18.2 Backing Up System Files
In addition to performing routine
backups of your entire computer system, you may wish to make separate
backup copies of system-critical files on a regular basis. These
backups can serve several functions:
They can help you quickly recover if a vital configuration file is
unexpectedly erased or modified.
They can help you detect unauthorized modifications to critical
files, as well as monitor legitimate modifications.
They make installing a new version of your operating system
dramatically easier (especially if you do not wish to use your
vendor's "upgrade"
facility) by isolating all site-dependent configuration files in a
single place.
Ideally, you should back up every file that contains vital system
configuration or account information.
Setting up an automatic system for backing up your system files is
not difficult. You might, for instance, simply have a shell script
that makes a tar file of the
/etc directory on a regular basis. Or you might
have a more sophisticated system, in which a particular workstation
gathers all of the configuration files for every computer on a
network, archives them in a directory, and sends you email each day
that describes any modifications. The choice is up to you and your
needs.
18.2.1 Which Files to Back Up?
If you are constructing a system for backing up system files on a
regular basis, you should carefully consider which files you wish to
archive and what you want to do with them.
By comparing a copy of the password file with
/etc/passwd, for example, you can quickly
discover whether a new user has been added to the system. But it is
also important to check other files. For example, if an intruder can
modify the /etc/rc file, the commands he inserts
will be executed automatically the next time the system is booted.
Modifying /usr/lib/crontab can have similar
results. (Chapter 23 describes what you should look
for in these files.)
Some files that you may wish to copy are listed in Table 18-1.
Table 18-1. Critical system files that you should frequently back up

File(s)                                            | What a change may indicate
/etc/passwd                                        | New accounts
/etc/shadow                                        | Accounts with no passwords
/etc/group                                         | New groups
/etc/rc*, /etc/init.d (some systems)               | Changes in the system boot commands
/etc/ttys, /etc/ttytab, /etc/inittab               | Configuration changes in terminals
/usr/lib/crontab, /usr/spool/cron/crontabs/,       | New commands set to run on a regular basis
  /etc/crontab, /etc/cron.*                        |
/usr/lib/aliases, /etc/aliases, /etc/mail/aliases  | Changes in mail delivery (especially email
                                                   | addresses that are redirected to programs)
/etc/exports (BSD), /etc/dfs/dfstab (SVR4)         | Changes in your NFS filesystem security
/etc/netgroups                                     | Changes in network groups
/etc/fstab (BSD), /etc/vfstab (SVR4)               | Changes in mounting options
/etc/inetd.conf, /etc/xinetd.d/*                   | Changes in network daemons
/etc/pam.conf, /etc/pam.d/*                        | Changes in PAM that control security for
                                                   | various programs
/etc/*.conf                                        | Changes to other configuration files
18.2.2 Building an Automatic Backup System
For added convenience, keep the backups of all
of the system-critical files in a single directory. Make certain that
the directory isn't readable by any user other than
root, and make sure it has a nonobvious
name—after all, you want the files to remain hidden in the
event that an intruder breaks into your computer and becomes the
superuser! If you use a public key encryption system, you can
configure your backup system so that the files are encrypted with a
public key so that they can be decrypted only with your specially
authorized private key. If you
have a local area network, you may wish to keep the copies of the
critical files on a different computer. Another approach is to store
these files on a removable medium, such as a writable optical drive,
that can be mounted when necessary.
You can use tar or
cpio to store all of the files that you back
up in a single snapshot. Alternatively, you can use
RCS (Revision Control System), CVS
(Concurrent Versions System), or SCCS (Source Code Control System) to
archive these files and keep a revision history.
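The following is an added example, not code from the book, of the storage side of such a system: each run writes a dated tar snapshot of the listed files into a directory that only its owner can read, records a cksum manifest of the files as they were, and, if a gpg key id is given, encrypts the archive to that public key so the private key is needed to read it back. The directory layout, the manifest file, and the use of gpg as the public key system are this example's assumptions; it relies on the -P (absolute names) option of GNU or BSD tar so that a restore puts files back where they came from.

```shell
#!/bin/sh
# Added example (not the book's code): dated tar snapshots of critical files
# in an owner-only directory, optional public key encryption with gpg, and
# restoration of one file from the newest snapshot.

# snapshot_files SNAPDIR GPG_RECIPIENT FILE...
# GPG_RECIPIENT is a gpg key id; pass "" to keep the archive unencrypted.
# Prints the path of the archive written; returns nonzero on failure.
snapshot_files() {
    snapdir=$1; recipient=$2; shift 2
    mkdir -p "$snapdir" || return 1
    chmod 700 "$snapdir"                 # readable by the owner only
    archive="$snapdir/snapshot-$(date +%Y%m%d-%H%M%S).tar"
    manifest="$archive.manifest"
    # -P keeps absolute path names so a restore puts files back in place
    tar -cPf "$archive" "$@" || return 1
    # Manifest: POSIX cksum of every file as it was at snapshot time
    cksum "$@" > "$manifest"
    if [ -n "$recipient" ]; then
        gpg --batch --yes --encrypt --recipient "$recipient" \
            --output "$archive.gpg" "$archive" || return 1
        rm -f "$archive"                 # only the encrypted copy remains
        archive="$archive.gpg"
    fi
    chmod 600 "$archive" "$manifest"
    echo "$archive"
}

# latest_snapshot SNAPDIR: prints the newest archive (the date stamp in the
# name sorts chronologically); returns 1 if there is none.
latest_snapshot() {
    ls "$1"/snapshot-*.tar "$1"/snapshot-*.tar.gpg 2>/dev/null |
        sort | tail -n 1 | grep .
}

# restore_file SNAPDIR FILE: extract FILE from the newest snapshot back to
# its original location, decrypting first if the archive is encrypted.
restore_file() {
    snapdir=$1; file=$2
    latest=$(latest_snapshot "$snapdir") || return 1
    case $latest in
        *.gpg) gpg --batch --quiet --decrypt "$latest" | tar -xPf - "$file" ;;
        *)     tar -xPf "$latest" "$file" ;;
    esac
}
```

A nightly cron entry would call snapshot_files with the list of files from Table 18-1; restore_file is what you reach for when one of them has been erased or overwritten. The manifest lets you check later, with cksum, whether a live file still matches what was archived.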
Keeping printed
paper copies of your most important
configuration files is a good idea. If something happens to the
online versions, you can always refer to the paper ones. Paper
records are especially important if your system has crashed in a
severe and nontrivial fashion because in these circumstances you may
not be able to recover your electronic versions. Finally, paper
printouts can prove invaluable in the event that your system has been
penetrated by nefarious intruders because paper is a physical record.
Even the most skilled network intruders cannot use a captured account
to alter a printout in a locked desk drawer or other safe location.
A single shell script can automate the checking described above. This
script compares copies of specified files with master copies and
prints any differences. The following sample script keeps two copies
of several critical files and reports the differences. Modify it as
appropriate for your own site.
#!/bin/sh
# Directory whose private/ subdirectory holds the saved copies
MANAGER=/u/sysadm
FILES="/etc/passwd /etc/ttys /etc/rc /etc/crontab"
# Stop if the private directory is missing rather than copying files elsewhere
cd "$MANAGER/private" || exit 1
for FILE in $FILES
do
    /bin/echo "$FILE"
    # The saved copy carries the file's basename (e.g., private/passwd)
    BFILE=$(basename "$FILE")
    # Report any differences between the saved copy and the live file
    /usr/bin/diff "$BFILE" "$FILE"
    # Rotate: keep the previous copy as .bak and take a fresh copy
    /bin/mv "$BFILE" "$BFILE.bak"
    /bin/cp "$FILE" "$BFILE"
done
You can use cron to automate
running this daily shell script as follows:
0 0 * * * root /bin/sh /u/sysadm/private/daily | mail -s "daily output" sysadm
FreeBSD's nightly security script automates this
process. Similar approaches are available on other Unix operating
systems.
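As an added example (not the book's script), here is a variant of the daily check that also covers the cases the sample script above leaves to the reader: the first run, when no saved copy exists yet; a live file that has disappeared; and a private directory that has become readable by other users. It rotates the saved copy only when the live file actually changed, so the .bak copy always reflects the last known-good state, and its exit status is nonzero whenever something changed, so the cron mail can be filtered on it. The directory layout (one saved copy per file, named by its basename, plus a .bak of the previous copy) follows the sample script; the function names and output format are this example's own.

```shell
#!/bin/sh
# Added example, not the book's code: compare live copies of critical files
# with saved copies in a private directory, report differences, and rotate.

# ensure_private_dir DIR: create DIR if needed and verify that the group and
# other permission bits are all off (the directory must be root-only).
ensure_private_dir() {
    [ -d "$1" ] || mkdir -p "$1" || return 1
    chmod 700 "$1"
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "ERROR: $1 is readable by other users" >&2; return 1 ;;
    esac
}

# check_file PRIVDIR FILE: compare the live file with its saved copy.
# Returns 0 if unchanged, 1 if changed or newly recorded, 2 if FILE is gone.
check_file() {
    privdir=$1; file=$2
    saved="$privdir/$(basename "$file")"
    if [ ! -f "$file" ]; then
        echo "MISSING: $file (saved copy kept for recovery)"
        return 2
    fi
    if [ ! -f "$saved" ]; then
        cp -p "$file" "$saved" && chmod 600 "$saved"
        echo "NEW BASELINE: $file"
        return 1
    fi
    if cmp -s "$saved" "$file"; then
        echo "OK: $file"
        return 0
    fi
    echo "CHANGED: $file"
    diff "$saved" "$file"         # lines marked '>' are new in the live file
    mv "$saved" "$saved.bak"      # keep the previous copy for comparison
    cp -p "$file" "$saved" && chmod 600 "$saved"
    return 1
}

# check_all PRIVDIR FILE...: run check_file over every FILE and summarise.
# Returns 0 only when nothing changed or went missing.
check_all() {
    privdir=$1; shift
    ensure_private_dir "$privdir" || return 2
    changed=0
    for f in "$@"; do
        check_file "$privdir" "$f" || changed=$((changed + 1))
    done
    echo "$changed of $# file(s) changed, missing, or newly recorded"
    [ "$changed" -eq 0 ]
}

# When invoked with arguments (e.g. from cron), run the check; with none,
# only define the functions so the file can be sourced.
if [ $# -gt 0 ]; then
    check_all "$@"
fi
```

Run it from the same kind of cron entry shown above, passing the private directory and the file list as arguments, for example /bin/sh /u/sysadm/private/daily /u/sysadm/private /etc/passwd /etc/group /etc/inetd.conf. Because the saved copies live under the private directory, the script reports a permission problem rather than quietly writing copies of /etc/shadow into a world-readable place.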
One disadvantage of using an automated script to check your system is
that you run the risk of an intruder discovering it and circumventing
it. Nonstandard entries in /usr/lib/crontab are
prime candidates for further investigation by experienced system
crackers.
See Chapter 20 for additional information about
system checking.