[ale] Diff the whole file system?

Lightner, Jeff JLightner at water.com
Fri Mar 23 10:17:00 EDT 2012


I once had to give sudo access to DBAs to run Oracle's root.sh script for installations.  Since it would be way too easy to modify root.sh to exploit root I set up a script that would mail the contents of root.sh before executing it.  That way I could examine the script they actually ran to verify it hadn't been monkeyed with.

#!/bin/bash
#
# Script to allow DBAs to run root.sh script during installation.
# Initial write 12-Mar-2008 jlightne
#

# Everything below runs as root, so use a fixed PATH instead of trusting
# whatever the caller's environment carried through sudo.
#
PATH=/bin:/usr/bin
export PATH

ROOT_SH=$1
PID=$$

# First see if this was called directly via sudo.  Error out if not.
# (User must run as themselves NOT as Oracle/Application admin user.)
#
if [ -z "$SUDO_USER" ]
then echo "ERROR: This command must be run by sudo."
     exit 1
fi

if [ -z "$ROOT_SH" ]
then echo "Usage: $0 /full/path/to/root.sh   (or ./root.sh)"
     exit 1
fi

# Set a temporary working directory (root-owned, mode 700, so the DBAs cannot
# touch what is staged there) then get environment information that was
# passed into this invocation for later email/review.
#
SUDO_TMP=/usr/local/bin/sudo_tmp
mkdir -p "$SUDO_TMP" && chmod 700 "$SUDO_TMP"
SETFILE=${SUDO_TMP}/root_sh_env.$PID
echo "'who am i' reports: `who am i`" >"$SETFILE"
set >>"$SETFILE"

# To do the attachments we need uuencode.  Error out if it doesn't exist.
# FYI:  sharutils is the package that installs uuencode.
#
UUENCODE=/usr/bin/uuencode
if [ ! -x "$UUENCODE" ]
then echo "ERROR: uuencode command not found.  Contact UNIX Admins."
     exit 1
fi

# Get basename of the script requested to be run.  Error out if not "root.sh"
#
BASEROOTSH=`basename "$ROOT_SH"`
if [ "$BASEROOTSH" != root.sh ]
then echo "ERROR: This command only works on root.sh scripts provided by Oracle"
     exit 1
else echo "Command is root.sh"
fi

# Specifically prevent use of ".." within the path to prevent attempts to
# bypass the top level directory test
# (e.g. /oracle/../root/root.sh not allowed because it is the same as /root/root.sh)
#
case "$ROOT_SH" in
   *..*) echo "ERROR: You may not include .. in path of root.sh.  Input full path."
         exit 1 ;;
esac

# Allow user to run ./root.sh or /full/pathto/root.sh - determine the real
# directory with "pwd -P", which resolves symlinks as well as "./", so a
# symlinked directory under /oracle cannot point us somewhere else.  Refuse
# root.sh itself if it is a symlink, for the same reason.
#
DIRNAME=$(cd "$(dirname "$ROOT_SH")" && pwd -P)
if [ -z "$DIRNAME" ]
then echo "ERROR: Cannot read directory of $ROOT_SH"
     exit 1
fi
FULLPATH=${DIRNAME}/${BASEROOTSH}
if [ -L "$FULLPATH" -o ! -f "$FULLPATH" ]
then echo "ERROR: $FULLPATH must be a regular file, not a symlink."
     exit 1
fi
echo "Full path of command is ${FULLPATH}."

# If the top level directory determined above is not /oracle or /appl_top
# error out and tell user it must be one of those.  The permitted directories
# are resolved the same way (pwd -P) so /oracle being a symlink to its real
# location does not break the comparison.
#
OK=no
for TOP in /oracle /appl_top
do TOPREAL=$(cd "$TOP" 2>/dev/null && pwd -P) || continue
   case "$DIRNAME" in
      "$TOPREAL"|"$TOPREAL"/*) OK=yes ;;
   esac
done
if [ "$OK" != yes ]
then echo -e "ERROR:  This command only works on root.sh under /oracle or /appl_top \n        top level directories."
     exit 1
fi

# Take a private copy of root.sh now.  The copy is what gets mailed AND what
# gets run, so the DBA cannot change root.sh between the review copy being
# taken and the script actually executing.
#
COPY=${SUDO_TMP}/root.sh.$PID
cp "$FULLPATH" "$COPY" || exit 1
chmod 700 "$COPY"

# Now we need to convert the root.sh copy to dos ascii so it will be readable
# as an attachment when emailed.
#
unix2dos -q -n "$COPY" "${COPY}.txt"
unix2dos -q "$SETFILE"

# Now do the email to UNIX Admins.
# Send the text of the root.sh as an attachment and also send the environment
# file created earlier as an attachment.
# NOTE:  Exchange spam filter blows up on .sh and other suffixes which is why
#        .txt is appended to the file names sent.
#
(echo -e "${FULLPATH} run by ${SUDO_USER} at `date`.\n\nSee attachments for contents of ${BASEROOTSH} as well as the environment at the time it was run.";$UUENCODE "${COPY}.txt" root.sh.txt;$UUENCODE "$SETFILE" env.txt) |mailx -s "Oracle root.sh run by ${SUDO_USER}" user@example.com user2@example.com

# Wait 10 seconds before actually running the script to give the email time
# to be sent in case this is a hack attempt.
#
echo "$FULLPATH will run as root in 10 seconds."
sleep 10
echo "Running now."
cd "$DIRNAME" && /bin/sh "$COPY"
RC=$?

# Remove the temporary files created earlier
#
rm -f "$COPY" "${COPY}.txt" "$SETFILE"
exit $RC





-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Ed Cashin
Sent: Friday, March 23, 2012 10:05 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Diff the whole file system?

I wrote something a lot simpler than tripwire.  tripwire was fine
but took forever to fully understand and didn't seem convenient
enough.  My integrit software was designed to be "done", not active,
so it hasn't been updated in a long time, but it ought to work.

  http://sourceforge.net/projects/integrit/

But anyway that will just tell you what has changed, not how, as diff
would for text files.

To get a diff, you could use rsync to make a remote backup like this
at leisure beforehand (untested):

  set -xe
  for d in / /var; do
    # trailing slash on the source: copy the contents of $d, so /var lands
    # in A/var rather than A/var/var
    nice -n 19 rsync -axc "${d%/}/" fruity:/backups/A"$d"
  done

... then later on host "fruity", create hard links (a fast operation
taking up very little extra space),

  cp -al /backups/A /backups/B

... then after the changes have been made on the host you're worried
about, rsync again but do it to "B", not "A", transmitting only things
that have changed.  That way on fruity, you can do,

  cd /backups
  diff -urN A B

On Fri, Mar 23, 2012 at 9:25 AM, Brian Stanaland <brian at stanaland.org> wrote:
> Have you checked out Tripwire? It's typically used to check config files for
> changes so I don't know how well it'd handle the whole file system but it's
> worth a look.
>
> Brian S.
>
>
>
> On Friday, March 23, 2012, James Sumners <james.sumners at gmail.com> wrote:
>> I have a situation where I'm being forced to allow a remote installer
>> to have root level sudo access to install their company's product
>> (don't like it, but it's out of my hands). Technically, I have the
>> system set up such that they should not need such access, but I can't
>> change the monkey's script. Anyway, I'd like to be able to sort of
>> "snapshot" my file system before I let them in so that I can go back
>> and look at a before and after difference. Do any of you know of such
>> a tool? Could this be done with rsync?
>>
>> I've read that LVM supports snapshots at the block level. Seeing as
>> they are block level snapshots I don't see how that will help me
>> figure out what the installer changed. I'd be able to revert the
>> changes, but not study them.
>>
>> --
>> James Sumners
>> http://james.roomfullofmirrors.com/
>>
>> "All governments suffer a recurring problem: Power attracts
>> pathological personalities. It is not that power corrupts but that it
>> is magnetic to the corruptible. Such people have a tendency to become
>> drunk on violence, a condition to which they are quickly addicted."
>>
>> Missionaria Protectiva, Text QIV (decto)
>> CH:D 59
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
> --
> The more laws and order are made prominent,
> The more thieves and robbers there will be. Lao-tzu, The Way of Lao-tzu
> Chinese philosopher (604 BC - 531 BC)
>
>



--
  Ed Cashin <ecashin at noserose.net>
  http://noserose.net/e/
  http://www.coraid.com/





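The before/after approach James asked about and Ed answered with rsync plus diff -urN, as an added example that is not code from integrit, tripwire or any poster in the thread. It walks one tree, records each entry's kind, permission bits (setuid included), owner and a SHA-256 of the contents, then compares two such manifests and produces a unified diff for changed text files. Like rsync -x it stays on one filesystem and records symlinks rather than following them. It assumes what Ed's method assumes: the "before" copy is kept where the installer cannot reach it, and the walk runs with enough privilege to read everything (root, on a real system). The sample tree in demo() is constructed for the example.

```python
"""Snapshot a tree before and after an untrusted installer runs, then report
what changed and how.  Added example for the thread, not any poster's code."""
import difflib
import hashlib
import os
import shutil
import stat
import tempfile


def _describe(path, st):
    """Identity of one entry: kind, permission bits, owner, content hash.
    mtime is left out on purpose: installers touch files without changing them,
    and a hash still catches a file whose timestamp was reset afterwards."""
    mode = stat.S_IMODE(st.st_mode)          # includes setuid/setgid/sticky bits
    if stat.S_ISLNK(st.st_mode):
        return ("link", os.readlink(path))
    if stat.S_ISDIR(st.st_mode):
        return ("dir", mode, st.st_uid, st.st_gid)
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return ("file", mode, st.st_uid, st.st_gid, h.hexdigest())
    return ("other", stat.S_IFMT(st.st_mode), mode)


def manifest(root):
    """Map each path under root (relative to it) to its _describe() tuple.
    Stays on root's filesystem like rsync -x; symlinks are recorded, not followed."""
    root_dev = os.lstat(root).st_dev
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = _describe(full, os.lstat(full))
        keep = []
        for name in dirnames:                 # os.walk lists symlinked dirs here too
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            out[os.path.relpath(full, root)] = _describe(full, st)
            if stat.S_ISDIR(st.st_mode) and st.st_dev == root_dev:
                keep.append(name)
        dirnames[:] = sorted(keep)            # prune mount points and symlinked dirs
    return out


def compare(before, after):
    """Split paths into added / removed / changed (mode, owner or content), each sorted."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def content_diff(before_root, after_root, relpath):
    """Unified diff of one changed regular file, like diff -urN on Ed's A/B copies."""
    with open(os.path.join(before_root, relpath), "rb") as f:
        a = f.read()
    with open(os.path.join(after_root, relpath), "rb") as f:
        b = f.read()
    if a == b:
        return "(contents identical; mode or ownership changed)\n"
    if b"\0" in a or b"\0" in b:
        return "Binary files %s differ\n" % relpath
    return "".join(difflib.unified_diff(
        a.decode("utf-8", "replace").splitlines(True),
        b.decode("utf-8", "replace").splitlines(True),
        "A/" + relpath, "B/" + relpath))


def demo():
    """Constructed sample: a tiny 'system', a copy taken before the installer,
    then the kinds of change a suspicious installer makes."""
    work = tempfile.mkdtemp()
    before, after = os.path.join(work, "A"), os.path.join(work, "B")
    os.makedirs(os.path.join(before, "etc/ssh"))
    os.makedirs(os.path.join(before, "usr/bin"))
    with open(os.path.join(before, "etc/ssh/sshd_config"), "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(os.path.join(before, "usr/bin/tool"), "wb") as f:
        f.write(b"\x7fELF\0\0\0")
    with open(os.path.join(before, "etc/motd"), "w") as f:
        f.write("welcome\n")
    shutil.copytree(before, after, symlinks=True)   # "after" starts identical

    # what the installer did
    with open(os.path.join(after, "etc/ssh/sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    os.chmod(os.path.join(after, "usr/bin/tool"), 0o4755)   # setuid on an existing binary
    os.remove(os.path.join(after, "etc/motd"))
    os.symlink("/bin/sh", os.path.join(after, "usr/bin/helper"))

    changes = compare(manifest(before), manifest(after))
    diffs = {p: content_diff(before, after, p) for p in changes["changed"]}
    shutil.rmtree(work)
    return changes, diffs
```

On a real host you would run manifest() over "/" as root before letting the installer in, pickle or JSON the result somewhere off-box, and run it again afterwards; content_diff() needs the "before" bytes, which is exactly why Ed keeps a full rsync copy rather than just checksums.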
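The path checks in Jeff's sudo wrapper (basename must be root.sh, the file must live under an allowed top-level directory, ".." may not be used to escape it) rewritten as an added example, not Jeff's script and not Oracle's. Two things go beyond his version: the candidate is canonicalised with os.path.realpath, so a symlink planted under /oracle that points at /root/root.sh is rejected along with the ".." form, and the validated file is staged into a private directory so the bytes mailed for review are the bytes that get executed (his script re-read root.sh from disk after the 10-second sleep). The allowed roots and staging directory are parameters here; the real wrapper would hard-code /oracle and /appl_top and a root-owned, mode 0700 directory. The tree in demo() is constructed for the example.

```python
"""Path validation and staging for a wrapper that runs root.sh as root.
Added example, not Jeff Lightner's script."""
import hashlib
import os
import shutil
import stat
import tempfile


class RejectedPath(Exception):
    """Raised for anything the wrapper must refuse to run."""


def validate_root_sh(user_path, cwd, allowed_roots):
    """Return the canonical path of the requested root.sh or raise RejectedPath.

    user_path is what the DBA typed ("./root.sh", "root.sh", "/oracle/.../root.sh");
    relative forms are resolved against cwd, the directory sudo was run from."""
    if os.path.basename(user_path) != "root.sh":
        raise RejectedPath("only a script named root.sh may be run: %r" % user_path)
    # join() leaves an absolute user_path unchanged; realpath() collapses "..",
    # "." and every symlink, so the allowed-root check sees the true target.
    real = os.path.realpath(os.path.join(cwd, user_path))
    for root in allowed_roots:
        if real.startswith(os.path.realpath(root).rstrip("/") + "/"):
            break
    else:
        raise RejectedPath("%s resolves to %s, outside %s"
                           % (user_path, real, list(allowed_roots)))
    return real


def stage_copy(real_path, stage_dir):
    """Copy the validated file into stage_dir; return (staged_path, sha256 hex).

    O_NOFOLLOW plus fstat() on the open descriptor closes the window in which a
    symlink could be swapped in after validation.  The wrapper should mail and
    then execute the staged copy, never the DBA-writable original."""
    try:
        fd = os.open(real_path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        raise RejectedPath("cannot open %s: %s" % (real_path, e))
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise RejectedPath("%s is not a regular file" % real_path)
        data = f.read()
    staged = os.path.join(stage_dir, "root.sh.%d" % os.getpid())
    # O_EXCL: never clobber or follow something pre-planted in the staging dir
    out = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    with os.fdopen(out, "wb") as f:
        f.write(data)
    return staged, hashlib.sha256(data).hexdigest()


def demo():
    """Constructed tree: an allowed root holding a genuine root.sh, a symlink
    planted under it that points outside, and a ".." escape.  Returns each
    case's outcome as ("ok", staged contents) or ("rejected", reason)."""
    work = tempfile.mkdtemp()
    oracle, outside = os.path.join(work, "oracle"), os.path.join(work, "root")
    home, stage = os.path.join(oracle, "product", "11.2"), os.path.join(work, "stage")
    for d in (home, os.path.join(oracle, "evil"), outside):
        os.makedirs(d)
    os.makedirs(stage, 0o700)
    with open(os.path.join(home, "root.sh"), "w") as f:
        f.write("#!/bin/sh\necho genuine\n")
    with open(os.path.join(outside, "root.sh"), "w") as f:
        f.write("#!/bin/sh\necho rogue\n")
    os.symlink(os.path.join(outside, "root.sh"), os.path.join(oracle, "evil", "root.sh"))

    cases = [
        ("relative", "./root.sh", home),
        ("absolute", os.path.join(home, "root.sh"), work),
        ("dotdot", os.path.join(oracle, "..", "root", "root.sh"), work),
        ("symlink", os.path.join(oracle, "evil", "root.sh"), work),
        ("wrongname", os.path.join(home, "install.sh"), work),
    ]
    results = {}
    for label, path, cwd in cases:
        try:
            real = validate_root_sh(path, cwd, [oracle])
            staged, digest = stage_copy(real, stage)
            with open(staged) as f:
                results[label] = ("ok", f.read())
            os.remove(staged)          # same pid-based name is reused next iteration
        except RejectedPath as e:
            results[label] = ("rejected", str(e))
    shutil.rmtree(work)
    return results
```

In the wrapper, the digest returned by stage_copy() belongs in the mail subject or body so the reviewer can match the attachment to what was run; the staged path, not the DBA's original, is what gets handed to sh after the notification is sent.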