
mtree

 ·  🎃 kr0m

mtree is a utility that generates a specification of a file hierarchy: for every file it records attributes such as size, modification time and checksums (cksum, sha256digest, ...). Regenerating the specification periodically and comparing it against the saved one reveals any modification in the file system, which is very useful for detecting intrusions. If the saved specification is kept on a file system with append-only permissions or on a remote server, the robustness of the system increases considerably, since an intruder cannot rewrite the stored hashes to match the binaries they installed or modified. Bear in mind that an intruder with root can also tamper with the mtree binary or with the cron job that runs it on the compromised host, so the comparison is most trustworthy when it is run from a trusted medium as well.

We generate the list of hashes:

mtree -s SEED -c -K cksum,sha256digest -p /bin > /root/.bin_chksum_mtree

We generate the list again and compare it with the saved one (the seeded checksum of the specification is printed to stderr, any differences to stdout):

mtree -s SEED -p /bin < /root/.bin_chksum_mtree > /root/.bin_chksum_output

We check that there is nothing in the output:

cat /root/.bin_chksum_output

We make a change and check again:

touch /bin/deleteme
mtree -s SEED -p /bin < /root/.bin_chksum_mtree > /root/.bin_chksum_output
cat /root/.bin_chksum_output

.: modification time (Wed Apr 3 21:56:03 2019, Tue Apr 16 22:27:50 2019)
extra: deleteme

We delete the change:

rm /bin/deleteme
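The comparison output is what an alerting job has to interpret, so here is a small Python parser for it, written as an added example (it is not part of the original article). The sample lines are constructed: the `extra:` and `modification time` lines follow the output shown above, while the `missing:` line and the per-keyword lines for size/cksum/sha256digest assume mtree's general `path: keyword (expected, found)` shape with tab-indented continuation lines when one file differs in several keywords; the exact keyword spelling varies between mtree implementations, so the parser does not hard-code it. The function names (`parse_mtree_output`, `content_changed`, `needs_alert`, `format_alert`) are mine. The point it demonstrates is that any output at all is a mismatch, and that a changed checksum or size (the bytes were replaced) should be told apart from a metadata-only change such as the directory mtime bump caused by a new file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `mtree -p DIR < spec` output; not captured from a real host.
# The first two lines follow the format shown on this page; the rest assume the
# "path: keyword (expected, found)" shape with tab-indented continuation lines.
# Hex digests are shortened placeholders.
SAMPLE_OUTPUT = """\
.: modification time (Wed Apr  3 21:56:03 2019, Tue Apr 16 22:27:50 2019)
extra: deleteme
missing: ls
ps:      size (26128, 26304)
\tcksum (1843267612, 904122561)
\tsha256digest (0x2f0b9c1d, 0x7a41e30b)
"""

ENTRY_RE = re.compile(r"^(?P<path>\S.*?):(?:\s+(?P<rest>\S.*))?$")
KEYWORD_RE = re.compile(r"^(?P<kw>\S.*?) \((?P<values>.*)\)$")
# Keyword prefixes (after lower-casing and stripping punctuation) that mean the
# file content itself differs, not only its metadata.
CONTENT_PREFIXES = ("size", "cksum", "md5", "sha", "rmd160")


@dataclass
class Report:
    extra: list = field(default_factory=list)      # on disk but not in the spec
    missing: list = field(default_factory=list)    # in the spec but gone
    changed: dict = field(default_factory=dict)    # path -> {keyword: (expected, found)}
    unparsed: list = field(default_factory=list)   # lines we did not understand


def _add_keyword(report, path, text):
    m = KEYWORD_RE.match(text)
    if not m:
        report.unparsed.append(text)
        return
    expected, _, found = m.group("values").partition(", ")
    report.changed.setdefault(path, {})[m.group("kw")] = (expected, found)


def parse_mtree_output(text):
    """Parse mtree comparison output into a Report."""
    report = Report()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("extra: "):
            report.extra.append(line[len("extra: "):])
        elif line.startswith("missing: "):
            report.missing.append(line[len("missing: "):])
        elif line[0] in " \t":
            # Continuation line: another keyword for the most recent path.
            if current is None:
                report.unparsed.append(line)
            else:
                _add_keyword(report, current, line.strip())
        else:
            m = ENTRY_RE.match(line)
            if not m:
                report.unparsed.append(line)
                continue
            current = m.group("path")
            if m.group("rest"):
                _add_keyword(report, current, m.group("rest"))
    return report


def _normalize(keyword):
    return re.sub(r"[^a-z0-9]", "", keyword.lower())


def content_changed(report):
    """Paths whose size or digest differs: the bytes changed, not just metadata."""
    return {path for path, kws in report.changed.items()
            if any(_normalize(k).startswith(CONTENT_PREFIXES) for k in kws)}


def needs_alert(report):
    """Any difference is a mismatch. Unparsed lines count too, so an output
    format we did not anticipate can never silence the alert."""
    return bool(report.extra or report.missing or report.changed or report.unparsed)


def format_alert(report, directory):
    """Build the notification text, flagging content changes above metadata ones."""
    lines = [f"Mtree - Mismatch detected in {directory}"]
    replaced = content_changed(report)
    for p in report.extra:
        lines.append(f"  extra:   {p}")
    for p in report.missing:
        lines.append(f"  missing: {p}")
    for path, kws in sorted(report.changed.items()):
        tag = "CONTENT" if path in replaced else "metadata"
        lines.append(f"  {tag:<8} {path}: " + ", ".join(sorted(kws)))
    if report.unparsed:
        lines.append(f"  {len(report.unparsed)} unparsed line(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    report = parse_mtree_output(SAMPLE_OUTPUT)
    if needs_alert(report):
        print(format_alert(report, "/bin"))
```

Feeding the real output of `mtree -p DIR < spec` to `parse_mtree_output` and sending `format_alert` as the notification gives a message that names the replaced binaries first, instead of the bare "mismatch detected" string.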

We can create a script that runs via cron and notifies us via Telegram of any detected changes. In my case, I write it in bash because I am more familiar with this shell.

We install the necessary software (bash is not part of the FreeBSD base system, so it has to be installed alongside curl):

pkg install bash curl

We create the necessary directories:

mkdir -p /root/.scripts/mtreeCheckOutput
cd /root/.scripts/
vi mtreeCheck

#!/usr/local/bin/bash
# mtreeCheck: generate, clear or check mtree specifications for a set of
# system directories and notify via Telegram when a check reports any difference.
if [ $# -ne 1 ]; then
        echo "++ ERROR: You must provide one command: generate/clear/check"
        exit 1
fi

function sendTelegram {
        # --data-urlencode keeps newlines, spaces and '&' in the message intact.
        curl -s -X POST "https://api.telegram.org/botAPI_KEY/sendMessage" \
                -d "chat_id=CHAT_ID" --data-urlencode "text=$1" > /dev/null
}

COMMAND=$1
SEED='XXXXXXXXXXXX'
mtreeCheckResultPath='/root/.scripts/mtreeCheckOutput'
DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /etc /usr/local/etc"

case $COMMAND in
    generate )
        for DIR in $DIRS; do
            DIR_NAME=$(echo "$DIR" | tr -d /)
            mtree -s "$SEED" -c -K cksum,sha256digest -p "$DIR" > "$mtreeCheckResultPath/$DIR_NAME"
        done
    ;;
    clear )
        rm -f "$mtreeCheckResultPath"/*
    ;;
    check )
        for DIR in $DIRS; do
            DIR_NAME=$(echo "$DIR" | tr -d /)
            if [ ! -f "$mtreeCheckResultPath/$DIR_NAME" ]; then
                echo "++ ERROR: You must execute generate command before check"
                exit 1
            fi
            # Any output at all (changed cksum/sha256digest, extra or missing file,
            # changed mtime, ...) is a mismatch. Grepping only for 'modification time'
            # would miss a replaced binary whose mtime was preserved with touch -r.
            RESULT=$(mtree -s "$SEED" -p "$DIR" < "$mtreeCheckResultPath/$DIR_NAME")
            if [ -n "$RESULT" ]; then
                echo "++ ERROR: Mtree - Mismatch detected in $DIR"
                echo "$RESULT"
                # Telegram messages are limited to 4096 characters; keep the head of the report.
                sendTelegram "Mtree - Mismatch detected in $DIR
${RESULT:0:3500}"
            fi
        done
    ;;
    * )
        echo "++ ERROR: Command unknown"
        exit 1
    ;;
esac

We make the script executable, generate the initial specifications and schedule the check every 30 minutes. The baseline must be regenerated after every legitimate update of the system or of its packages, otherwise each run will report a mismatch:

chmod 700 /root/.scripts/mtreeCheck
/root/.scripts/mtreeCheck generate
crontab -e

#minute hour mday month wday command
*/30 * * * * /root/.scripts/mtreeCheck check

NOTE: mtree is also available on Linux (for example as the sys-apps/mtree package on Gentoo).
