If your requirements are very modest you could call it an IDS (Intrusion Detection System), but it is not an IDS. Zibu is a small tool which cyclically compares the access permissions and checksums of files provided by the user against a database generated at the first run (to be exact, generated in --init or --update mode). Its main feature, however, is restoring valid access permissions and/or executing your commands when checksums are invalid.
Because all values are kept in one big XML file, it is easy to modify it by hand when necessary.
Zibu does not implement any kind of configuration file. The only way to provide a set of files is to redirect it to Zibu's standard input. Zibu recognizes comments and empty lines, so it is possible to write a nice, readable list of files, like for example zibu.list.
Screenshot: zibu.png
Requirements: Linux/BSD (or possibly another Unix-like OS), libxml2, libgcrypt (on Debian Lenny these are the libgcrypt11-dev and libxml2-dev packages)
To build, just type the following in Zibu's directory:
$ make
First, you need to create a database. For example, you would like to protect the files /usr/bin/ssh, /usr/bin/scp, /usr/bin/valgrind and /usr/bin/g++. Additionally, you need to know when the file /usr/sbin/logcheck is changed (because you have a very bad memory).
Save those filenames in one file, e.g. /etc/zibu.list. Our /etc/zibu.list:
/usr/bin/ssh
/usr/bin/scp
/usr/bin/valgrind
/usr/bin/g++
/usr/sbin/logcheck@echo "logcheck modified" | mail -s ble me@example.com
To generate the database, type:
$ cat /etc/zibu.list | zibu --init -o /var/lib/zibu/zibu.xml
Time to check our database:
$ zibu --compare -c
If nothing has changed, zibu does nothing.
Next, you would like to run zibu cyclically. Here cron comes to the rescue. Create a shell script in /etc/cron.hourly which will run zibu:
#!/bin/sh
/path/to/zibu/zibu --compare -c -r /var/log/zibu.log
That's all! If any of the files specified in /etc/zibu.list changes over time, Zibu will restore the valid access permissions, and will send you an e-mail if /usr/sbin/logcheck is upgraded.
INIT mode
Gets filenames from stdin and creates a database. Saves the result in the output file. All comments are saved in the report file.
Example:
To create a database, type:
$ ./zibu --init
Write some filenames, separated by new lines (ENTER), and press ctrl+d (EOF) to stop.
It is convenient to redirect the output of another command to Zibu. This command writes to standard output a simple database with one file (/bin/bash):
$ echo /bin/bash | ./zibu --init
If you wish, you can save this database to a file:
$ echo /bin/bash | ./zibu --init -o zibu.xml
The report is still written to standard output, but you can redirect it too:
$ echo /bin/bash | ./zibu --init -o zibu.xml -r zibu.txt
Another way to provide a set of filenames is to create one text file with those names and redirect it to zibu's standard input. Comments (starting with #) are possible. Example file: zibu.list. Don't bother with the @ syntax; it is described later. Save your file list as "zibu.list". Now redirect it to Zibu's stdin:
$ cat zibu.list | ./zibu --init -o zibu.xml -r zibu.txt
As you can see, generating a database is very easy.
If you wish to calculate a checksum of the new database, use the -g option.
What is that mystical @?
It is a nice feature that allows you to execute a command when a file's checksum does not match. In our zibu.list, when the checksum of /usr/sbin/logcheck changes, zibu will invoke the command:
echo "Add iconv again" | mailx -s logcheck admin@example.com
to inform you about it. A simpler example:
/bin/bash@echo "/bin/bash modified"
It is important to remember that you cannot put a space before or after the @. I hope it is clear now.
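As an added example (my own shell, not part of Zibu), here are the list-format rules from this page written out as a checker you can run over a list before piping it into --init. It assumes exactly what the page states: one entry per line, blank lines ignored, comment lines starting with #, and path@command with no whitespace around the @. Two things are my own additions and not Zibu requirements: comments are treated as full-line only (so a # inside a command is kept), and paths must be absolute, because the cron job that later runs the comparison has a working directory you do not control. The function name zibu_list_check and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Zibu's code: a checker for zibu-style file lists.
# Rules assumed from the README:
#   - one entry per line, blank lines are ignored
#   - a line whose first non-blank character is '#' is a comment
#     (assumption: full-line comments only, so a '#' inside a command is kept)
#   - "path@command" runs command when the file's checksum changes
#   - no whitespace directly before or after the '@'
# Extra check, not required by Zibu: paths must be absolute, because the
# cron job that runs the comparison has a working directory you do not control.

# zibu_list_check <listfile>
# Prints one line per entry: "OK <path>" or "OK <path> CMD=<command>" for a
# valid entry, "ERR <reason> line <n>: <text>" for an invalid one.
# Returns 0 when every entry is valid, 1 otherwise.
zibu_list_check() {
    listfile=$1
    bad=0
    n=0
    # IFS= and -r keep each line byte for byte; the || clause still processes
    # a last line that has no trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # strip leading and trailing whitespace, which would otherwise end up
        # silently inside the path or the command
        entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            '' | '#'*) continue ;;            # blank line or comment
        esac
        case $entry in
            *@*)
                has_at=1
                path=${entry%%@*}             # text before the first '@'
                cmd=${entry#*@}               # text after it
                ;;
            *)
                has_at=0
                path=$entry
                cmd=
                ;;
        esac
        reason=
        case $path in
            *[[:space:]]) reason="whitespace before @" ;;
            /*)           ;;                  # absolute path, fine
            *)            reason="path is not absolute" ;;
        esac
        if [ -z "$reason" ] && [ "$has_at" = 1 ]; then
            case $cmd in
                '')           reason="empty command after @" ;;
                [[:space:]]*) reason="whitespace after @" ;;
            esac
        fi
        if [ -z "$reason" ] && [ ! -e "$path" ]; then
            reason="file does not exist"
        fi
        if [ -n "$reason" ]; then
            bad=1
            printf 'ERR %s line %s: %s\n' "$reason" "$n" "$line"
        elif [ "$has_at" = 1 ]; then
            printf 'OK %s CMD=%s\n' "$path" "$cmd"
        else
            printf 'OK %s\n' "$path"
        fi
    done < "$listfile"
    return $bad
}

# usage: zibu_list_check /etc/zibu.list
```

Running the checker first and only then piping the list into zibu --init (for example `zibu_list_check /etc/zibu.list && cat /etc/zibu.list | zibu --init -o /var/lib/zibu/zibu.xml`) catches the stray space around an @ that would otherwise turn into a wrong path or a wrong command in the database, where it is harder to spot.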
COMPARE mode
Compares the database content with the current state of the files and saves a summary to the report file. Does not create a new database.
Example:
To compare the database zibu.xml with the filesystem, use the command:
$ ./zibu --compare -d zibu.xml
Without the -d flag, zibu tries to use /var/lib/zibu/zibu.xml as the database.
To redirect the report to a file, type:
$ ./zibu --compare -d zibu.xml -r /var/log/zibu.txt
To additionally restore the valid access permissions, owner and/or group, use the '-c' flag:
$ ./zibu --compare -c -d zibu.xml -r /var/log/zibu.txt
--compare is always optional, because it is the default mode.
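To make clear what a compare with -c does and does not do, here is the same check written out in plain shell. This is an added example, not Zibu's code: it keeps a flat text baseline instead of Zibu's XML database, uses GNU coreutils (sha256sum, stat -c) instead of libgcrypt, and the names fi_record, fi_baseline and fi_compare, the record format and the "restore" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Zibu's code: the work behind "--compare -c", written out
# in plain shell so the check can be read and audited.  Assumes GNU coreutils
# (sha256sum, stat -c).  Zibu keeps an XML database and uses libgcrypt for its
# checksums; this example keeps a flat text baseline instead, one line per
# file, in this constructed format:
#   <mode> <owner> <group> <sha256> <path>

# fi_record <path>: print the baseline record for one file as it is right now
fi_record() {
    printf '%s %s %s\n' "$(stat -c '%a %U %G' "$1")" \
        "$(sha256sum "$1" | cut -d' ' -f1)" "$1"
}

# fi_baseline <listfile> <dbfile>: build the baseline (the --init step) from a
# list with one path per line
fi_baseline() {
    : > "$2"
    while IFS= read -r f || [ -n "$f" ]; do
        if [ -n "$f" ]; then
            fi_record "$f" >> "$2"
        fi
    done < "$1"
}

# fi_compare <dbfile> [restore]: check every record against the live file.
# Prints a "CHANGED <path> <what>" line for each difference.  With the word
# "restore" as second argument, mode, owner and group are put back to the
# baseline values, which is what Zibu's -c does.  Returns 0 when nothing
# differs, 1 otherwise.  Note what is NOT restored: a checksum mismatch means
# the content changed and there is nothing to restore it from, so it can only
# be reported (or, in Zibu, handed to the @command).
fi_compare() {
    db=$1
    restore=$2
    changed=0
    # path is read last so that a path containing spaces survives word splitting
    while read -r mode owner group sum path; do
        if [ ! -e "$path" ]; then
            printf 'CHANGED %s missing\n' "$path"
            changed=1
            continue
        fi
        set -- $(stat -c '%a %U %G' "$path")   # $1=mode $2=owner $3=group, now
        cur_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur_sum" != "$sum" ]; then
            printf 'CHANGED %s checksum\n' "$path"
            changed=1
        fi
        if [ "$1" != "$mode" ]; then
            printf 'CHANGED %s mode %s (expected %s)\n' "$path" "$1" "$mode"
            changed=1
            if [ "$restore" = restore ]; then chmod "$mode" "$path"; fi
        fi
        if [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
            printf 'CHANGED %s owner %s:%s (expected %s:%s)\n' "$path" "$2" "$3" "$owner" "$group"
            changed=1
            if [ "$restore" = restore ]; then chown "$owner:$group" "$path"; fi
        fi
    done < "$db"
    return $changed
}

# usage, mirroring the README's cron script:
#   fi_baseline /etc/zibu.list /var/lib/baseline.db      # once, like --init
#   fi_compare /var/lib/baseline.db restore >> /var/log/zibu.log   # hourly, like --compare -c
```

Two points follow from reading the check this way. Restoring mode, owner and group only undoes metadata changes; when the checksum of a binary no longer matches, putting its permissions back does not make it trustworthy, which is why the report (and in Zibu the @command) is the part to act on. And the baseline itself is only as trustworthy as the file it lives in, which is what the -g database checksum described on this page is for.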
UPDATE mode
Gets filenames from stdin. Keeps the database up to date: adds new files and removes missing files. Saves the result in the output file. All comments are saved in the report file.
Example:
To update the content of the database (some files might have new access permissions, or maybe you upgraded your system), type:
$ ./zibu --update -d zibu.xml -o zibu_new.xml
Zibu will ask you to enter some new filenames. You can safely press ctrl+d if you don't want to add any.
As you can see, --update is --compare and --init combined.
Work modes:
--init
Gets filenames from stdin and creates a database. Saves the result in
the output file. All comments are saved in the report file.
--showdb
Prints database content.
--compare
Compares the database content with the current state of the files and
saves a summary to the report file. Does not create a new database.
--update
Gets filenames from stdin. Keeps the database up to date: adds new files
and removes missing files. Saves the result in the output file. All
comments are saved in the report file.
--version
Displays Zibu's version.
--help
Displays help.
Additional options:
-g
Generates a database checksum and saves it to db.xml.md5.random
-c
Restores correct access permissions (owner, group, mode)
-d <db.xml>
Zibu's database (by default /var/lib/zibu/zibu.xml)
-o <out.xml>
Output file (by default stdout)
-r <report.txt>
Report file (by default stdout)
Andrzej 'Raziel' Karwala
Tomasz 'urug' Olszewski <tomek[at]tolszewski.pl>