Integrity check
The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can, for example, be caused by hackers.
You can use this script proactively by scheduling it in a cron job and storing the result on a remote server. Or, if you suspect a compromise, you can run the script against a snapshot of your Zimbra server (if you have one) and compare it against the result of the script on your running instance.
Integrity check script
As user root, create a file /usr/local/sbin/zimbra-checksums with the following content:
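#!/bin/bash
# Directory that receives the file lists and the checksum logs
DIR='/tmp'
# -p: do not fail when the directory is left over from an earlier run
mkdir -p "$DIR/CHECKSUMS"
dt=$(date +'%m-%d-%Y-%T')
HN=$(hostname)
echo "Fetching folders to search.."
# Top-level entries of /opt/zimbra, without mail data, logs and statistics
/bin/ls -la /opt/zimbra/ | awk '{print $9}' | grep -E -v 'backup|log|db|index|store|data|zmstat' | sed '1,3d' > "$DIR/CHECKSUMS/zimdir"
echo "Creating file list.."
for i in $(cat "$DIR/CHECKSUMS/zimdir")
do
    find /opt/zimbra/"$i" -mount -type f | grep -E -v "/opt/zimbra/backup/|/opt/zimbra/data/|/opt/zimbra/zmstat/" >> "$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt"
done
# Wrap every path in double quotes so xargs keeps file names with spaces intact
sed -i 's/^/"/ ; s/$/"/' "$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt"
echo "Calculating checksums.. (This can take time)"
# The file list is also appended to /tmp/asdf.log on its way to sha1sum
cat "$DIR/CHECKSUMS/sha1files_${HN}_${dt}.txt" | tee -a /tmp/asdf.log | xargs sha1sum >> "$DIR/CHECKSUMS/sha1sum_zimbra_${HN}_${dt}.log"
echo "Done"
exit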
Run it as follows:
chmod +x /usr/local/sbin/zimbra-checksums
/usr/local/sbin/zimbra-checksums
Comparing the result
The result of the script can be found in the /tmp/CHECKSUMS folder. Example:
/tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08:44:06.log
Now to compare the result you can do the following:
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08\:44\:06.log | sort -k2 > /tmp/resultY
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-10-2022-13\:21\:01.log | sort -k2 > /tmp/resultX
diff -Naur /tmp/resultX /tmp/resultY
The diff command will show any changes in checksums and newly created files.
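The comparison step above can also be turned into a report that labels each difference as an added, modified or removed file, which is easier to triage than raw diff output. This is an added example, not part of the original article; the function names compare_checksums and demo, and the sample hashes and file names, are made up for illustration.

```sh
#!/bin/sh
# compare_checksums BASELINE CURRENT  (hypothetical helper, not from the article)
# Prints "ADDED <path>", "MODIFIED <path>" or "REMOVED <path>", sorted.
compare_checksums() {
    awk '
        {
            line = $0
            # sha1sum puts a backslash first when it had to escape the file name
            if (substr(line, 1, 1) == "\\") line = substr(line, 2)
            # checksum line: hex digest, a space, a space or "*", then the path
            if (!match(line, /^[0-9a-f]+ [ *]/)) next
            hash = substr(line, 1, RLENGTH - 2)
            path = substr(line, RLENGTH + 1)
        }
        !is_current { base[path] = hash; next }    # first log: the baseline
        {
            seen[path] = 1
            if (!(path in base))          print "ADDED " path
            else if (base[path] != hash)  print "MODIFIED " path
        }
        END {
            for (p in base) if (!(p in seen)) print "REMOVED " p
        }
    ' is_current=0 "$1" is_current=1 "$2" | LC_ALL=C sort
}

# Constructed sample logs: hashes and file names are made up for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline.log" <<'EOF'
1111111111111111111111111111111111111111  /opt/zimbra/conf/example.cf
2222222222222222222222222222222222222222  /opt/zimbra/bin/example-tool
3333333333333333333333333333333333333333  /opt/zimbra/lib/example old.jar
EOF
    cat > "$tmp/current.log" <<'EOF'
1111111111111111111111111111111111111111  /opt/zimbra/conf/example.cf
9999999999999999999999999999999999999999  /opt/zimbra/bin/example-tool
4444444444444444444444444444444444444444  /opt/zimbra/webapps/example new.jsp
EOF
    compare_checksums "$tmp/baseline.log" "$tmp/current.log"
    rm -rf "$tmp"
}

demo
```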