SourceFiles.org - Use the Source, Luke

"riley" is a file integrity checker. It checks that specified files/directories have not been tampered with. It's been tested only under RedHat Linux 6.2/7.2 so far. It requires Perl and the Digest::MD5 Perl package (available from www.cpan.org).

This is free code. It comes with NO GUARANTEE, none, nada, zilch. You can do anything you want with it, except claim you wrote it or that I didn't. Don't bother even thinking about trying to sue me, my company, my estate, or my heirs because of some deluded belief (or some cheap lawyer's urgings) that the reading or use of this code caused you or anybody any measurable harm. If you do, you'll lose, I'll countersue and get everything you own, your significant other will leave you in disgust, everybody on the Internet will mock you forever, and old ladies will cross the street to kick your dog.

Constructive comments, beer, and/or money are welcome. Flames and/or spam -> /dev/null.

Reid Fleming <reid@bigredrockeater.com>

How it works:

Running 'riley -initialize' puts a file called '.riley' in each directory specified in the configuration file. Each '.riley' file contains N one-line descriptions, one description per file. Each description contains the name of the file, type, size, owner, group, permissions, and number of links. If the file is a regular file, each description also contains an MD5 checksum of the contents of the file. Each '.riley' file also contains an MD5 checksum of the '.riley' file itself to forestall tampering.

Running 'riley -examine' compares the current state of every file against the description created earlier by running 'riley -initialize'. If anything has changed, it notes the change both in the system log file and via email. It also notes the existence of new files as well as the non-existence of deleted files.

If you're feeling paranoid, you can run 'riley -correct' instead of 'riley -examine'. Doing this changes the permissions/ownership of changed files back to what the description file says they should be. 'riley -correct' treats new files suspiciously, changing their ownership/group to nobody/nobody (99/99 on most RedHat systems) and their permissions to 0. If you don't want to use 'nobody/nobody', change the values of the global variables '$unpriv_u' and '$unpriv_g' to something else, perhaps an owner/group you've specifically created for the occasion.
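As an added example (not riley's own code, which is Perl), the following Python sketch implements the '-initialize' / '-examine' cycle described above: one description line per entry with name, type, size, owner, group, permissions, link count and an MD5 of the contents for regular files, plus an MD5 over all description lines stored in the '.riley' file itself; 'scratch_dir' and the message strings are this example's own, and it assumes file names contain no spaces. Note that the self-checksum only catches edits made without recomputing that line; anyone able to rewrite '.riley' can recompute it, so the baseline's own protection rests on the directory and file permissions.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example, not riley's own code. Line per entry: name type size uid gid mode nlink
# [md5 for regular files]; first line is the MD5 of all description lines. No spaces in names.
KINDS = {stat.S_IFREG: "f", stat.S_IFDIR: "d", stat.S_IFLNK: "l"}
def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def describe(path):
    st = os.lstat(path)  # lstat so a symlink is described, not its target
    fields = [os.path.basename(path), KINDS.get(stat.S_IFMT(st.st_mode), "o"),
              st.st_size, st.st_uid, st.st_gid, oct(stat.S_IMODE(st.st_mode)), st.st_nlink]
    if fields[1] == "f":
        fields.append(md5_file(path))
    return " ".join(map(str, fields))

def entries(directory):
    return {n: describe(os.path.join(directory, n))
            for n in os.listdir(directory) if n != ".riley"}

def initialize(directory):
    body = "".join(ln + "\n" for ln in sorted(entries(directory).values()))
    Path(directory, ".riley").write_text(
        hashlib.md5(body.encode()).hexdigest() + "\n" + body)

def examine(directory):
    stored, _, body = Path(directory, ".riley").read_text().partition("\n")
    if hashlib.md5(body.encode()).hexdigest() != stored:
        return [".riley description file has been tampered with"]
    baseline = {ln.split(" ", 1)[0]: ln for ln in body.splitlines()}
    current, findings = entries(directory), []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append("deleted: " + name)
        elif name not in baseline:
            findings.append("new: " + name)
        elif baseline[name] != current[name]:
            findings.append("changed: " + name)
    return findings

def scratch_dir(files):  # throwaway directory holding constructed sample files
    d = Path(tempfile.mkdtemp())
    for name, data in files.items():
        (d / name).write_text(data)
    return d
```

Create a scratch_dir of sample files, run initialize() on it, then edit, add or delete a file and examine() names each change; a file whose contents change but whose size does not is still caught by the MD5 field.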

How to use it:

Install Perl and the Digest::MD5 Perl package if not already installed. If perl isn't installed in "/usr/bin", edit riley and change the first line to point to where perl is installed on your system.

Next, create a secure directory for riley to create temporary files in. The default is "/root/tmp/". Do NOT use "/tmp" or "/usr/tmp" or any other directory that has world write access. If you want to use another directory, you'll have to edit both "install.sh" and "riley" and change the value of "safedir".

Next, run the program "install.sh" as root to install riley in "/usr/local/bin" and the configuration file in "/etc".

Next, edit "/etc/riley.conf" to suit your system. Then type "riley -initialize".

Finally, add an entry to "/etc/crontab" that runs "riley -examine" or "riley -correct" every N minutes, and restart crond. I don't recommend setting "N" to be less than 10 minutes.

Running 'riley -cleanup' will remove any temporary files left hanging around if 'riley -initialize' or 'riley -examine' should be interrupted or crash.


Copyright 2006 Sourcefiles.org All rights reserved.