MD5 hash checking

Refer to attached script.

Q1:
Somehow I felt it does not build a base MD5 database (as baseline)
of all files in the server or does it?

Q2:
Can it be run on RHEL 5.x, 6.x & Solaris x86 or some syntax
needs to be modified?

Q3:
Is it CPU & IO intensive?  Will it help reduce the impact on system
load if run with "nohup nice ./script_name > /tmp/a.txt 2>a.err"  ?

Q4:
What's the usual practice after building a baseline of the MD5,
do we run this script daily, weekly or ?

Q5:
If files get modified, say by authorized applications & tools, does
it get flagged out or only those files that are maliciously modified
are flagged?

Any enhancement to the attached is welcome
hashcheck.zip
sunhux Asked:

gheist Commented:
A1) MD5 is not safe. Use SHA2 instead.
A2) Take a widely used package, e.g. the Perl script called rkhunter, that does what you need.
A3) Do not attempt to fix before anything is broken.
A4) Not using MD5
A5) No way to figure intent of file write.
0

gheist Commented:
rkhunter is packaged by EPEL (Fedora) for both RHEL releases and it can be installed easily on Solaris.
0
serialband Commented:
There's open source Tripwire http://sourceforge.net/projects/tripwire/
And an alternative that's centrally managed if you're doing more than one server.  http://www.ossec.net/  http://www.splunk.com/
0
gheist Commented:
Mine is the least resource consuming. And it extracts checksums from the native package manager in addition to its own database.
0
serialband Commented:
Not sure what you're talking about, gheist.

rkhunter scans for rootkits after the fact.

tripwire and ossec are geared towards IDS.  They're made to watch for changes to existing files.  They're different beasts that do different things.  The original question suggests IDS.
0
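Added example, not the attached script and not code from any tool named in this thread: a minimal Python baseline-and-compare check using SHA-256, illustrating the baseline database asked about in Q1 and the SHA-2 advice in A1. Function names and the JSON baseline format are assumptions, and the sample tree is constructed.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: large files stay out of RAM
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):  # skip links, devices
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def save_baseline(root, db_path):
    # Keep db_path outside the monitored tree, ideally on read-only or remote storage.
    with open(db_path, "w") as f:
        json.dump(snapshot(root), f, indent=1, sort_keys=True)

def compare(root, db_path):
    """Report files added, removed or modified since the baseline was saved."""
    with open(db_path) as f:
        old = json.load(f)
    new = snapshot(root)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo():  # constructed sample tree: baseline it, change three things, compare
    with tempfile.TemporaryDirectory() as tmp:
        root, db = os.path.join(tmp, "tree"), os.path.join(tmp, "baseline.json")
        os.makedirs(os.path.join(root, "etc"))
        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        for rel, data in (("etc/app.conf", b"port=80\n"), ("tool", b"v1"), ("old.log", b"x")):
            put(rel, data)
        save_baseline(root, db)
        put("etc/app.conf", b"port=8080\n")  # flagged whether the edit was authorized or not
        put("new.bin", b"\x7fELF")
        os.remove(os.path.join(root, "old.log"))
        return compare(root, db)
```

The unchanged file `tool` is not reported, while the edited config is listed as modified regardless of who changed it, which matches A5: a hash comparison shows that a file changed, not why.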
Question has a verified solution.