Sometimes I want a simple way to determine whether a file has been changed or compromised, without the configuration required by a full-featured IDS such as AIDE or Tripwire. This technique uses CFV, a free and open-source program written in Python that “has been verified to work on linux, freebsd, openbsd, netbsd, solaris, macosx, and windows.” It can generate a variety of checksum formats, including the SHA1 used in this example.
To create the signature file covering the files in a directory and its sub-directories, use the following commands in a Linux or Mac OS X command window:
    cd /usr/local/bin
    cfv -C -rr -f bin.sha1 -t sha1
    gpg -sab bin.sha1
To verify the file signatures use the following commands:
    cd /usr/local/bin
    gpg --verify bin.sha1.asc
    cfv -M -f bin.sha1
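The gpg command verifies the integrity of the signature file (bin.sha1) by checking it against its detached signature, bin.sha1.asc. The cfv command then verifies all the files that were checksummed when the signature file was created. The order matters: the cfv result can only be trusted if the gpg check succeeded first.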
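The two verification commands above can be wrapped so that cfv only runs after the signature check passes, which is useful when the check is run unattended. This is an added example, not part of the original post; the function name, the return codes and the GPG/CFV override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Fail-closed wrapper around the gpg and cfv verification commands.
# GPG and CFV may be overridden, e.g. to point at a non-standard install path
# (these two variables are an assumption of this example).
GPG="${GPG:-gpg}"
CFV="${CFV:-cfv}"

# verify_tree DIR [MANIFEST]
# Return codes (chosen for this example):
#   0 = signature good and all files match
#   2 = directory, manifest or signature missing
#   3 = signature check failed (cfv is NOT run)
#   4 = signature good, but one or more files differ
# The body runs in a subshell so the cd does not affect the caller;
# "exit" therefore ends only the subshell and becomes the return code.
verify_tree() (
    dir="$1"
    manifest="${2:-bin.sha1}"

    cd "$dir" 2>/dev/null || exit 2

    # A missing manifest or signature is a failure, never a silent skip.
    if [ ! -f "$manifest" ] || [ ! -f "$manifest.asc" ]; then
        echo "missing $manifest or $manifest.asc in $dir" >&2
        exit 2
    fi

    # Step 1: the detached signature must match the manifest.
    # Naming both files stops gpg from guessing which data file to check.
    if ! "$GPG" --verify "$manifest.asc" "$manifest" >/dev/null 2>&1; then
        echo "signature check FAILED for $manifest; checksums not trusted" >&2
        exit 3
    fi

    # Step 2: only now compare the files against the trusted manifest.
    if ! "$CFV" -M -f "$manifest"; then
        echo "one or more files differ from $manifest" >&2
        exit 4
    fi
    exit 0
)
```

Call it as `verify_tree /usr/local/bin`. Note that gpg reports success for a valid signature from any key in its keyring, so the keyring used for the check should contain only the signing key you expect.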