In addition to performing routine backups of your entire computer system, you may wish to make separate backup copies of system-critical files on a regular basis. These backups can serve several functions:
Ideally, you should back up every file that contains vital system configuration or account information.
Setting up an automatic system for backing up your system files is not difficult. You might, for instance, simply have a shell script that copies the files /etc/passwd and /usr/etc/aliases into a specially designated "backup directory" on a regular basis. Or you might have a more sophisticated system, in which a particular workstation gathers together all of the configuration files for every computer on a network, archives them in a directory, and sends you email each day that describes any modifications. The choice is up to you and your needs.
By comparing a copy of the password file with /etc/passwd, for example, you can quickly discover if a new user has been added to the system. But it is also important to check other files. For example, if an intruder can modify the /etc/rc file, the commands he inserts will be executed automatically the next time the system is booted. Modifying /usr/lib/crontab can have similar results. (Chapter 11, Protecting Against Programmed Threats, describes what you should look for in these files.)
Some files that you may wish to copy are listed in Table 7.1.
For added convenience, keep the backups of all of the system-critical files in a single directory. Make certain the directory isn't readable by any user other than root, and make sure it has a nonobvious name - after all, you want the files to remain hidden in the event that an intruder breaks into your computer and becomes the superuser! If you have a local area network, you may wish to keep the copies of the critical files on a different computer. An even better approach is to store these files on a removable medium such as a floppy disk or a cartridge disk that can be mounted when necessary.
You can use tar or cpio to store all of the files that you back up in a single snapshot. Alternatively, you can also use RCS (Revision Control System) or SCCS (Source Code Control System) to archive these files and keep a revision history.
A single shell script can automate the checking described above. This script compares copies of specified files with master copies and prints any differences. The sample script included below keeps two copies of several critical files and reports the differences. Modify it as appropriate for your own site.
#!/bin/sh
MANAGER=/u/sysadm
# The continuation lines are indented so that the names stay separated
# when the shell joins them (inside double quotes, backslash-newline is
# removed, so a name ending a line would otherwise run into the next one).
FILES="/etc/passwd /etc/group /usr/lib/aliases\
       /etc/rc* /etc/netgroup /etc/fstab /etc/exports\
       /usr/lib/crontab"
# Stop if the private directory is unavailable rather than diffing and
# copying in whatever directory we happen to be in.
cd $MANAGER/private || exit 1
for FILE in $FILES
do
        /bin/echo $FILE
        BFILE=`basename $FILE`
        /usr/bin/diff $BFILE $FILE      # report differences from the stored copy
        /bin/mv $BFILE $BFILE.bak       # keep the previous copy as .bak
        /bin/cp $FILE $BFILE            # store the current version
done
To run the script every night at midnight and mail its output to the administrator, add an entry like the following to the system crontab (the script is assumed to be saved as /u/sysadm/private/daily):

0 0 * * * root /bin/sh /u/sysadm/private/daily | mail -s "daily output" sysadm
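The following shell function is an added example, not the book's script: it performs the same snapshot-and-compare procedure but handles the cases the sample script above leaves to chance (a tampered PATH, a missing backup directory, a failed copy, a file that has vanished since the last run, and a first run with no prior copy). The function name, the SNAPSHOT_CHANGED variable and the flattened file naming are this example's own conventions.

```sh
# Usage: snapshot_and_diff BACKUP_DIR FILE...
# Prints a report; sets SNAPSHOT_CHANGED to the number of changed or missing
# files and returns 1 if that number is non-zero, 0 otherwise.
snapshot_and_diff() {
    PATH=/bin:/usr/bin; export PATH        # ignore a possibly tampered PATH
    backup_dir=$1; shift
    SNAPSHOT_CHANGED=0
    umask 077                              # new copies readable by the owner only
    mkdir -p "$backup_dir" || return 1
    chmod 700 "$backup_dir" || return 1    # directory unreadable by other users
    for file in "$@"; do
        # Flatten the path (/etc/passwd -> etc_passwd) so files with the same
        # basename in different directories do not overwrite each other.
        bfile=$backup_dir/$(printf '%s' "${file#/}" | tr / _)
        if [ ! -f "$file" ]; then
            if [ -f "$bfile" ]; then
                echo "MISSING: $file (last copy kept in $bfile)"
                SNAPSHOT_CHANGED=$((SNAPSHOT_CHANGED + 1))
            else
                echo "SKIPPED: $file does not exist and was never copied"
            fi
            continue
        fi
        if [ ! -f "$bfile" ]; then
            echo "NEW: $file (no previous copy; recording baseline)"
        elif cmp -s "$bfile" "$file"; then
            continue                       # unchanged: leave the stored copy alone
        else
            echo "CHANGED: $file"
            diff "$bfile" "$file"          # show exactly what differs
            mv "$bfile" "$bfile.bak" || return 1   # keep the previous copy
            SNAPSHOT_CHANGED=$((SNAPSHOT_CHANGED + 1))
        fi
        cp "$file" "$bfile" || return 1
    done
    [ "$SNAPSHOT_CHANGED" -eq 0 ]
}
```

Globs such as /etc/rc* may be passed unquoted so the shell expands them; when run from cron, the non-zero return status can be used to mail the report only when something actually changed.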
See Chapter 9, Integrity Management, for additional information about system checking.