In addition to performing routine backups of your entire computer system, you may wish to make separate backup copies of system-critical files on a regular basis. These backups can serve several functions:
They can help you quickly recover if a vital configuration file is unexpectedly erased or modified.
They can help you detect unauthorized modifications to critical files, as well as monitor legitimate modifications.
They make installing a new version of your operating system dramatically easier (especially if you do not wish to use your vendor's "upgrade" facility) by isolating all site-dependent configuration files in a single place.
Ideally, you should back up every file that contains vital system configuration or account information.
Setting up an automatic system for backing up your system files is not difficult. You might, for instance, simply have a shell script that copies the files /etc/passwd and /usr/etc/aliases into a specially designated "backup directory" on a regular basis. Or you might have a more sophisticated system, in which a particular workstation gathers together all of the configuration files for every computer on a network, archives them in a directory, and sends you email each day that describes any modifications. The choice is up to you and your needs.
By comparing a copy of the password file with /etc/passwd, for example, you can quickly discover if a new user has been added to the system. But it is also important to check other files. For example, if an intruder can modify the /etc/rc file, the commands he inserts will be executed automatically the next time the system is booted. Modifying /usr/lib/crontab can have similar results. (Chapter 11, Protecting Against Programmed Threats, describes what you should look for in these files.)
Some files that you may wish to copy are listed in Table 7.1.
Things to Look for
Accounts with no passwords
Changes in the system boot sequence
/etc/ttys, /etc/ttytab, or /etc/inittab
Configuration changes in terminals
/usr/lib/crontab, /usr/spool/cron/crontabs/, or /etc/crontab
New commands set to run on a regular basis
Changes in mail delivery (especially email addresses that are redirected to programs.)
/etc/exports (BSD) /etc/dfs/dfstab (SVR4)
Changes in your NFS filesystem security
Changes in network groups
/etc/fstab (BSD) /etc/vfstab (SVR4)
Changes in mounting options
Changes in network daemons
UUCP files (in /usr/lib/uucp or /etc/uucp)
L.sys or USERFILE
Changes in the UUCP system
Systems or Permissions
For added convenience, keep the backups of all of the system-critical files in a single directory. Make certain the directory isn't readable by any user other than root, and make sure it has a nonobvious name - after all, you want the files to remain hidden in the event that an intruder breaks into your computer and becomes the superuser! If you have a local area network, you may wish to keep the copies of the critical files on a different computer. An even better approach is to store these files on a removable medium such as a floppy disk or a cartridge disk that can be mounted when necessary.
You can use tar or cpio to store all of the files that you back up in a single snapshot. Alternatively, you can also use RCS (Revision Control System) or SCCS (Source Code Control System) to archive these files and keep a revision history.
A single shell script can automate the checking described above. This script compares copies of specified files with master copies and prints any differences. The sample script included below keeps two copies of several critical files and reports the differences. Modify it as appropriate for your own site.
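#!/bin/sh
# Compare each critical file with the copy saved on the previous run,
# print any differences, then rotate the saved copies.
MANAGER=/u/sysadm
FILES="/etc/passwd /etc/group /usr/lib/aliases \
/etc/rc* /etc/netgroup /etc/fstab /etc/exports \
/usr/lib/crontab"

# Stop if the backup directory is missing, so that mv and cp never
# run in the wrong directory.
cd "$MANAGER/private" || exit 1

for FILE in $FILES      # unquoted so that /etc/rc* is expanded
do
    /bin/echo "$FILE"
    BFILE=`basename "$FILE"`
    /usr/bin/diff "$BFILE" "$FILE"
    /bin/mv "$BFILE" "$BFILE.bak"
    /bin/cp "$FILE" "$BFILE"
done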
The following crontab entry assumes that you have a version of cron that allows you to specify the user under which the cron script should be run. The entry must be on a single line.

0 0 * * * root /bin/sh /u/sysadm/private/daily | mail -s "daily output" sysadm
NOTE: A significant disadvantage of using an automated script to check your system is that you run the risk that an intruder will discover it and circumvent it. Nonstandard entries in /usr/lib/crontab are prime candidates for further investigation by experienced system crackers.
See Chapter 9, Integrity Management, for additional information about system checking.
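
The password-file comparison described earlier can report more than a plain diff does: which accounts are new or removed, which have changed UID, which have an empty password field, and which share UID 0 with root. The script below is an added example, not part of the original text; the function names, the report keywords (NEW, UIDCHANGE, NOPASSWD, UID0, REMOVED), and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report account changes between a saved copy of a
# passwd-format file and the current one.
# Fields: name:password:uid:gid:gecos:home:shell

passwd_changes() {    # usage: passwd_changes SAVED_COPY CURRENT_FILE
    # pass=1/pass=2 are awk command-line assignments, so an empty saved
    # copy is still handled correctly (every account is then NEW).
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments, short lines
        pass == 1 { uid[$1] = $3; next }         # remember the saved state
        {
            seen[$1] = 1
            if (!($1 in uid))
                printf "NEW %s uid=%s shell=%s\n", $1, $3, $7
            else if (uid[$1] != $3)
                printf "UIDCHANGE %s %s->%s\n", $1, uid[$1], $3
            if ($2 == "")
                printf "NOPASSWD %s\n", $1       # empty password field
            if ($3 == 0 && $1 != "root")
                printf "UID0 %s\n", $1           # extra superuser account
        }
        END { for (n in uid) if (!(n in seen)) printf "REMOVED %s\n", n }
    ' pass=1 "$1" pass=2 "$2" | LC_ALL=C sort
}

demo() {    # constructed sample data, not taken from any real system
    d=$(mktemp -d) || return 1
    cat > "$d/saved" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
EOF
    cat > "$d/current" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:0:100:Alice:/home/alice:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
EOF
    passwd_changes "$d/saved" "$d/current"
    rm -rf "$d"
}

# With two arguments compare those files; otherwise run the demo.
if [ $# -eq 2 ]; then passwd_changes "$1" "$2"; else demo; fi
```

Run with the saved copy and /etc/passwd as its two arguments, the script prints one line per finding and nothing when the files agree, so its output can be mailed in the same way as the output of the daily script.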