A new File Integrity Control tool for remote logs that use hashdeep(1) for generated a two level set of hashes and gpg(1) to sign the second level hashes. More than one user can use gpg(1) sign and verify.

The tool is implemented with a pair of idempotent Makefile for respectively the remote (hashdeep(1)) and the local (gpg(1)) part of the task.

The hashdeep_space_remote_log.mk makefile using hashdeep(1) is installed by Makefile (make init) on $(loghost) (to be defined in loghost.mk).

Once installed hashdeep_space_remote_log.mk will be invoked by cron with hash target.

The hash target invoke hashdeep(1) for each log file of each logged node for the previous day and store the file of known hashes in $node/YY/MM/DD/hashdeep.txt (so that the file of known hashes will be there when the day become a tgz), then invoked again hashdeep(1) upon all the new hashdeep.txt and store the global file of known hashes in .hashdeep at the root of remote logs file tree.

One can then invoke hashdeep_space_remote_log.mk with target check.

The check target will invoke hashdeep(1) in audit mode for each file of known hashes of the previous day (either failing or dropping a .audit file), then invoke again hashdeep(1) in audit mode upon all the the global file of known hashes (but don't make a .audit file, thus hashdeep_space_remote_log.mk check will always at least run an audit of the global file of known hashes).

These target are idempotent and we never want to recompute the files of known hashes, but we may want to replay audit mode, so the clean target will remove all the .audit file of the previous day.

All three targets (hash, check and clean) can be invoke for all available anterior day by using n argument to tell use the current day - n (e.g. like make check n=3 to generate and check all hashes (because check depends on hash) from three days ago logs). To check again a previous day whose hashes already exists use make clean check n=3.

Currently we keep 7 days available for this tool. Previous day are archived as a tgz file. We should extend the tool to allow check of any previous day.

The same Makefile used to install hashdeep_space_remote_log.mk on $(loghost) is also used to make gpg(1) signatures of all global files of known hashes.

First we copy all global file of known hashes for all days from $(loghost) into .hasdeep (which is in .gitignore) and all previously generated signatures into .sig-$(USER) (which is also in .gitignore) so that different user may sign the files of known hashes. This made via make get.

Then we generate all the missing signatures for all files in .hasdeep and the generated signatures goes into .hasdeep. This is made via make sig (via gpg -ba to generate detached ascii signature) .

Then we push back all generated signatures on $(loghost) into .sig-$(USER) at the root of remote logs file tree.

We can then verify all the files with their corresponding signatures using make chk (via gpg --verify $signature $hashes).

All these steps are made via make main

As a extra step we can use make get again to get back latest generated signatures and we then will be able to compare all remotes signatures with local ones via make cmp (or make full to play the full targets stack)

An alternative way would be to store signatures on a repository instead on the remote node.

A evolution will be to limit the number of days to verify.