Parachute In, Helicopter Out

by J. Edward Durrett

The security expert, forensics master and Unix guru Hal Pomeranz created a method of parachuting in a set of tools
to perform file integrity checks and then extracting the information, as well as the tools, to perform analysis on
another system. This is advantageous for both performing investigations and general intrusion detection checks.
There were a couple of things he mentioned about the script he wrote that he thought could be done better. I liked
the idea so much I decided to rewrite the script to address those issues and enhance the script to serve my
purposes as well.

Hal thought it would be useful to be able to run the script without it actually doing anything, for testing and
debugging purposes. I added a dry-run command line option which achieves this. As the name implies, it will just
show you what it is going to do without actually doing it.

The other thing Hal pointed out as a potential problem was that in order for this script to work it has to be run
as root and it has to remove files. A typo in the configuration file could easily erase an important part of the
file system, or the whole of it. Of course, that would not be good, so I added a safe mode option, where the script
tells you exactly what it is going to do and asks you to confirm each step. It is the safe-mode command line
switch.

Now, the safe-mode option is also where I thought the script could be improved. I made the output and the
descriptions of what was happening as clear as possible, so someone who is familiar with a Unix CLI but does not
have expert knowledge can see what is going on. So the script in a way becomes a teaching tool. It also allows
someone with less experience to perform the task of setting it up.

There is also a verbose option I added, which, as the name implies, gives a lot more information, mainly shell
debugging output. The silent option is meant to be used when the script is run from cron, once it has been tested
and is working properly.

I changed the structure quite a bit from the original, mainly by moving all the action into functions at the top.
This is of course more efficient than repeating the code in each section. The added advantage here is that this
script can be used as a template for performing other complex tasks in the same parachuting manner. Namely, with
binaries/scripts you know are good.
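As an added example (mine, not the check-JED script or any of Hal's code), here is the template structure described above written in POSIX sh rather than ksh: all actions are functions at the top, every command that touches the file system goes through one run_step wrapper that implements the dry-run, safe-mode, silent and normal behaviours, and verbose maps to the shell's own `set -x` debugging output. The tool source directory, scratch directory and aide invocation are placeholder assumptions.

```shell
#!/bin/sh
# Added template, not the check-JED script itself (sh rather than ksh).
# All actions are functions; anything that touches the file system goes through
# run_step, which implements the four modes. Paths below are hypothetical.
MODE=normal                                   # normal | dryrun | safe | silent
TOOLS_SRC=${TOOLS_SRC:-/media/cdrom/aide}     # known-good aide binary and config (placeholder)
WORKDIR=${WORKDIR:-/tmp/parachute.$$}         # scratch dir on the system under check (placeholder)
log() { [ "$MODE" = silent ] || echo "## $*"; }
# run_step "what this does" cmd args...
# dryrun: describe only; safe: describe and ask; silent: run quietly; normal: log and run
run_step() {
    desc=$1; shift
    case $MODE in
        dryrun) echo "would: $desc  [$*]"; return 0 ;;
        safe)   printf '%s\n  -> %s\nProceed? [y/N] ' "$desc" "$*"
                read -r ans
                [ "$ans" = y ] || { echo "skipped: $desc"; return 1; } ;;
        silent) ;;
        *)      log "$desc" ;;
    esac
    "$@"
}
parachute_in() {
    run_step "create scratch directory" mkdir -p "$WORKDIR" &&
    run_step "copy known-good tools in" cp -p "$TOOLS_SRC/aide" "$TOOLS_SRC/aide.conf" "$WORKDIR/"
}
integrity_check() {
    run_step "run file integrity check" "$WORKDIR/aide" --config="$WORKDIR/aide.conf" --check
}
helicopter_out() {
    run_step "bundle results and tools for offline analysis" tar -cf "$WORKDIR.tar" -C "$WORKDIR" . &&
    run_step "remove scratch directory (destructive)" rm -rf "$WORKDIR"
}
parse_opts() {               # -n dry run, -s safe mode, -v verbose, -q silent (for cron)
    MODE=normal; OPTIND=1
    while getopts nsvq opt; do
        case $opt in n) MODE=dryrun ;; s) MODE=safe ;; v) set -x ;; q) MODE=silent ;; esac
    done
}
main() {
    parse_opts "$@"
    parachute_in && integrity_check
    helicopter_out           # always clean up, even if the check fails or a step is skipped
}
if [ $# -gt 0 ]; then main "$@"; else echo "usage: $0 -n|-s|-q [-v]" >&2; fi
```

Run it with `-n` first to see every step it would take, then with `-s` to confirm each one interactively.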

The script is written for the Korn Shell (ksh). Since Hal's original script was in ksh and the supporting scripts
are too, I kept it that way. It won't work properly in sh or bash without changes. That is easy enough to do with
some trivial sed magic. Please contact me if you would like to have that done.

The script that I wrote is posted on Hal's website here:

http://deer-run.com/~hal/aide/scripts/check-JED

The parent directory contains all the supporting scripts and such.

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.