Already covered: Tripwire, AIDE
Here is a custom Perl script:
#!/usr/bin/perl
# Usage: stdg path path ...
# Prints one line per regular file: path ino mode nlink uid gid size ctime md5
use strict;
use warnings;
use File::Find;
use Digest::MD5;

sub get_file_data {
    my $fname = $File::Find::name;   # path relative to the starting directory
    # find() chdirs into each directory and puts the basename in $_,
    # so test and open $_ here; $fname would not resolve from the new cwd
    if (-f $_) {
        my @inode = stat(_);         # reuse the stat buffer filled by -f
        open(my $fh, '<', $_) or do { warn "$fname: $!\n"; return };
        binmode($fh);                # hash raw bytes, no newline translation
        my $md5 = Digest::MD5->new->addfile($fh)->b64digest;
        close($fh);
        # fields: ino mode nlink uid gid size ctime md5
        print "$fname $inode[1] $inode[2] $inode[3] $inode[4] $inode[5] $inode[7] $inode[10] $md5\n";
    }
}

@ARGV = ('.') unless @ARGV;
find(\&get_file_data, @ARGV);
Exercise 1): Modify this code to recognize device files...
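The script only produces the baseline; the actual check is a comparison of two runs, which is what Tripwire and AIDE do for you. Here is an added example (not part of the original notes) in Python that parses the script's line format, splitting from the right because paths may contain spaces, and reports added, removed and changed files together with which fields moved. The two baselines embedded in it are constructed sample data, not output from a real system.

```python
"""Compare two baselines in the stdg output format:
path ino mode nlink uid gid size ctime md5   (one file per line)"""

FIELDS = ("ino", "mode", "nlink", "uid", "gid", "size", "ctime", "md5")

# Constructed sample baselines (not real system data). The second run shows
# a replaced /bin/login, a chmod on passwd (33261 = 0100755, 35309 = 0104755,
# i.e. setuid added), a removed log file and a new file under /tmp.
OLD_BASELINE = """\
./bin/ls 1234 33261 1 0 0 49000 1100000000 q9qQqYkQvGmM1xkvXgTm2g
./bin/login 1235 33261 1 0 0 26000 1100000000 Kx9mVt1UbQxQv0FjQmG4nQ
./usr/bin/passwd 2001 33261 1 0 0 31000 1100000000 Z2n5YbQ1x9m4eFjQ0vK7Cw
./var/log/wtmp 3001 33188 1 0 4 131072 1100000000 mB3QzQ1nVx9m4kQ0vF7eLw
"""
NEW_BASELINE = """\
./bin/ls 1234 33261 1 0 0 49000 1100000000 q9qQqYkQvGmM1xkvXgTm2g
./bin/login 1235 33261 1 0 0 27500 1100090000 P0nqQ1x9m4eFjQ2vK7CwZ2
./usr/bin/passwd 2001 35309 1 0 0 31000 1100090000 Z2n5YbQ1x9m4eFjQ0vK7Cw
./tmp/.x/ls 4001 33261 1 0 0 49000 1100090000 q9qQqYkQvGmM1xkvXgTm2g
"""


def parse_baseline(text):
    """Return {path: {field: value}}; paths may contain spaces, so split
    off exactly the last len(FIELDS) tokens from the right."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.rsplit(" ", len(FIELDS))
        if len(parts) != len(FIELDS) + 1:
            raise ValueError(f"malformed baseline line: {line!r}")
        records[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return records


def compare_baselines(old_text, new_text):
    """Report added and removed paths, and for paths in both runs the
    list of fields (in FIELDS order) whose value differs."""
    old, new = parse_baseline(old_text), parse_baseline(new_text)
    changed = {}
    for path in sorted(set(old) & set(new)):
        diff = [f for f in FIELDS if old[path][f] != new[path][f]]
        if diff:
            changed[path] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}
```

A ctime change with an unchanged md5 usually points at a chmod or chown rather than new content, while an md5 change always deserves a look; keep the old baseline on read-only media, since anyone with root can rewrite one stored on the checked host.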
-------------------------------------
Also be aware of the chkrootkit script.
More sophisticated kernel-based countermeasures:
LIDS
The old, original kernel-based rootkit: Knark
Another is called Adore
A kernel rootkit checker: PatchFinder
Exercise 2): install a rootkit and check for it using chkrootkit and your Tripwire
Exercise 3): install a kernel rootkit and check for it using chkrootkit, your Tripwire, and PatchFinder
Active network intrusion checks:
PortSentry adds hosts that scan you to the firewall rules
Snort checks for known network attack signatures
ACID checks for IP to MAC address anomalies...
Exercise 4): set up PortSentry or Snort