Check File integrity with Nessus (on Linux with md5sum and FILE_CHECK)

Objective

  • Monitor file integrity by generating a hash of each file and verifying it with Nessus

Generating file hash

You can create a file hash with md5sum:

/opt/nessus/sbin# md5sum nessusd
cec2b4ef8224e341111caf67b72dc6c3 nessusd

To do this recursively for every file in a folder:

find /opt/nessus/sbin/ -type f -exec md5sum {} \;
3119c5cd7c2ddfaa24f757e3b1ad3f77 /opt/nessus/sbin/nessus-check-signature
b687179fd4aae7d9c590d437e397d4f3 /opt/nessus/sbin/nessus-service
cec2b4ef8224e341111caf67b72dc6c3 /opt/nessus/sbin/nessusd
31edbbac41b1dbe1a9300ffdec909a73 /opt/nessus/sbin/nessuscli

Nessus Auditfile Check

You can verify the hash of files with Nessus via a Nessus auditfile: a FILE_CHECK item names the file and the md5 you expect, and a credentialed compliance scan of the host reports the item as passed or failed. Two things to keep in mind: the reference hashes live in the auditfile on the scanner rather than on the scanned host, so someone who can modify the host cannot also adjust the baseline, but the auditfile has to be regenerated after every legitimate update or each changed file will be reported as a failure. MD5 is not collision resistant; a match still shows that the file is unchanged since the baseline, because producing a second file with a given MD5 remains impractical, but only generate the baseline from files you trust.
Example:

<custom_item>
 type : FILE_CHECK
 description : "Verify md5 file hash for /opt/nessus/sbin/nessusd"
 file : "/opt/nessus/sbin/nessusd"
 md5 : "cec2b4ef8224e341111caf67b72dc6c3"
</custom_item>

Generating an auditfile for a folder with a bash script

The following bash script will generate an auditfile for the given directory. Run it on a known-good system, since the hashes it records become the baseline. Paths and hashes are passed to printf as %s arguments rather than spliced into the format string, so a path containing a space or a '%' does not break the output, and the file is written with plain LF line endings, which the Nessus audit parser accepts.

#!/bin/bash
appdir=/opt/nessus/sbin
exportdir=/root/auditfiles
header='<check_type:"Unix">\n\n'
footer='</check_type>\n'

mkdir -p "$exportdir"

# md5sum prints "<hash>  <path>" per file; this list is the reference baseline
find "$appdir" -type f -exec md5sum {} \; > "$exportdir/hashes.txt"

printf "$header" > "$exportdir/filehash_checks.audit"

# one FILE_CHECK item per hashed file
while read -r hash file; do
 printf '<custom_item>\n'
 printf ' type : FILE_CHECK\n'
 printf ' description : "Verify md5 file hash for %s"\n' "$file"
 printf ' file : "%s"\n' "$file"
 printf ' md5 : "%s"\n' "$hash"
 printf '</custom_item>\n\n'
done < "$exportdir/hashes.txt" >> "$exportdir/filehash_checks.audit"

printf "$footer" >> "$exportdir/filehash_checks.audit"
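To test a generated auditfile before uploading it to Nessus, or to check a host for drift from the baseline without running a scan, the following added script (not part of the original page and not Nessus code) re-implements the md5 part of FILE_CHECK locally: it parses the FILE_CHECK items out of the .audit file, recomputes md5sum for each path and reports PASS, FAIL or MISSING per item. It assumes the one-keyword-per-line layout produced by the script above; the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original page or from Nessus: verify the md5 of
# every FILE_CHECK item in a Nessus .audit file locally, the way the Nessus
# compliance plugin would remotely. Function names are this example's own.

# Print "<md5> <path>" for each <custom_item> of type FILE_CHECK that carries
# an md5 keyword. Assumes the one-keyword-per-line layout shown on this page
# and paths without embedded newlines or double quotes.
audit_md5_pairs() {
  awk '
    /<custom_item>/                        { file = ""; md5 = ""; fc = 0 }
    /^[ \t]*type[ \t]*:[ \t]*FILE_CHECK/   { fc = 1 }
    /^[ \t]*file[ \t]*:/                   { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); file = $0 }
    /^[ \t]*md5[ \t]*:/                    { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); md5 = tolower($0) }
    /<\/custom_item>/                      { if (fc && file != "" && md5 != "") print md5, file }
  ' "$1"
}

# Check one file against its expected (lowercase hex) md5.
# Exit status: 0 PASS, 1 FAIL, 2 MISSING.
verify_one() {
  local path=$1 expected=$2 actual
  if [ ! -f "$path" ]; then
    echo "MISSING $path"
    return 2
  fi
  actual=$(md5sum -- "$path" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    echo "PASS    $path"
    return 0
  fi
  echo "FAIL    $path expected=$expected actual=$actual"
  return 1
}

# One report line per FILE_CHECK item in the auditfile.
verify_audit() {
  audit_md5_pairs "$1" | while read -r expected path; do
    verify_one "$path" "$expected" || true   # keep going after a failure
  done
}

# Count report lines that are not PASS (0 means the host matches the baseline).
count_failures() {
  awk 'NF && !/^PASS/ { n++ } END { print n + 0 }'
}

audit_failures() {
  verify_audit "$1" | count_failures
}

# Usage: ./verify_audit.sh /root/auditfiles/filehash_checks.audit
if [ -n "${1:-}" ]; then
  report=$(verify_audit "$1")
  printf '%s\n' "$report"
  failed=$(printf '%s\n' "$report" | count_failures)
  echo "items not passing: $failed"
  [ "$failed" -eq 0 ]
fi
```

The script exits non-zero when any item is not PASS, so it can be dropped into cron on the host as a cheap drift detector between Nessus scans; a MISSING result after a package update usually means the auditfile baseline is stale rather than that a file was removed maliciously, so regenerate and compare before acting on it.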