Appendix B. A lot of Perls


I was also contacted by Harlan Carvey, who told me about his own implementation of a Tripwire-like system in Perl. Harlan's motives are the same as mine: improving the security of the Windows boxes out there. I try to help by writing these text files; he does so by maintaining a rather complete security suite for NT, all written in Perl and available on the web at http://patriot.net/~carvdawg/perl.html. Make sure also to read his paper "System Security Administration for NT", presented recently at the Usenix LISA-NT '00 conference in Seattle, WA. On his pages, you will find numerous links to Perl resources for the NT platform, along with the tools he designed. These tools let you do things like extract info from the event viewer, collect information through the network, parse log files, and... perform integrity checking just like Tripwire. Notice that these Perl scripts use the MD5 hash algorithm for the checksum, same as the original Tripwire, which is a stronger algorithm than the CRC-32 used by InstallWatch Pro.

I still didn't have a chance to learn Perl yet, but I plan to do so soon. In the meanwhile, I am unable to comment on the scripts, but I will put the code here anyway. I think it is short enough to be self-explanatory (2 scripts, filesentry.pl and verify.pl). Be sure to go to http://patriot.net/~carvdawg/perl.html for the other goodies.

#! c:\perl\bin\perl.exe
##############################################################
#
# filesentry.pl
# Generate MD5 checksums on files in the md5_conf file
# (example at end of script)
#
# Use with system files, web pages, etc.  Can also use files
# on mapped drives, but must use complete path.
#
# copyright 1999 H. Carvey
##############################################################
use Digest::MD5;
use File::stat;

usage();

# config file: one path per line
$config = "md5_conf";
# log file for checksums...this is the file that will
# be verified by verify.pl
$log = "md5_log";

open (CONF, "$config") || die "Could not open config file: $!\n";
open (LOG, "> $log") || die "Could not open log file: $!\n";

# one line of the config file per iteration
while (<CONF>) {
  $file = $_;
  chomp $file;
  if (-d $file) {
    print "$file is a directory.  Skipping...\n";
  }
  else {
    if (-e $file) {
      $base = baseline($file);
      $size = stat($file)->size;
      $atime = stat($file)->atime;
      $mtime = stat($file)->mtime;
      $ctime = stat($file)->ctime;

      print "$file $base $size $atime $mtime $ctime\n";
      print LOG "$file $base $size $atime $mtime $ctime\n";
    }
    else {
      print "$file does not exist.\n";
    }
  }
}
close(CONF);
close(LOG);

# MD5 digest of the file contents, base64-encoded
sub baseline {
  my ($file) = @_;
  open (FILE, $file) or die "Can't open $file: $!\n";
  binmode(FILE);
  $digest = Digest::MD5->new->addfile(*FILE)->b64digest;
  close(FILE);
  return $digest;
}

sub usage {
  print "FileSeNTry, by H. Carvey\ncopyright 1999 H. Carvey\n\n";
}

# Example md5_conf file...remove comment delimiters (#)
# File must contain only the filenames and paths
# No spaces
#
# c:\io.sys
# c:\config.sys
# c:\autoexec.bat
# c:\winnt\system32\fpnwclnt.dll
-------------
#! c:\perl\bin\perl.exe
##############################################################
#
# verify.pl
# Verify MD5 checksums on files in the md5_log file
# (generated by filesentry.pl)
#
# Use with system files, web pages, etc.  Can also use files
# on mapped drives, but must use complete path.
#
# copyright 1999 H. Carvey
##############################################################
use Digest::MD5;

usage();

$log = "md5_log";
print "Verifying data...\n";

open (LOG, "$log") || die "Could not open log file: $!\n";

# each log line is: path digest size atime mtime ctime
# only the first two fields (path and digest) are compared
while (<LOG>) {
  ($f, $md) = split();
  if (verify($f, $md)) {
    print "$f verified.\n";
  }
  else {
    print "$f not verified.\n";
  }
}
close(LOG);

# MD5 digest of the file contents, base64-encoded
sub baseline {
  my ($file) = @_;
  open (FILE, $file) or die "Can't open '$file': $!\n";
  binmode(FILE);
  $digest = Digest::MD5->new->addfile(*FILE)->b64digest;
  close(FILE);
  return $digest;
}

# recompute the digest and compare it with the recorded one
sub verify {
  my ($file, $md5) = @_;
  if (baseline($file) eq $md5) { return 1; }
  else { return 0; }
}

sub usage {
  print "FileSeNTry -> verify, by H. Carvey\ncopyright 1998 H. Carvey\n";
}
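The two scripts above record a digest at baseline time and recompute it at verify time. The following is an added example, written for this page in Python rather than Perl and not part of Harlan Carvey's suite, that shows the same baseline/verify cycle end to end and goes a little beyond the scripts: it reports three distinct outcomes (verified, modified, missing), keeps the size and mtime it recorded instead of only the hash, and writes the log tab-separated so paths containing spaces survive the round trip (the "No spaces" restriction of md5_conf exists because verify.pl splits its log lines on whitespace). It uses SHA-256 instead of MD5, since MD5 is no longer collision-resistant; the file names and contents in demo() are constructed for the example.

```python
"""Tripwire-style baseline and verify, as an added example (not the page's scripts)."""
import hashlib
import os
import shutil
import tempfile

HASH = "sha256"  # assumption: SHA-256 instead of the MD5 used by filesentry.pl


def file_digest(path, algo=HASH):
    """Hex digest of a file's contents, read in binary mode in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record digest, size and mtime of each existing regular file.

    Directories and missing paths are skipped, as filesentry.pl does.
    """
    records = {}
    for p in paths:
        if os.path.isdir(p) or not os.path.exists(p):
            continue
        st = os.stat(p)
        records[p] = {"digest": file_digest(p), "size": st.st_size,
                      "mtime": int(st.st_mtime)}
    return records


def write_log(records, log_path):
    """One tab-separated line per file; the path is last so it may contain spaces."""
    with open(log_path, "w", encoding="utf-8") as fh:
        for p, r in sorted(records.items()):
            fh.write(f"{r['digest']}\t{r['size']}\t{r['mtime']}\t{p}\n")


def read_log(log_path):
    """Parse the log written by write_log back into a records dict."""
    records = {}
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, size, mtime, p = line.split("\t", 3)
            records[p] = {"digest": digest, "size": int(size), "mtime": int(mtime)}
    return records


def verify(records):
    """Compare the current file system state against a baseline.

    Returns {path: "verified" | "modified" | "touched" | "missing"}.
    "touched" means the content hash still matches but the mtime moved.
    """
    result = {}
    for p, r in records.items():
        if not os.path.exists(p):
            result[p] = "missing"
            continue
        st = os.stat(p)
        if file_digest(p) != r["digest"]:
            result[p] = "modified"
        elif int(st.st_mtime) != r["mtime"]:
            result[p] = "touched"
        else:
            result[p] = "verified"
    return result


def demo():
    """Constructed scenario: baseline three files, then alter one and delete another.

    Returns the verify() result keyed by base name.
    """
    tmp = tempfile.mkdtemp()
    names = ["boot config.ini", "system32.dll", "autoexec.bat"]  # constructed, one with a space
    paths = [os.path.join(tmp, n) for n in names]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"original content of " + os.path.basename(p).encode())
    log = os.path.join(tmp, "integrity_log")
    # a directory and a non-existent path are included to show they are skipped
    write_log(baseline(paths + [tmp, os.path.join(tmp, "does_not_exist")]), log)
    with open(paths[1], "ab") as fh:
        fh.write(b" tampered")  # content change: digest no longer matches
    os.remove(paths[2])
    status = verify(read_log(log))
    shutil.rmtree(tmp)
    return {os.path.basename(p): s for p, s in status.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

As with the original scripts, the log itself is the weak point: it must be stored where the files being checked cannot be altered by the same party (read-only media or a separate host), otherwise an attacker who changes a file can simply regenerate the baseline.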

