
web データ改竄監視スクリプト@FreeBSD+apache


動作は単純だが、毎回フルスクラッチで書き直すのは大儀なので、備忘録として掲載しておく。

crontab(1) に登録する際は、監視対象のコンテンツファイルを読み出せるユーザーで実行すること。
ex. crontab -u www
なお、各スクリプトはチェックサムを /var/log/tamperingdetection/ に実行ユーザーの権限で書き込むため、Web サーバーと同じユーザー（www）で回すと、Web サーバーが侵害された場合に攻撃者が基準となる .sum ファイルまで書き換えられてしまう点に注意。可能であれば、コンテンツを読むだけの専用ユーザーで実行し、www からはログ置き場に書き込めないようにしておくのが望ましい。
デフォルトでは、監視対象のディレクトリは以下の通り（CHECKSUM.sh 内に絶対パスで書かれている）。

/www/example.co.jp/cgi-bin
/www/example.co.jp/data

ログ置き場ディレクトリは以下の通り。スクリプトは作成しないので、あらかじめ作成し、crontab を回すユーザーが書き込めるようにしておくこと。

/var/log/tamperingdetection/

crontab
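MAILTO=管理者のメールアドレス
# Send mail in Japan Standard Time if wanted.  This comment is on a line of
# its own on purpose: crontab(5) does not allow a comment after an environment
# setting -- everything after "=" becomes the value, so the former
# "TZ=JST-09   #..." set TZ to the whole string including the comment.  The
# scripts set TZ=JST-09 themselves for their file names, so this line only
# affects the environment of the commands (and the mail); whether cron also
# uses it for scheduling depends on the cron version (see crontab(5), CRON_TZ).
TZ=JST-09
# CHECKSUM.sh every 30 minutes; DELETESUM.sh 10 minutes after each run (it
# compares the file just written with the one from 30 minutes before it);
# LOGROTATE.sh once a day.
0,30    *   *   *   *   /usr/local/bin/CHECKSUM.sh
10,40   *   *   *   *   /usr/local/bin/DELETESUM.sh
@daily                  /usr/local/bin/LOGROTATE.sh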
/usr/local/bin/CHECKSUM.sh
#!/bin/sh
#
# Web data tamper monitoring script
# 2016/01/15 by JE3KMZ
# 2016/02/01 modify JE3KMZ
#   Excluded "other_status/index.html"
#

trap 'cleanExit 0' INT
oldfiles=${TMP:-/tmp}/_mente_OLDFILES.$$
newfiles=${TMP:-/tmp}/_mente_NEWFILES.$$
lostfiles=${TMP:-/tmp}/_mente_LOSTFILES.$$
makefiles=${TMP:-/tmp}/_mente_MAKEFILES.$$
allfiles=${TMP:-/tmp}/_mente_ALLFILES.$$
lostoutput=${TMP:-/tmp}/_mente_LOSTOUTPUT.$$
makeoutput=${TMP:-/tmp}/_mente_MAKEOUTPUT.$$

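# Remove the work files that were actually assigned and terminate the script
# with status $1 (default 0).  Used both by the trap and as the normal exit
# path.  Each name is quoted and passed after "--" so a work path can never be
# taken for an rm option; empty (unset) names are skipped instead of being
# handed to rm as "".
cleanExit() {
    for workfile in "${oldfiles}" "${newfiles}" "${lostfiles}" "${makefiles}" \
                    "${allfiles}" "${lostoutput}" "${makeoutput}"; do
        if [ -n "${workfile}" ]; then
            /bin/rm -f -- "${workfile}"
        fi
    done
    exit "${1:-0}"
}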

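# Time stamps (JST) naming this run's checksum files (NOW) and the ones the
# previous run wrote 30 minutes ago (OLD).  The crontab fires this script at
# :00 and :30, so the minute strings line up exactly; if cron starts late
# enough to cross a minute boundary the OLD file is not found, which is
# reported below instead of being silently skipped.
NOW=$(/usr/bin/env TZ=JST-09 /bin/date +'%Y%m%d%H%M')
OLD=$(/usr/bin/env TZ=JST-09 /bin/date -v-30M +'%Y%m%d%H%M')

LOGDIR=/var/log/tamperingdetection
DATANOW=${LOGDIR}/${NOW}-datadir.sum
CGINOW=${LOGDIR}/${NOW}-cgidir.sum
DATAOLD=${LOGDIR}/${OLD}-datadir.sum
CGIOLD=${LOGDIR}/${OLD}-cgidir.sum

# Write "sha256 path" lines for every regular file below directory $1 into
# file $2, paths relative to $1.
#  - "find ." instead of "find *" also covers dot files such as .htaccess,
#    which the glob skipped and which are a classic tampering target.  The
#    sed strips the "./" prefix so the .sum format is unchanged and the first
#    run after this change does not report every file.
#  - find/sha256 stderr is still discarded as before; be aware that a file
#    the cron user cannot read is therefore silently absent from the baseline.
#  - A directory that cannot be entered aborts the run with a message.  The
#    former "cd dir && find ..." just produced no file, and the next run then
#    compared nothing, without telling anyone.
sumdir() {
    if ! cd "$1"; then
        /bin/echo "エラー: $1 に入れません。チェックサムの採取を中止します。"
        cleanExit 1
    fi
    /usr/bin/find . -type f -exec /sbin/sha256 -r "{}" \+ 2> /dev/null \
        | /usr/bin/sed 's|^\([0-9a-f]*\) \./|\1 |' \
        | /usr/bin/grep -v "other_status/index.html" > "$2"
}
sumdir /www/example.co.jp/data "${DATANOW}"
sumdir /www/example.co.jp/cgi-bin "${CGINOW}"

# Lines of the unified diff between $1 (older) and $2 (newer) that carry the
# marker $3 ("-": only in the older file, "+": only in the newer file), with
# the marker stripped.  The two "---"/"+++" header lines are skipped; hunk
# headers start with "@@" and checksum lines with a hex digit, so neither can
# match.  diff's stderr is discarded as before.
diffLines() {
    /usr/bin/diff -u "$1" "$2" 2> /dev/null | /usr/bin/tail -n +3 \
        | /usr/bin/grep "^[$3]" | /usr/bin/sed "s|^[$3]||"
}

# Append the removed (-> oldfiles) and added (-> newfiles) checksum lines of
# one directory.  A missing OLD file means the previous run did not happen or
# did not finish (this also fires once on the very first run): report it,
# because a tamper monitor that quietly compares nothing is worse than one
# that nags.
comparePair() {
    if [ ! -f "$1" ]; then
        /bin/echo "警告: 前回のチェックサムファイル $1 がありません。$2 は比較していません（前回の実行が無いか、開始が遅れた可能性）。"
        /bin/echo
        return 0
    fi
    diffLines "$1" "$2" - >> "${oldfiles}"
    diffLines "$1" "$2" + >> "${newfiles}"
}

: > "${oldfiles}"
: > "${newfiles}"
comparePair "${DATAOLD}" "${DATANOW}"
comparePair "${CGIOLD}" "${CGINOW}"

# Second pass: a line that merely moved (same content, different position)
# shows up as both removed and added above; diffing the two lists cancels
# those out.  What remains: lostfiles = old checksum lines that are gone
# (modified or deleted files), makefiles = new checksum lines (modified or
# added files).
diffLines "${oldfiles}" "${newfiles}" - > "${lostfiles}"
diffLines "${oldfiles}" "${newfiles}" + > "${makefiles}"

# NOTE(review): kept byte-for-byte from the original.  "sort +2" and
# "uniq -u +2" are the obsolete key syntaxes (sort on what follows the second
# blank-separated field; uniq after skipping two characters), so this does
# not appear to key on the path field as the headings might suggest -- in
# practice it seems to yield the union of lostfiles and makefiles.  Verify the
# intent before replacing them with -k / -s.
/bin/cat "${lostfiles}" "${makefiles}" | /usr/bin/sort +2 | /usr/bin/uniq -u +2 > "${allfiles}"

# Report sections, only those with content.  Output goes to stdout, i.e. to
# MAILTO via cron; with no output at all cron sends no mail.
if [ -s "${allfiles}" ] ; then
    /bin/echo 変更されたファイル
    /usr/bin/awk '{print $2}' "${allfiles}" | /usr/bin/sort | /usr/bin/uniq
    /bin/echo
fi

/usr/bin/sort "${allfiles}" "${lostfiles}" | /usr/bin/uniq -d | /usr/bin/awk '{print $2" "$1}' > "${lostoutput}"
if [ -s "${lostoutput}" ] ; then
    /bin/echo 無くなったファイル
    /bin/cat "${lostoutput}"
    /bin/echo
fi

/usr/bin/sort "${allfiles}" "${makefiles}" | /usr/bin/uniq -d | /usr/bin/awk '{print $2" "$1}' > "${makeoutput}"
if [ -s "${makeoutput}" ] ; then
    /bin/echo 増えたファイル
    /bin/cat "${makeoutput}"
    /bin/echo
fi

cleanExit 0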
/usr/local/bin/DELETESUM.sh
#!/bin/sh
#
# Web data tamper monitoring script
# 2016/01/15 by JE3KMZ
#

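# The crontab runs this script at :10 and :40, i.e. ten minutes after each
# CHECKSUM.sh run.  NOW therefore names the checksum files CHECKSUM.sh has
# just written and OLD the ones from the run 30 minutes before that (same
# JST naming as CHECKSUM.sh).
NOW=$(/usr/bin/env TZ=JST-09 /bin/date -v-10M +'%Y%m%d%H%M')
OLD=$(/usr/bin/env TZ=JST-09 /bin/date -v-40M +'%Y%m%d%H%M')

LOGDIR=/var/log/tamperingdetection
DATANOW=${LOGDIR}/${NOW}-datadir.sum
CGINOW=${LOGDIR}/${NOW}-cgidir.sum
DATAOLD=${LOGDIR}/${OLD}-datadir.sum
CGIOLD=${LOGDIR}/${OLD}-cgidir.sum

# Remove the older checksum file $1 when it is byte-identical to the newer $2,
# so that only the snapshots at which something changed (plus the most recent
# one) accumulate under LOGDIR.  diff's stdout is discarded but its stderr is
# deliberately left alone, as in the original: if $2 is missing because
# CHECKSUM.sh failed, diff's "No such file" reaches the MAILTO address and $1
# is kept.
dropIfSame() {
    if /usr/bin/diff -q "$1" "$2" > /dev/null; then
        /bin/rm -f -- "$1"
    fi
}

dropIfSame "${DATAOLD}" "${DATANOW}"
dropIfSame "${CGIOLD}" "${CGINOW}"

exit 0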
/usr/local/bin/LOGROTATE.sh
#!/bin/sh
#
# Web data tamper monitoring script
# 2016/01/15 by JE3KMZ
# 2017/05/18 modify JE3KMZ
#

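# Date stamps in JST, matching the file names CHECKSUM.sh writes.
#   NOW        - yesterday: its .sum files are archived today
#   OLD        - two days ago: its .sum files are removed today, but only the
#                ones the archive written for them yesterday actually holds
#   LASTMONTH  - previous month: its daily archives are bundled
# @daily fires at midnight in the server's local time zone while these names
# are JST dates; keep the server on JST (or adjust the schedule) or the
# "yesterday" set may be incomplete.  LASTMONTHDAY is only referenced by the
# commented-out removal at the end; LASTYEAR is currently unused.
NOW=$(/usr/bin/env TZ=JST-09 /bin/date -v-1d +'%Y%m%d')
OLD=$(/usr/bin/env TZ=JST-09 /bin/date -v-2d +'%Y%m%d')
LASTMONTH=$(/usr/bin/env TZ=JST-09 /bin/date -v-1m +'%Y%m')
LASTMONTHDAY=$(/usr/bin/env TZ=JST-09 /bin/date -v-1m -v-1d +'%Y%m%d')
LASTYEAR=$(/usr/bin/env TZ=JST-09 /bin/date -v-1m +'%Y')

LOGDIR=/var/log/tamperingdetection

# Work relative to LOGDIR so archive members carry no directory prefix, as
# before.  A missing directory is an error worth mailing, not something to
# archive around.
cd "${LOGDIR}" || {
    /bin/echo "LOGROTATE.sh: cannot enter ${LOGDIR}" 1>&2
    exit 1
}

# Create (or overwrite) the xz-compressed archive $1 from the members that
# follow it.  Returns bsdtar's status.
archive() {
    local target
    target=$1
    shift
    /usr/bin/bsdtar \
        --create \
        --xz \
        --numeric-owner \
        --options=xz:compression-level=9 \
        --file "${target}" "$@"
}

# 1. Archive yesterday's checksum files.  The glob is tested first: with no
#    matching file the old code handed the literal pattern to bsdtar, which
#    only produced a confusing "No such file" error in the mail.  A failed
#    archive leaves the .sum files in place; step 2 will refuse to delete
#    them tomorrow.
set -- "${NOW}"*.sum
if [ -e "$1" ]; then
    archive "${NOW}.tar.xz" "$@" \
        || /bin/echo "LOGROTATE.sh: archiving ${NOW}*.sum failed; the files are kept"
else
    /bin/echo "LOGROTATE.sh: no checksum files for ${NOW} found in ${LOGDIR}; nothing archived"
fi

# 2. Remove the checksum files from two days ago, but only those listed in the
#    archive made for that day.  The old code deleted them unconditionally,
#    so a failed or skipped run the day before (host down at midnight, disk
#    full) destroyed the only copy of that day's evidence.  Files not in the
#    archive stay, and the mail says so.
set -- "${OLD}"*.sum
if [ -e "$1" ]; then
    for sumfile in "$@"; do
        if /usr/bin/bsdtar --list --file "${OLD}.tar.xz" 2> /dev/null \
                | /usr/bin/grep -qxF -- "${sumfile}"; then
            /bin/rm -f -- "${sumfile}"
        else
            /bin/echo "LOGROTATE.sh: ${sumfile} is not in ${OLD}.tar.xz; keeping it"
        fi
    done
fi

# 3. Bundle last month's daily archives into one monthly archive.  This runs
#    every day and simply rewrites the same file; the daily archives are kept
#    (their removal below stays commented out, as in the original).  A month
#    with no daily archives is skipped silently -- a missing day is already
#    reported by step 1 on the day itself.
set -- "${LASTMONTH}"??.tar.xz
if [ -e "$1" ]; then
    archive "${LASTMONTH}.tar.xz" "$@"
fi
#/bin/rm -f -- "${LASTMONTHDAY}.tar.xz"

exit 0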