Question

I want to verify whether a file has been modified or corrupted on my Linux system. I know that hash functions and checksums are commonly used, but I need clarification on:

• Which hashing tools (sha256sum, md5sum, shasum) are best for file integrity checks?
• How to compare a file’s current hash with a previously stored hash?
• How to use tripwire or aide for continuous integrity monitoring?

A step-by-step example of checking a file’s integrity and detecting unauthorized changes would be helpful.

Answer 1

Ensuring the integrity of files on your Linux system is crucial for maintaining security and reliability. File integrity checks help you verify that files have not been tampered with or corrupted. Below, we'll address your questions in detail, providing examples and use cases to guide you through the process.

1. Which hashing tools (sha256sum, md5sum, shasum) are best for file integrity checks?

Hashing tools generate a unique fingerprint (hash) for a file, allowing you to detect changes by comparing current and original hashes. Here's an overview of common hashing tools:

• md5sum: Generates MD5 hashes. While fast, MD5 is considered cryptographically weak and is not recommended for security-sensitive applications due to vulnerabilities that allow hash collisions.

• sha256sum: Generates SHA-256 hashes. Part of the SHA-2 family, SHA-256 offers a good balance between security and performance, making it suitable for most integrity checks.

• shasum: A Perl script that can generate SHA hashes of various lengths (SHA-1, SHA-256, etc.). By default, it produces SHA-1 hashes, which are also considered weak. However, you can specify stronger algorithms using the -a option (e.g., shasum -a 256 for SHA-256).

Recommendation: Use sha256sum for file integrity checks, as it provides a strong balance between security and performance.

2. How to compare a file’s current hash with a previously stored hash?

To verify a file's integrity, follow these steps:

1. Generate and store the original hash:

   sha256sum /path/to/yourfile > yourfile.sha256

   This command calculates the SHA-256 hash of yourfile and saves it to yourfile.sha256.

2. Verify the file's integrity later:

   sha256sum -c yourfile.sha256

   The -c option tells sha256sum to check the file against the stored hash. If the file is unmodified, you'll see:

   yourfile: OK

   If the file has been altered, you'll receive a warning:

   yourfile: FAILED
   sha256sum: WARNING: 1 computed checksum did NOT match

3. How to use Tripwire or AIDE for continuous integrity monitoring?

For continuous monitoring, tools like Tripwire and AIDE (Advanced Intrusion Detection Environment) are effective. Here's a brief overview:

• AIDE:

  • Installation:

    sudo apt-get install aide  # For Debian-based systems
    sudo yum install aide      # For Red Hat-based systems

  • Initialization:

    sudo aide --init

    This creates an initial database (/var/lib/aide/aide.db.new.gz by default) of file attributes and hashes.

  • Set up the database:

    sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

  • Perform integrity checks:

    sudo aide --check

    AIDE will compare the current file system state against the database and report any discrepancies.

• Tripwire:

  • Installation:

    sudo apt-get install tripwire  # For Debian-based systems
    sudo yum install tripwire      # For Red Hat-based systems

  • Initialization:

    During installation, you'll be prompted to create site and local keys. Follow the prompts to generate them.

  • Create the initial policy and database:

    sudo tripwire --init

    This command initializes the Tripwire database based on the policy file, capturing the current state of the file system.

  • Perform integrity checks:

    sudo tripwire --check

    Tripwire will scan the system and report any changes since the last initialization or check.

4. Step-by-step example of checking a file’s integrity and detecting unauthorized changes

Let's walk through an example using sha256sum:

1. Generate and store the original hash:

   sha256sum /path/to/important_file > important_file.sha256

2. Simulate a file modification:

   echo "Unauthorized change" >> /path/to/important_file

3. Verify the file's integrity:

   sha256sum -c important_file.sha256

   Output:

   important_file: FAILED
   sha256sum: WARNING: 1 computed checksum did NOT match

   This indicates that important_file has been altered since the original hash was generated.

Use Cases

• System Administrators: Regularly verify system binaries and configuration files to detect unauthorized changes, ensuring system integrity.

• Developers: Confirm that application files haven't been tampered with, maintaining the trustworthiness of deployed software.

• Security Professionals: Implement continuous monitoring with tools like AIDE or Tripwire to receive alerts on unauthorized file modifications, enhancing security posture.

By incorporating these practices into your routine, you can effectively monitor and maintain the integrity of your Linux system's files.