Booting from a Knoppix CD is a way to work around the immediate symptom, but
the problem is that many of those files change constantly. I've yet to find an
acceptable workaround to those locked files while fingerprinting a live system.
I'm actually working on a related project at the moment:
I'm using sha256deep (a part of the md5deep distribution) in conjunction with
some Python and a PostgreSQL database to maintain a current fingerprint of my
Windows and Linux servers. I'm tracking better than 600k files at the moment,
at about 50% deployment.
The Python script nightly compares the fingerprints stored in the database with
the latest set from sha256deep, and commits any changes to the database. I
have triggers set to archive all changes to the fingerprint table in a separate
table, so I get a history of file changes. I have a primitive PHP front-end,
and am hoping to implement features such as server comparisons. The
possibilities are almost endless.
With this arrangement, I get the benefit that my fingerprint database is stored
off the server that's being monitored, and that it can't be modified without
leaving an audit trail that can't be purged by the account used to update the
fingerprint database. It's also centrally stored, which makes it easy to back
up, and amazingly fun to monitor. I've been using afick (which is a great
program, btw), but an email a day from each of my servers proved to be a bit
much.
I'm planning on releasing the code at some point. It's a personal project coded
on my own time, and it's not at all polished... but the concept is simple. I
googled everywhere for something like it, but came up empty handed.
When I'm done with this, I hope to do the Windows registry. I hear tell that
Python has a registry API...
Regards,
Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts@deforest.k12.wi.us>
console, n. [From latin consolatio(n) "comfort, spiritual solace."] A device
for displaying or printing condolances or obituaries for the operator.
-- Stan Kelly-Bootle, The Computer Contradictionary.
jbryner1@yahoo.com 04/06/05 06:42PM >>>
I'm attempting to get a fingerprint of servers prior to putting them
into production (ports and file hashes) for use later if the servers
are compromised.
For file hashes I'm using md5deep on linux over an smbmount to a
windows server and keep running into this message on several files:
md5deep: WINNT/system32/config/default: error at offset 2138112: Text
file busy
My command line is (from the mount point of the smb share):
smbmount# md5deep -r -l -of WINNT/* >> output.md5deep.txt
Seems like it's hitting files that the server is changing or has
locked. How do I work around this?
Thanks,
Jeff.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
