Integrity check

Zimbra installation integrity check

The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can for example be caused by hackers.

You can use this script pro-actively by scheduling it in a cron job and store the result to a remote server. Or if you suspect a compromise you can run the script against a snapshot of your Zimbra server (if you have one) and compare it against the result of the script on your running instance.

Integrity check script

As user root create a file /usr/local/sbin/zimbra-checksums with the following content:


dt=`date +'%m-%d-%Y-%T'`

echo "Fetching folders to search.."
/bin/ls -la /opt/zimbra/ | awk '{print $9}' | egrep -v 'backup|log|db|index|store|data|zmstat' | sed '1,3d' > $DIR/CHECKSUMS/zimdir

echo "Creating file list.."
for i in `cat $DIR/CHECKSUMS/zimdir`
find /opt/zimbra/"$i" -mount -type f | egrep -v "/opt/zimbra/backup/|/opt/zimbra/data/|/opt/zimbra/zmstat/" >> $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt
sed -i 's/^/"/ ; s/$/"/' $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt

echo "Calculating checksums.. (This can take time)"

cat $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt | tee -a /tmp/asdf.log | xargs sha1sum  >> $DIR/CHECKSUMS/sha1sum_zimbra_"$HN"_"$dt".log
echo "Done"


Run it as follows:

chmod +x /usr/local/sbin/zimbra-checksums

Comparing the result

The result of the script can be found in the /tmp/CHECKSUMS folder. Example:


Now to compare the result you can do the following:

cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08\:44\:06.log | sort -k2 > /tmp/resultY
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-10-2022-13\:21\:01.log | sort -k2 > /tmp/resultX
diff -Naur /tmp/resultX /tmp/resultY

The diff command will show any changes in checksums and newly created files.

Jump to: navigation, search