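#!/bin/bash
#
# Boot-file integrity checker for machines that use whole-disk encryption.
#
# With whole-disk encryption a small part of the drive stays unencrypted
# because it is needed to boot the computer. This script keeps tabs on those
# important files (/boot/initrd.img-*-generic) and looks for changes: a file
# seen for the first time is hashed (md5/sha1/sha256) and a gzip+base64 copy of
# it is stored in an SQLite database; a file already known is re-hashed and
# reported as HAS CHANGED / HAS NOT CHANGED. The database is carried inside
# this script itself, base64-encoded after the '####' marker line, and the
# script rewrites itself at the end of every run. With a lot of boot files the
# script can grow to 100 MB or more, so be forewarned.
#
# Usage:
#   ./script          check the initrd images against the stored hashes
#   ./script 'SQL'    run one SQL statement against the embedded database,
#                     e.g. "SELECT filename, sha256 FROM hashes;". The database
#                     is written back afterwards, so statements that modify it
#                     (DELETE, UPDATE, ...) are persisted.
#
# Only the `hashes` table is used for verification. The `contents` table is a
# backup copy for manual recovery: concatenate the rows for the file's id in
# subindex order, base64-decode and gunzip the result.
#
# NOTE: the baseline lives in the same writable file as the checker, so anyone
# able to alter /boot can usually alter this file as well. Keep a copy of the
# script (or at least the sha256 column) on read-only or offline media and
# compare against that copy too.
set -euo pipefail
shopt -s nullglob

# Exact text of the line that separates the script from its base64 payload.
readonly MARKER='###########################################################'

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the hex digest of a file as computed by the given *sum tool.
# Arguments: $1 - md5sum | sha1sum | sha256sum, $2 - path
# Outputs:   digest on stdout
#######################################
digest() {
  local tool=$1 path=$2
  "$tool" -- "$path" | cut -d ' ' -f1
}

#######################################
# Store the hashes and a compressed copy of a file not yet in the database.
# Globals:   SQLITEDB (read)
# Arguments: $1 - path (already validated against the initrd naming pattern,
#                 so it contains no quote characters)
#######################################
record_new_file() {
  local path=$1 md5 sha1 sha256 id data idx row
  printf '\e[34;1mNEW FILE %s\e[0m\n' "$path"
  md5=$(digest md5sum "$path")
  sha1=$(digest sha1sum "$path")
  sha256=$(digest sha256sum "$path")
  sqlite3 "$SQLITEDB" "INSERT INTO hashes (filename, md5, sha1, sha256) VALUES ('$path', '$md5', '$sha1', '$sha256');"
  printf '\e[34;1madded hashes...\e[0m\n'
  id=$(sqlite3 "$SQLITEDB" "SELECT id FROM hashes WHERE filename = '$path';")
  printf 'id=%s\n' "$id"
  # gzip -n omits the name/timestamp header so the stored blob is reproducible.
  # The single base64 line is cut into 32768-character rows; two 16384 repeats
  # are used because GNU sed caps one interval at 32767.
  data=$(gzip -9 -n < "$path" | base64 | tr -d '\n' | sed 's/\(.\{16384\}.\{16384\}\)/\1\n/g')
  printf '\e[34;1mbinary data formated, adding to sqlite db...\e[0m\n'
  # One sqlite3 process and one transaction for all rows instead of a fork
  # per row; base64 text contains no quotes, so the literal is safe.
  {
    printf 'BEGIN;\n'
    idx=0
    while IFS= read -r row; do
      printf "INSERT INTO contents (id, subindex, data) VALUES (%d, %d, '%s');\n" "$id" "$idx" "$row"
      idx=$((idx + 1))
    done <<<"$data"
    printf 'COMMIT;\n'
  } | sqlite3 "$SQLITEDB"
  printf '\e[34;1m[+] %s HAS BEEN ADDED TO THE DATABASE\e[0m\n' "$path"
}

#######################################
# Re-hash a file already in the database and report whether it changed.
# The stored row is never updated here: a changed file stays flagged until
# the operator decides what to do with it (query mode).
# Globals:   SQLITEDB (read)
# Arguments: $1 - path (validated, see record_new_file)
# Returns:   exits 1 if the database answers with anything but 0 or 1 rows
#######################################
verify_known_file() {
  local path=$1 md5 sha1 sha256 matches
  md5=$(digest md5sum "$path")
  sha1=$(digest sha1sum "$path")
  sha256=$(digest sha256sum "$path")
  # All three digests must match the stored row; md5 and sha1 are weak on
  # their own, sha256 is the one that carries the assurance.
  matches=$(sqlite3 "$SQLITEDB" "SELECT count(filename) FROM hashes WHERE filename = '$path' AND md5 = '$md5' AND sha1 = '$sha1' AND sha256 = '$sha256';")
  case "$matches" in
    1) printf '\e[32;1m%s HAS NOT CHANGED\e[0m\n' "$path" ;;
    0) printf '\e[31;1m%s HAS CHANGED\e[0m\n' "$path" ;;
    *) die "ERROR PROCESSING $path" ;;
  esac
}

#######################################
# Extract the embedded database, run the check (or one SQL statement), and
# write the script plus the updated database back to $0.
# Globals:   SQLITEDB, SCRIPTFILE, NEWSCRIPT (written; removed by the EXIT trap)
# Arguments: $1 - optional SQL statement (query mode)
#######################################
main() {
  local eos query path known re
  [[ -f "$0" && -r "$0" && -w "$0" ]] \
    || die "$0 must be a readable, writable regular file (the database is stored in it)"
  # Line number of the marker: one grep instead of re-reading the whole
  # (possibly 100 MB) file once per line as the search advances.
  eos=$(grep -n -m1 -x -F -- "$MARKER" "$0" | cut -d: -f1) || true
  [[ -n "$eos" ]] || die "end-of-script marker not found in $0"
  SQLITEDB=$(mktemp) || die "mktemp failed"
  SCRIPTFILE=$(mktemp) || die "mktemp failed"
  NEWSCRIPT=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$SQLITEDB" "$SCRIPTFILE" "$NEWSCRIPT"' EXIT
  # A corrupt payload aborts here (pipefail) before anything is written back,
  # so a bad run cannot wipe the stored baseline.
  tail -n +"$((eos + 1))" -- "$0" | base64 -d > "$SQLITEDB"
  head -n "$eos" -- "$0" > "$SCRIPTFILE"
  query=${1-}
  if [[ -z "$query" ]]; then
    # Diagnostic: number of lines that make up the script part.
    printf '%s\n' "$eos"
    sqlite3 "$SQLITEDB" "CREATE TABLE IF NOT EXISTS hashes(id INTEGER PRIMARY KEY, filename TEXT UNIQUE NOT NULL, md5 TEXT, sha1 TEXT, sha256 TEXT);"
    sqlite3 "$SQLITEDB" "CREATE TABLE IF NOT EXISTS contents(id INTEGER, subindex INTEGER, data TEXT);"
    # Only the distribution's versioned initrd names; anchored so a stray file
    # that merely contains the pattern is ignored. The match also guarantees
    # the path is safe to interpolate into the SQL strings below.
    re='^/boot/initrd\.img-[0-9]+\.[0-9]+\.[0-9]+-[0-9]+-generic$'
    for path in /boot/initrd.img-*-generic; do
      [[ "$path" =~ $re ]] || continue
      known=$(sqlite3 "$SQLITEDB" "SELECT count(filename) FROM hashes WHERE filename = '$path';")
      case "$known" in
        0) record_new_file "$path" ;;
        1) verify_known_file "$path" ;;
        *) die "Error: database did not query correctly" ;;
      esac
    done
  else
    sqlite3 "$SQLITEDB" "$query"
  fi
  # Assemble the new script in a temp file first so the live script is
  # replaced by a single copy rather than truncated and rebuilt piece by piece.
  { cat -- "$SCRIPTFILE"; base64 -- "$SQLITEDB"; } > "$NEWSCRIPT"
  cat -- "$NEWSCRIPT" > "$0" || die "could not write database back to $0"
  exit 0
}

main "$@"
exit 0
###########################################################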