If you use Linux and if you're interested in intrusion detection at all, you've probably heard about Tripwire and other utilities that will "fingerprint" the files on your system with an MD5 cryptographic checksum and periodically check the integrity of those files to be sure they haven't been tampered with. Unfortunately, packages like Tripwire can be very difficult and time-consuming to configure properly, especially for Linux novices.

The good news is that you don't need Tripwire to create and check md5sums on your system files. Linux comes with everything you need to do it with a couple of simple commands. Creating a checksum for a file is as easy as the following command:

Code:
problemchild@localhost $ md5sum /bin/su
b749ebe140ad89e8b102aa8852e75a78 /bin/su

Obviously, you don't want to type this by hand for every file you care about, so you can automate the process quite a bit. First, build a list of files whose integrity you would like to ensure. I would suggest starting with these files, but you can and probably should add to the list as your needs dictate:

/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/du
/usr/bin/find
/usr/bin/killall
/usr/bin/passwd
/usr/bin/pidof
/usr/bin/top
/bin/login
/bin/ls
/bin/netstat
/bin/ps
/sbin/ifconfig
/sbin/route
/usr/sbin/syslogd
/usr/sbin/tcpd
/etc/fstab
/etc/group
/etc/inittab
/etc/login.access
/etc/passwd
/etc/profile
/etc/services
/etc/shadow

Once you have the list, save it in a text file, for example "filelist." Be sure to include the absolute path to each file. Then you can create the md5sums by using the "cat" command to list the contents of the file and passing that output to md5sum as the files to hash. The resulting md5sums can then be stored in a text file called "files.md5". Note that the "`" character in the example is not a single quote. It is the character found to the left of the "1" key on most US keyboards. (I don't know the name of this character. I've used it for years without knowing its proper name.)

Code:
problemchild@localhost $ md5sum `cat filelist` > files.md5

A quick look at the resulting files.md5 will reveal the following contents:

af5b7a03593229535924825a34394a2b /usr/bin/chfn
0c4a449142ab7e21a1d72a9f101dc644 /usr/bin/chsh
f1c01f37780f516e1f2bfe3dff01f9f9 /usr/bin/crontab
d9d57d56a5c7a7ed810b709a7d8079b8 /usr/bin/du
6eeb6fb51300b30a05b7c1bea6ef0884 /usr/bin/find
39404d1879e0de2b5637d19ece410291 /usr/bin/killall
7f86015501636a33085a0504186810c2 /usr/bin/passwd
39404d1879e0de2b5637d19ece410291 /usr/bin/pidof
f5b2ed7e8004d66b6e6e6ee701324b45 /usr/bin/top
b749ebe140ad89e8b102aa8852e75a78 /bin/login
d33f094819a9b2042fb84a343e800523 /bin/ls
4aed19d3e4e9fc83db19a9c3a3b7c6e1 /bin/netstat
b9ec2d135b545fbb4bb7454aa02864f8 /bin/ps
6fe9e4a8dbf154988bec0822e498f75e /sbin/ifconfig
8c1b42308acdf16edb1f82f8afe4e1f3 /sbin/route
cd5f32e15080064869ebae781e43518c /usr/sbin/syslogd
1983c7e6da50430f01385df369468e77 /usr/sbin/tcpd
56b68efdc4be309a04de15e346f7041f /etc/fstab
fa28b3c4d18596ff615dec7b4d48f176 /etc/group
3c6be6e9c948214c89df452c5eff54d1 /etc/inittab
d30c542d565436bd5333a80466d5ccf8 /etc/login.access
45547a1f47cdb8c802e9c056357092dd /etc/passwd
b466ad437cc0d53f3d25a45b02427a19 /etc/profile
6dcf38ae8c007e116f2a57bd27a389b7 /etc/services
d52d60ea13161c6eb67081730bbc99aa /etc/shadow

There you have all your md5sums in a nice, neat package. Verifying the files is done with the command 'md5sum -c files.md5':

Code:
problemchild@localhost $ md5sum -c files.md5
/usr/bin/chfn: OK
/usr/bin/chsh: OK
/usr/bin/crontab: OK
/usr/bin/du: OK
/usr/bin/find: OK
/usr/bin/killall: OK
/usr/bin/passwd: OK
/usr/bin/pidof: OK
/usr/bin/top: OK
/bin/login: OK
/bin/ls: OK
/bin/netstat: OK
/bin/ps: OK
/sbin/ifconfig: OK
/sbin/route: OK
/usr/sbin/syslogd: OK
/usr/sbin/tcpd: OK
/etc/fstab: OK
/etc/group: OK
/etc/inittab: OK
/etc/login.access: OK
/etc/passwd: OK
/etc/profile: OK
/etc/services: OK
/etc/shadow: OK

Once you create your md5sums, remember to move them off of the system and put them in a secure location, preferably some removable medium that can be stored safely. Also, if you upgrade any packages on your system, you will need to generate new md5sums to reflect the changes in the files. By doing this regularly, you'll know if any unwelcome guests start tampering with system files.
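
The baseline-and-verify routine described above, wrapped as shell functions that a scheduled job can call and that report only files that changed or went missing. This is an added example, not part of the original post; the function names are hypothetical, it assumes GNU coreutils md5sum (for --quiet), and it goes slightly beyond the post by reading the list line by line so paths containing spaces are handled.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU coreutils md5sum.
SUM_CMD=${SUM_CMD:-md5sum}   # sha256sum takes the same options

# make_baseline LISTFILE SUMFILE
# Hash each absolute path in LISTFILE (one per line). Reading line by line
# keeps paths with spaces intact, which `cat filelist` in backticks does not.
make_baseline() {
    rc=0
    : > "$2"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case $path in
            /*) "$SUM_CMD" -- "$path" >> "$2" || rc=1 ;;
            *)  echo "not an absolute path, skipped: $path" >&2; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# verify_baseline SUMFILE
# Print only entries that no longer match (changed, or missing/unreadable).
# Returns 0 if every file matches, 1 otherwise, so cron can alert on failure.
verify_baseline() {
    if report=$(LC_ALL=C "$SUM_CMD" -c --quiet "$1" 2>/dev/null); then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Demo on constructed files in a temporary directory (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf 'original\n' > "$d/login"
    printf 'config\n'   > "$d/my services"
    printf '%s\n' "$d/login" "$d/my services" > "$d/filelist"
    make_baseline "$d/filelist" "$d/files.md5" || return 1
    verify_baseline "$d/files.md5" && echo "baseline verified"
    printf 'tampered\n' > "$d/login"      # simulate a modified binary
    rm "$d/my services"                   # simulate a deleted file
    verify_baseline "$d/files.md5" || echo "integrity check failed"
    rm -rf "$d"
}
demo
```

Point verify_baseline at the copy of files.md5 kept on the removable medium rather than a copy stored on the machine being checked.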