Integrity check - Revision history
https://wiki.zimbra.com/index.php?title=Integrity_check&feed=atom&action=history
2024-03-28T14:53:37Z
Revision history for this page on the wiki
MediaWiki 1.39.0
https://wiki.zimbra.com/index.php?title=Integrity_check&diff=69235&oldid=prev
Barry de Graaff at 07:27, 11 October 2022
2022-10-11T07:27:23Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:27, 11 October 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">== Zimbra installation integrity check ==</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can for example be caused by hackers.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can for example be caused by hackers.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
</table>
Barry de Graaff
https://wiki.zimbra.com/index.php?title=Integrity_check&diff=69234&oldid=prev
Barry de Graaff: Created page with "The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify uninten..."
2022-10-11T07:26:59Z
<p>Created page with "The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify uninten..."</p>
<p><b>New page</b></p><div>The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can for example be caused by hackers.<br />
<br />
You can use this script proactively by scheduling it in a cron job and storing the result on a remote server. Or, if you suspect a compromise, you can run the script against a snapshot of your Zimbra server (if you have one) and compare it against the result of the script on your running instance.<br />
<br />
= Integrity check script =<br />
<br />
As user <code>root</code> create a file <code>/usr/local/sbin/zimbra-checksums</code> with the following content:<br />
<br />
<pre>#!/bin/bash<br />
<br />
# Output directory for the file list and checksum log<br />
DIR='/tmp'<br />
mkdir -p &quot;$DIR/CHECKSUMS&quot;<br />
# Timestamp and hostname are used in the output file names<br />
dt=$(date +'%m-%d-%Y-%T')<br />
HN=$(hostname)<br />
<br />
echo &quot;Fetching folders to search..&quot;<br />
# Top-level entries of /opt/zimbra, minus excluded folders; sed drops the &quot;total&quot;, &quot;.&quot; and &quot;..&quot; lines<br />
/bin/ls -la /opt/zimbra/ | awk '{print $9}' | grep -E -v 'backup|log|db|index|store|data|zmstat' | sed '1,3d' &gt; &quot;$DIR/CHECKSUMS/zimdir&quot;<br />
<br />
echo &quot;Creating file list..&quot;<br />
for i in $(cat &quot;$DIR/CHECKSUMS/zimdir&quot;)<br />
do<br />
find /opt/zimbra/&quot;$i&quot; -mount -type f | grep -E -v &quot;/opt/zimbra/backup/|/opt/zimbra/data/|/opt/zimbra/zmstat/&quot; &gt;&gt; &quot;$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt&quot;<br />
done<br />
# Wrap every path in double quotes so xargs keeps names with spaces intact<br />
sed -i 's/^/&quot;/ ; s/$/&quot;/' &quot;$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt&quot;<br />
<br />
echo &quot;Calculating checksums.. (This can take time)&quot;<br />
<br />
xargs sha1sum &lt; &quot;$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt&quot; &gt;&gt; &quot;$DIR/CHECKSUMS/sha1sum_zimbra_${HN}_${dt}.log&quot;<br />
echo &quot;Done&quot;<br />
<br />
exit</pre><br />
Run it as follows:<br />
<br />
<pre>chmod +x /usr/local/sbin/zimbra-checksums<br />
/usr/local/sbin/zimbra-checksums</pre><br />
= Comparing the result =<br />
<br />
The result of the script can be found in the <code>/tmp/CHECKSUMS</code> folder. Example:<br />
<br />
<pre>/tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08:44:06.log</pre><br />
Now to compare the result you can do the following:<br />
<br />
<pre>cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08\:44\:06.log | sort -k2 &gt; /tmp/resultY<br />
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-10-2022-13\:21\:01.log | sort -k2 &gt; /tmp/resultX<br />
diff -Naur /tmp/resultX /tmp/resultY</pre><br />
The diff command will show any changes in checksums and newly created files.</div>Barry de Graaff
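
The comparison step above can also be made to label each difference, which is easier to triage than raw diff output. The following is an added example, not part of the original wiki page: it goes slightly beyond the page by also reporting files that disappeared, and the function names `compare_manifests` and `write_samples` as well as all sample hashes and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify differences between two sha1sum manifests such as
# the sha1sum_zimbra_*.log files produced by the script on this page.

# compare_manifests OLD NEW -> one "STATUS<TAB>PATH" line per difference
compare_manifests() {
    awk -v oldfile="$1" '
        # sha1sum prints "<hash>  <path>"; keep the rest of the line as the
        # path so that names containing spaces stay intact.
        function parse(line) {
            hash = line
            sub(/ .*/, "", hash)
            path = substr(line, length(hash) + 3)
        }
        BEGIN {
            while ((getline line < oldfile) > 0)
                if (line != "") { parse(line); old[path] = hash }
            close(oldfile)
        }
        NF {
            parse($0)
            seen[path] = 1
            if (!(path in old))         print "ADDED\t" path
            else if (old[path] != hash) print "MODIFIED\t" path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$2" | LC_ALL=C sort -t "$(printf '\t')" -k2
}

# Constructed sample manifests: hashes and paths are made up for illustration.
write_samples() {
    cat > "$1/old.log" <<'EOF'
1111111111111111111111111111111111111111  /opt/zimbra/example/same.bin
2222222222222222222222222222222222222222  /opt/zimbra/example/changed.conf
3333333333333333333333333333333333333333  /opt/zimbra/example/removed file.jar
EOF
    cat > "$1/new.log" <<'EOF'
1111111111111111111111111111111111111111  /opt/zimbra/example/same.bin
9999999999999999999999999999999999999999  /opt/zimbra/example/changed.conf
4444444444444444444444444444444444444444  /opt/zimbra/example/new file.jsp
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
compare_manifests "$tmp/old.log" "$tmp/new.log"
rm -rf "$tmp"
```

To use it on real output, pass the older checksum log as the first argument and the newer one as the second.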