# Diff
+HASHER_ARGS="-x";
+# Now attempt to detect a miss-match with the $BOOTDEVICE itself
+$HASHER $HASHER_ARGS $PREVIOUS_BOOTDEVICE_RAW_FILE $BOOTDEVICE;
+HASHER_RESULT=$?;
+if [ "$HASHER_RESULT" -ge 3 ];
+then
+  echo "Files on $BOOTDEVICE_FILESYSTEM appear to be mismatched - tampering detected?";
+  TAMPER=1;
+fi
+
+if [ "$TAMPER" -eq 1 ];
+then
+  echo "Possible tampering detected - please inspect with caution!";
+  exit 1;
+else
+  exit 0;
+fi
-- 
cgit v1.2.3