Saki is a poor man's Tripwire on steroids, which offers integrity protection via three different checksums: RIPEMD-160, SHA1, and MD5.

Given the known collisions in MD5 and SHA1, I thought it would be beneficial to have a tripwire-like program that would be someone's worst nightmare even if they have the technical know-how to defeat MD5 or SHA1. They'd have to go through hell and beyond to change the checksums.

Saki is still a work in progress, yet it is functional right now. It began as a one-liner I used to check files against something I already had on file. Sure, I could have done it in Perl, Ruby, etc., but who cares; it works and does what I wanted it to do.

When I wrote it, I wrote it to checksum all of the files in my $PATH. That was all I was concerned with at the time.

Why not Samhain? Samhain is a good program. It takes forever to run, but it is a good program. There are one too many requirements with Samhain and other programs like it, though: zlib, this lib, that lib... What if I were on a barebones system and couldn't access any of these? All Saki uses are raw system commands, with the exception of OpenSSL.

Samhain took about 3 minutes just to compile, another 3-4 minutes to configure, then about an hour to run through my system and do anything... Saki? Two minutes, 3625 files checksummed and archived.

HYPOTHETICAL SITUATION

A machine gets compromised in a colo and is taken offline. You don't want to bring that machine back online for whatever reason, and you need information now and fast. What would Samhain or other programs do for you if you haven't installed them already? If installed, great, but with a machine offline for whatever reason, what's the next best thing? Straightforward system commands.

This was written under the assumption it would be installed or run on a server. You can take the database created and send it to any other machine for even further integrity against someone who gains root access: copy the db information over and save it on another machine for comparison checking.

Myself, I have both the db and a good old text file I can diff against. Both reside off the machine the initial script ran on. Translation? Go ahead and compromise the machine; I will know what's been compromised. If you're that good to break all three hashes, then email me and I will FedEx you the physical machine at that point.

Saki is really a baseline idea meant for someone with a decent knowledge of Linux or shell scripting, someone who knows what they're doing (unlike me) and can modify it to their needs, add cron entries, etc.


download

SAKI db information...


[root@linuxbox ghetto]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 134 to server version: 5.0.27

mysql> use saki
Database changed
mysql> show tables;
+---------------------+
|   Tables_in_saki    |
+---------------------+
| checks              |
+---------------------+
1 row in set (0.00 sec)

mysql> describe checks;
+---------+--------------+------+-----+---------+-------+
| Field   | Type         | Null | Key | Default | Extra |
+---------+--------------+------+-----+---------+-------+
| program | varchar(100) | NO   |     |         |       |
| rmd160  | varchar(100) | NO   |     |         |       |
| sha1    | varchar(100) | NO   |     |         |       |
| md5     | varchar(100) | NO   |     |         |       |
+---------+--------------+------+-----+---------+-------+
4 rows in set (0.00 sec)

mysql> select * from checks where program ='/bin/chmod' ;
+------------+------------------------------------------+------------------------------------------+----------------------------------+
| program    | rmd160                                   | sha1                                     | md5                              |
+------------+------------------------------------------+------------------------------------------+----------------------------------+
| /bin/chmod | 17b8a660ff14b166b55aa6ae09bb7495a7a5afb7 | c824f7682ee57c1e4ef1dec7316538fb025c4e29 | afe70733cd26ae20322cad9594586f4b |
+------------+------------------------------------------+------------------------------------------+----------------------------------+
1 row in set (0.00 sec)

mysql>

Timing isn't "THAT" bad... 3625 files in 1 minute 42 seconds...

[root@linuxbox ghetto]# date ; ./fab ; date
Tue May 8 11:01:15 EDT 2007
Creating DB. You will be prompted for your MySQL password...
Enter password:
Creating RMD160 Checksums...
Creating SHA1 Checksums...
Creating MD5 Checksums...
Creating Masterlist
Creating database
You will be prompted for your MySQL password to populate the database...
Enter password:
Cleaning up
Tue May 8 11:02:57 EDT 2007
[root@linuxbox ghetto]# wc -l masterlist.csv
3625 masterlist.csv
NOTES: Saki only checks files listed in your environment's PATH. If you need it to check something more specific, either add it to your path or butcher this script on your own. Tested on FC5...
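The workflow the page describes (checksum every file on $PATH with three digests, keep the list off-box, diff it later) as an added POSIX shell example. This is not the Saki script or its `fab` helper; it is written here to show the shape of such a tool. The function and variable names (`digest`, `baseline`, `verify`) are my own, and the CSV column order `program,rmd160,sha1,md5` is chosen to match the `checks` table shown above. Like Saki it leans on `openssl dgst` for the hashes; where that binary is absent it falls back to coreutils for sha1/md5 and records `n/a` for RIPEMD-160 so the comparison still runs (an assumption made for this example, not a Saki feature).

```shell
#!/bin/sh
# Added example, not Saki's own code. Three-digest baseline of every regular
# file in the $PATH directories, plus a verify pass that reports drift.

# digest ALG FILE -> hex digest on stdout.
# Prefers openssl (the one non-coreutils tool Saki depends on). Falls back to
# coreutils for sha1/md5; prints "n/a" for rmd160 when no openssl is present.
digest() {
    alg=$1; f=$2
    if command -v openssl >/dev/null 2>&1 && \
       out=$(openssl dgst -r "-$alg" "$f" 2>/dev/null); then
        # "-r" prints "<hex> *<file>"; keep the part before the first space
        printf '%s\n' "${out%% *}"
        return 0
    fi
    case $alg in
        sha1) sha1sum "$f" | cut -d' ' -f1 ;;
        md5)  md5sum  "$f" | cut -d' ' -f1 ;;
        *)    echo n/a ;;
    esac
}

# baseline [DIR...] -> CSV "program,rmd160,sha1,md5", one line per regular
# file directly inside each DIR. With no DIR the entries of $PATH are used,
# which is what Saki does. Output is sorted so a plain diff is stable.
# (Paths containing a comma would break the CSV; Saki has the same limit.)
baseline() {
    if [ $# -eq 0 ]; then
        old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f 2>/dev/null
    done | sort -u | while IFS= read -r p; do
        printf '%s,%s,%s,%s\n' "$p" \
            "$(digest rmd160 "$p")" "$(digest sha1 "$p")" "$(digest md5 "$p")"
    done
}

# verify BASELINE_CSV [DIR...] -> prints "CHANGED p", "MISSING p" or "NEW p"
# lines; returns 0 when nothing differs, 1 otherwise. Any one of the three
# digests disagreeing is enough to flag a file, which is the point of
# storing three of them.
verify() {
    base=$1; shift
    cur=$(mktemp) || return 2
    baseline "$@" > "$cur"
    report=$(awk -F, '
        FNR == 1 { fileno++ }
        fileno == 1 { seen[$1] = $2 FS $3 FS $4; next }
        {
            if (!($1 in seen))                    print "NEW " $1
            else if (seen[$1] != $2 FS $3 FS $4)  print "CHANGED " $1
            done[$1] = 1
        }
        END { for (p in seen) if (!(p in done)) print "MISSING " p }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use:   baseline > masterlist.csv      (then copy the CSV off-box)
# later:         verify /mnt/offbox/masterlist.csv
```

The CSV is the same data Saki loads into the `checks` table, so the off-box copy can be either the file or a database row set; `verify` only needs the file. Run it from a trusted environment with the baseline read from media the compromised host never wrote to, otherwise a root-level intruder can rewrite the baseline along with the binaries.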