If you have a very static Linux server and you want to make sure it's not messed with, here's a simple script that will tell you if any files have been tampered with. It's not as fancy or as secure as Tripwire or similar tools, but it is very simple. It can be easily adapted to any *NIX OS.
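#!/bin/sh
# Periodic file-integrity check for a static host: hashes every regular file
# not covered by EXCLUDE, compares the list against a stored baseline and
# mails the difference to root. The first run only creates the baseline.
#
# Things a deployer should know:
# - The baseline lives on the monitored host, so anyone who gains root can
#   regenerate it; keep an offline copy of $SIGS to compare against.
# - md5sum is kept so existing baselines stay usable; sha256sum is a drop-in
#   replacement (set HASHER below and delete the old $SIGS to re-baseline).
# - The NUL-delimited pipeline needs find -print0, grep -z, sort -z and
#   xargs -0 (GNU findutils/coreutils/grep or busybox).

# Fixed PATH: this runs as root, so do not trust whatever the caller exported.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

## How often to run (in seconds)
PERIOD=3600
## Any files or directories that always change, add here. Entries are
## whitespace separated; each one is an extended regex anchored at the
## start of the path.
EXCLUDE="/proc/ /sys/ /dev/ /var/log /var/run/ /var/lock/ /var/cache/ /var/tmp/ /tmp/ /var/lib/ldap/"
EXCLUDE="$EXCLUDE /var/spool/ /etc/prelink.cache /etc/ld.so.cache /var/lib/logrotate.status /var/lib/slocate/"
EXCLUDE="$EXCLUDE /.*\.viminfo /var/lib/md5sigs"
## Baseline database; it must itself be listed in EXCLUDE (it is, above).
SIGS=/var/lib/md5sigs
## Hash program; its "<hash>  <path>" lines are what diff compares.
HASHER=md5sum
## Baseline and scratch files are created mode 0600.
umask 077

# Scratch files live in a private mktemp directory rather than under the
# predictable name /tmp/sigs-$$, which another local user could pre-create
# or symlink before the script opens it.
WORK=$(mktemp -d) || { printf '%s: mktemp failed\n' "$0" >&2; exit 2; }
trap 'rm -rf -- "$WORK"' EXIT
trap 'exit 2' HUP INT TERM
CUR=$WORK/sigs
DIFF=$WORK/sigs.diff

#######################################
# Turn the whitespace-separated EXCLUDE list into one anchored alternation,
# e.g. "/a/ /b/" -> "^(/a/|/b/)". Blank entries are skipped so the result
# never contains an empty alternative, which would match every path. (The
# old `sed 's/ */|/g'` also matched the empty string and so, on GNU sed,
# inserted '|' between every character of the list.)
# Arguments: $1 - whitespace-separated list of patterns
# Outputs:   the regex on stdout
#######################################
exclude_regex() {
  _re=
  set -f   # no pathname expansion while word-splitting the list
  for _pat in $1; do
    _re="${_re:+$_re|}$_pat"
  done
  set +f
  printf '^(%s)\n' "$_re"
}

#######################################
# Hash every regular file whose path does not match $1 into $2, sorted by
# path so successive runs are comparable. NUL delimiters keep names with
# spaces or newlines intact; the old newline-based "find | xargs" split
# them into bogus arguments.
# Arguments: $1 - exclude regex
#            $2 - output file
#######################################
scan() {
  find / -type f -print0 2>/dev/null |
    grep -zEv -- "$1" |
    LC_ALL=C sort -z |
    xargs -0 -r "$HASHER" -- 2>/dev/null > "$2"   # -r: no args, no hasher run
}

#######################################
# Report a changed file list to root by mail, falling back to stderr so the
# finding is not lost when no MTA is installed.
# Arguments: $1 - diff output file
#######################################
report() {
  if ! mail -s "File scan Report" root < "$1"; then
    printf '%s: mail failed; differences follow\n' "$0" >&2
    cat -- "$1" >&2
  fi
}

exclude_re=$(exclude_regex "$EXCLUDE")

while true; do
  # calculate hashes of all files not in EXCLUDE
  scan "$exclude_re" "$CUR"
  # Compare against existing database (or use this one for new database).
  # The original tested /root/.md5sigs here, so a baseline written to $SIGS
  # was never consulted and every run re-created it.
  if [ -f "$SIGS" ]; then
    # The non-standard -h flag is dropped; -w (ignore whitespace) is kept.
    diff -w "$SIGS" "$CUR" > "$DIFF"
    case $? in
      0) ;;   # no change
      1)
        # Files changed: alert and stop, so the baseline is only replaced
        # by a person after review (same one-shot design as before).
        report "$DIFF"
        exit 1
        ;;
      *)
        printf '%s: diff failed\n' "$0" >&2
        exit 2
        ;;
    esac
  else
    # First run: the current scan becomes the baseline.
    mv -- "$CUR" "$SIGS"
    echo "No prior existing report."
  fi
  sleep "$PERIOD"
done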
# Copyright 2009 by Otheus, licensed under GNU v2 Public License