scrubudu wrote: I'm searching for an exhaustive URL that lists every binary file that should be in Zimbra, per version, especially binary files. Does it exist? (like zmbackup, which was born with 8.7 --> Disaster recovery Tech Zimbra Post)..
It would be ideal to have a list of the accesses (r, w, or x) made by each binary too, in /opt/zimbra and in other filesystems too (/tmp etc...).
A few things... use sha256sum or sha1sum to see if the contents change.
Code:
% sha1sum /tmp/somefile
da39a3ee5e6b4b0d3255bfef95601890afd80709 /tmp/somefile
% echo hello >> /tmp/somefile
% sha1sum /tmp/somefile
f572d396fae9206628714fb2ce00f72e94f2258f /tmp/somefile
Code:
# su - zimbra
% find /opt/zimbra -type f -exec sha1sum {} \; | head -5
9e1146751bc76bb2a96fa663768e7f4c03c96e4e /opt/zimbra/jetty-distribution-7.6.2.z4/webapps/zimlet/WEB-INF/web.xml
21082b6caa310fc9faf60997d8c071ea48294d95 /opt/zimbra/jetty-distribution-7.6.2.z4/etc/jetty.properties
e4b8f7148fdd1483d2d26591ce64d7d96d26bddd /opt/zimbra/jetty-distribution-7.6.2.z4/etc/mailboxd.der
...
1. Install a pristine Zimbra + patches on some VM, but don't worry about the data, etc. You are after the patched binaries, etc.
2. Run aide against /opt/zimbra to generate a database of signatures for each file and directory, etc.
3. Copy the resulting aide database to your production machine.
4. Verify the production system against that list of signatures (permissions + sha256), which will spit out a list of changes.
Here is something quick and dirty to give you an idea of how the configuration file looks:
Code:
# just sha256 + permissions + user + group + number of links
CONTENT = sha256+p+n+u+g
/opt/zimbra CONTENT
!/opt/zimbra/index
!/opt/zimbra/redolog
!/opt/zimbra/zmstat
!/opt/zimbra/data
!/opt/zimbra/store
!/opt/zimbra/backup
!/opt/zimbra/db
!/opt/zimbra/log
The other way is to look at the packages to get a list and use the package manager to help you (I don't know what OS you have, so I show CentOS/RHEL). You are probably interested in jetty, which is in zimbra-store, and you can run these commands as a normal user (you don't need to be root or zimbra), so you can't mess anything up.
Code:
% rpm -q zimbra-store
zimbra-store-8.7.11_GA_1854.RHEL6_64-20170531151956.x86_64
% rpm -ql zimbra-store | grep jetty |head -5
/opt/zimbra/jetty-distribution-9.3.5.v20151012
/opt/zimbra/jetty-distribution-9.3.5.v20151012/README.TXT
/opt/zimbra/jetty-distribution-9.3.5.v20151012/VERSION.txt
/opt/zimbra/jetty-distribution-9.3.5.v20151012/bin
/opt/zimbra/jetty-distribution-9.3.5.v20151012/bin/jetty.sh
% rpm -V zimbra-store |head -1
SM5....T. /opt/zimbra/conf/templates/templates/calendar/Appointment.template
Code:
S file Size differs
M Mode differs (includes permissions and file type)
5 digest (formerly MD5 sum) differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T Time differs
P caPabilities differ
The problem with rpm verify is that subsequent patches, a normal install from Zimbra with install.sh, changes like fixperms, etc. have changed things a bit, as has normal operation, but it is a start if you don't have an aide/tripwire database.
Run a tripwire daily and it will teach you how your system changes, so you know what is normal and what is not... it will also teach you what the patches and updates do.
Having said all that... I need to caution that if they obtained root, a determined hacker can hide in places that would make me never trust that server again. At this point in time everyone should have either locked down access to trusted IPs or applied the patches.
HTH,
Jim
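The aide workflow above (baseline first, then a verify run that reports what changed) reduced to a short script, added here as an illustration; it is not code from Jim's post or from the AIDE project. The CONTENT attributes (sha256+p+n+u+g) and the excluded directories follow the sample config above; the scratch tree, its file names and the tampering done to it are constructed for the demo.

```python
import hashlib, os, shutil, stat, tempfile
EXCLUDES = ("index", "redolog", "zmstat", "data", "store", "backup", "db", "log")  # the "!" lines

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root, excludes=EXCLUDES):
    """Map relative path -> CONTENT attributes (sha256+p+n+u+g) of each regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # prune excluded top-level directories before descending into them
            dirnames[:] = [d for d in dirnames if d not in excludes]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # symlinks, sockets etc. are not hashed here
                baseline[os.path.relpath(full, root)] = {
                    "sha256": sha256_file(full), "p": stat.S_IMODE(st.st_mode),
                    "n": st.st_nlink, "u": st.st_uid, "g": st.st_gid}
    return baseline

def verify(root, baseline, excludes=EXCLUDES):
    """Re-scan root and return sorted (path, finding) pairs for everything that differs."""
    current = build_baseline(root, excludes)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline or path not in current:
            findings.append((path, "added" if path in current else "removed"))
            continue
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            findings.append((path, "changed:" + "+".join(changed)))
    return findings

def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, then verify it."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("bin/zmcontrol", "bin/zmprov", "log/mailbox.log"):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f: f.write(b"original\n")
        base = build_baseline(root)
        with open(os.path.join(root, "bin/zmcontrol"), "ab") as f: f.write(b"x")  # sha256 differs
        os.chmod(os.path.join(root, "bin/zmprov"), 0o4755)   # setuid bit added: p differs
        open(os.path.join(root, "bin/extra"), "wb").close()  # new file: reported as added
        with open(os.path.join(root, "log/mailbox.log"), "ab") as f: f.write(b"x")  # excluded
        return verify(root, base)
    finally:
        shutil.rmtree(root)
```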