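#!/bin/bash
# Purpose: record an MD5 checksum for every *.conf file directly under /etc so
#          that later modifications can be detected.
# Author: liusingbon
# The directory and pattern below are only an example; change them to cover
# other directories or files as needed.
# Usage: run once while the files are known to be unmodified, then run again
# when tampering is suspected. Each run appends to the log, so a file whose
# checksum differs between the two runs has been changed.
#
# Caveats for anyone relying on this as an integrity check:
#  - The log is stored on the same host as the files it describes. An account
#    that can edit /etc/*.conf as root can also edit the log, so keep a copy of
#    the baseline somewhere this host cannot write (another machine or
#    read-only media) and compare against that copy.
#  - MD5 is not collision-resistant. It catches ordinary edits; where a
#    stronger guarantee is needed, sha256sum produces the same
#    "<hash>  <path>" layout.
for conf in /etc/*.conf; do
  # Use the glob directly rather than parsing `ls` output: `ls` would list the
  # contents of any directory named *.conf and would split names on whitespace.
  # The -f test also skips the literal pattern when nothing matches.
  [[ -f "$conf" ]] || continue
  md5sum "$conf" >> /var/log/conf_file.log
done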
比如:再次执行脚本前,先查看已记录的 md5 校验码;如果怀疑数据被篡改,再执行一次脚本,比对 md5 校验码是否有变化(脚本以追加方式写入日志,再次执行后同一文件会有前后两行记录可供比对):
[root@client ~]# cat /var/log/conf_file.log
cb74fedd10be5db16f6ff2353181d58d /etc/chrony.conf
649f5bf7c0c766969e40b54949a06866 /etc/dracut.conf
7ee18e3a79c3f2aba431e5e044dfc37f /etc/e2fsck.conf
72daece0832454d1e46fa1dead8590da /etc/GeoIP.conf
4eb63731c9f5e30903ac4fc07a7fe3d6 /etc/host.conf
b8d3e9f412e116fb93b9047f5fef9f37 /etc/krb5.conf
cb878ee72257736aafffff720130ca9c /etc/ld.so.conf
121c7f429126e65574656fb0fbc37e78 /etc/lftp.conf
cdc703f9d27f0d980271a9e95d0f18b2 /etc/libaudit.conf
6bd2bb550f448cb81c6f0cbf806b936f /etc/libuser.conf
164aba1ef1298affaa58761647f2ceba /etc/locale.conf
4b32bbe6d2d20a1f3150b0fb3918ae54 /etc/logrotate.conf
ee665f08e63e1942b56ada46d25b9e3f /etc/man_db.conf
b3fa4684455e14b66015af02a24d7c96 /etc/mke2fs.conf
643b68a0994aa69649e5b3f13dcf5635 /etc/nsswitch.conf
e5ef4c8f4837c1d833cf644100abe369 /etc/resolv.conf
c63fccb45c0dcbbbe17d0f4bdba920ec /etc/rsyncd.conf
0dd94a0c285fb32f41fa5b226e83c26b /etc/rsyslog.conf
8f42efd9d1efe717f27267e6a4286453 /etc/sestatus.conf
5d796b9d28e62cecda9df8ffbfb2f962 /etc/sudo.conf
60eac7835f1d36c4ffdcb401a84c3e6c /etc/sudo-ldap.conf
324c073ebf5a4811bf7fd5610f170350 /etc/sysctl.conf
839ba642d4de3d2115db7170bd0b6cba /etc/tcsd.conf
2a6ece5145eb8d37d2ea2f5811ff9351 /etc/updatedb.conf
bde42c1da4093344b653743c5cdb463d /etc/vconsole.conf
a8082a894410bece6b9290e8116a9e79 /etc/whois.conf
a7dc0d7b8902e9c8c096c93eb431d19e /etc/yum.conf