Simple SHA1 file monitor

(imported topic written by NoahSalzman)

Occasionally we get asked if there is a way to periodically check the SHA1 (or MD5) hash of a set of files. This is *not* a file integrity security tool replacement, especially since you are storing the file-of-record on the target endpoint. But, if you already have BigFix deployed and you just need to check a few files, it certainly can be useful.

h2.First, create an Action that initializes a list of SHA1 hashes on Windows and *nix. Note that the lists in this Action are formatted such that you can just use the “drag down and fill” feature of Excel to generate the parameter names.

```
// Action Script to generate a list of files and their hashes

if {windows of operating system}
// Alternative: one record per day, e.g. c:\sha1_record_20240131.txt
// parameter "sha1file" = "{"c:\sha1_record_" & current year as string & current month as two digits & current day_of_month as string & ".txt"}"
parameter "sha1file" = "{"c:\sha1_record.txt"}"
parameter "1" = "c:\windows\system32\ntdll.dll"
parameter "2" = "c:\windows\system32\kernel32.dll"
parameter "3" = "c:\windows\system32\shell32.dll"
parameter "4" = "c:\windows\system32\mshtml.dll"
parameter "5" = "c:\windows\system32\ntoskrnl.exe"
// Remove any previous record, then write one "<path> <sha1>" line per file
delete "{parameter "sha1file"}"
createfile until _END_
{(pathname of it as string & " " & sha1 of it) of file (parameter "1")}
{(pathname of it as string & " " & sha1 of it) of file (parameter "2")}
{(pathname of it as string & " " & sha1 of it) of file (parameter "3")}
{(pathname of it as string & " " & sha1 of it) of file (parameter "4")}
{(pathname of it as string & " " & sha1 of it) of file (parameter "5")}
_END_
copy __createfile "{parameter "sha1file"}"

else
// Alternative: one record per day, e.g. /tmp/sha1_record_20240131.txt
// parameter "sha1file" = "{"/tmp/sha1_record_" & current year as string & current month as two digits & current day_of_month as string & ".txt"}"
// This line must be active: the delete and copy below, and the property in step two, refer to it
parameter "sha1file" = "{"/tmp/sha1_record.txt"}"
parameter "1" = "/bin/bash"
parameter "2" = "/sbin/launchd"
parameter "3" = "/sbin/mount"
// Remove any previous record, then write one "<path> <sha1>" line per file
delete "{parameter "sha1file"}"
createfile until _END_
{parameter "1"} {sha1 of file (parameter "1")}
{parameter "2"} {sha1 of file (parameter "2")}
{parameter "3"} {sha1 of file (parameter "3")}
_END_
copy __createfile "{parameter "sha1file"}"
endif
```

h2.Second, create a property that tracks whether there are any subsequent changes to the files. You could name this property something like “Files failed integrity check.”

```
if (windows of operating system) then (items 2 of (((sha1 of file (item 0 of it)), item 1 of it, item 0 of it) of (preceding texts of firsts " " of it, following texts of firsts " " of it) of (lines of file "c:/sha1_record.txt")) whose (item 0 of it != item 1 of it))
else (items 2 of (((sha1 of file (item 0 of it)), item 1 of it, item 0 of it) of (preceding texts of firsts " " of it, following texts of firsts " " of it) of (lines of file "/tmp/sha1_record.txt")) whose (item 0 of it != item 1 of it))
```

Each line of the record is split at its first space into the path and the recorded hash; the file at that path is hashed again, and the property returns the paths whose current hash differs from the recorded one.
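As an added example (not code from the original post or from BigFix), here is the same two-step scheme in Python so it can be tried outside the platform: write a `<path> <sha1>` record, then re-hash every listed file and report the ones whose hash no longer matches. It goes slightly beyond the Action and property above in two ways: it splits each record line on the last space rather than the first (the hex digest never contains a space, whereas a path such as `C:\Program Files\x.dll` does, which would break the relevance above), and it reports a missing file as changed instead of erroring. The sample file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample files for the demo; in practice these would be the
# files named in the Action's parameters (e.g. /bin/bash). The second one
# deliberately lives under a directory whose name contains a space.
SAMPLE_CONTENT = {
    "ntdll.dll": b"original ntdll bytes",
    "sub dir/kernel32.dll": b"original kernel32 bytes",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large binaries are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_record(paths, record_path):
    """Step 1: one '<path> <sha1>' line per file, like the createfile block."""
    lines = [f"{p} {sha1_of_file(p)}" for p in paths]
    with open(record_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return lines


def check_record(record_path):
    """Step 2: re-hash each recorded file and return the paths that changed.

    A file that is now missing is reported as changed as well, since the
    property's relevance would error on it rather than flag it.
    """
    changed = []
    with open(record_path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            # Split on the LAST space: the digest has none, a path may.
            path, recorded = line.rsplit(" ", 1)
            if not os.path.exists(path) or sha1_of_file(path) != recorded:
                changed.append(path)
    return changed


def demo():
    """Create the sample files, record them, tamper with one, and re-check.

    Returns (changed_before_tamper, changed_after_tamper, sample_paths).
    """
    root = tempfile.mkdtemp(prefix="sha1mon_")
    paths = []
    for rel, content in SAMPLE_CONTENT.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)

    record = os.path.join(root, "sha1_record.txt")
    write_record(paths, record)
    before = check_record(record)      # nothing has changed yet

    with open(paths[0], "ab") as f:    # simulate a modified binary
        f.write(b"tampered")
    after = check_record(record)       # only the tampered path is reported
    return before, after, paths


if __name__ == "__main__":
    before, after, paths = demo()
    print("changed before tampering:", before)
    print("changed after tampering: ", after)
```

Running the module creates the record, modifies one sample file, and prints the path that failed the check; the path containing a space is parsed correctly and is not reported, which is the case the `firsts " "` split in the relevance above does not handle.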

Some notes:

  • You probably should store the file in a place only writable by SYSTEM or root
  • BigFix gets its speed and scalability, in part, by avoiding heavyweight disk operations. With that in mind, you should avoid a very long list of files.