Saki is a poor man's Tripwire on steroids which offers integrity protection via three different checksums: RIPEMD-160, SHA1, and MD5. Due to the collisions found in MD5 and SHA1, I thought it would be beneficial to have a tripwire-like program that would be someone's worst nightmare even if they have the technical know-how to defeat MD5 or SHA1: they'd have to go through hell and beyond to change all three checksums. (Worth keeping in mind: the published breaks of MD5 and SHA1 are collision attacks, which help an attacker who gets to craft both versions of a file. Producing a replacement that matches the recorded hash of an existing binary is a second-preimage attack, and no practical one is known even for MD5; recording three digests raises that bar further.) Saki is still a work in progress, yet functional right now. It began as a one-liner I had to check against something I already had on file; sure, I could have done it in Perl, Ruby, etc., but who cares, it works and does what I wanted it to do. When I wrote it, I wrote it to checksum all of the files in my $PATH. This was all I was concerned with at the time.

Why not Samhain? Samhain is a good program. It takes forever to run, but it is a good program. But there are one too many requirements with Samhain and other programs like it: Zlib, thislib, thatlib... What if I were on a barebones system and couldn't access any of these? All Saki uses are raw system commands, with the exception of OpenSSL.
Samhain took about 3 minutes just to compile, another 3-4 minutes to configure, then about an hour to run through my system and do anything... Saki? Two minutes: 3625 files checksummed and archived.
Machine gets compromised in a colo and is taken offline. You don't want to bring that machine back online for whatever reason, and you need information now and fast. What would Samhain or other programs do for you if you haven't installed them already? If installed, great, but with a machine offline for whatever reason, what's the next best thing? Straightforward system commands.

This was written under the impression it would be installed or run on a server. You can take the database created and send it to any machine for even further integrity against someone who gains root access: copy the db information over and save it on another machine for comparison checking. Myself, I have both the db and a good old text file I can diff against. Both reside off of the machine the initial script ran on. Keeping the baseline off the box matters because root on the compromised host can edit the stored checksums just as easily as the files; for the same reason the fresh run should use a known-good openssl binary (from read-only media, for instance) rather than the one sitting on the suspect machine. Translation? Go ahead and compromise the machine. I will know what's been compromised. If you're that good to break all three hashes, then email me and I will FedEx you the physical machine at that point. Saki is really a baseline idea meant for someone with a decent knowledge of Linux or shell scripting, someone who knows what they're doing (unlike me) who can modify it to their needs, add cron entries, etc.
SAKI db information...

[root@linuxbox ghetto]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 134 to server version: 5.0.27

mysql> use saki
Database changed
mysql> show tables;
+----------------+
| Tables_in_saki |
+----------------+
| checks         |
+----------------+
1 row in set (0.00 sec)

mysql> describe checks;
+---------+--------------+------+-----+---------+-------+
| Field   | Type         | Null | Key | Default | Extra |
+---------+--------------+------+-----+---------+-------+
| program | varchar(100) | NO   |     |         |       |
| rmd160  | varchar(100) | NO   |     |         |       |
| sha1    | varchar(100) | NO   |     |         |       |
| md5     | varchar(100) | NO   |     |         |       |
+---------+--------------+------+-----+---------+-------+
4 rows in set (0.00 sec)

mysql> select * from checks where program = '/bin/chmod';
+------------+------------------------------------------+------------------------------------------+----------------------------------+
| program    | rmd160                                   | sha1                                     | md5                              |
+------------+------------------------------------------+------------------------------------------+----------------------------------+
| /bin/chmod | 17b8a660ff14b166b55aa6ae09bb7495a7a5afb7 | c824f7682ee57c1e4ef1dec7316538fb025c4e29 | afe70733cd26ae20322cad9594586f4b |
+------------+------------------------------------------+------------------------------------------+----------------------------------+
1 row in set (0.00 sec)

mysql>