Zimbra installation integrity check

The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can for example be caused by hackers.

You can use this script pro-actively by scheduling it in a cron job and store the result to a remote server. Or if you suspect a compromise you can run the script against a snapshot of your Zimbra server (if you have one) and compare it against the result of the script on your running instance.

As user root create a file /usr/local/sbin/zimbra-checksums with the following content:

#!/bin/bash 

DIR='/tmp'
mkdir $DIR/CHECKSUMS
dt=`date +'%m-%d-%Y-%T'`
HN=`hostname`

echo "Fetching folders to search.."
/bin/ls -la /opt/zimbra/ | awk '{print $9}' | egrep -v 'backup|log|db|index|store|data|zmstat' | sed '1,3d' > $DIR/CHECKSUMS/zimdir

echo "Creating file list.."
for i in `cat $DIR/CHECKSUMS/zimdir`
do
find /opt/zimbra/"$i" -mount -type f | egrep -v "/opt/zimbra/backup/|/opt/zimbra/data/|/opt/zimbra/zmstat/" >> $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt
done
sed -i 's/^/"/ ; s/$/"/' $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt

echo "Calculating checksums.. (This can take time)"

cat $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt | tee -a /tmp/asdf.log | xargs sha1sum  >> $DIR/CHECKSUMS/sha1sum_zimbra_"$HN"_"$dt".log
echo "Done"

exit

Run it as follows:

chmod +x /usr/local/sbin/zimbra-checksums
/usr/local/sbin/zimbra-checksums

Comparing the result

The result of the script can be found in the /tmp/CHECKSUMS folder. Example:

/tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08:44:06.log

Now to compare the result you can do the following:

cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08\:44\:06.log | sort -k2 > /tmp/resultY 
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-10-2022-13\:21\:01.log | sort -k2 > /tmp/resultX 
diff -Naur /tmp/resultX /tmp/resultY

The diff command will show any changes in checksums and newly created files.

Futher reading

, ,

9 Responses to Zimbra installation integrity check

  1. Juliano Morona October 12, 2022 at 6:33 AM #

    A good tip for improving Zimbra security but I prefer to use Tripwire.

  2. Jered October 12, 2022 at 8:12 AM #

    Can you publish a “known good” list of hashes?

    For those of us just learning about the unpatched remote root exploit that’s been active for a month, it would be helpful to identify if our systems are compromised!

    • Avatar photo
      Barry de Graaff October 12, 2022 at 8:18 AM #

      At this time the only way to check is run the script on a snapshot or backup from the past.

    • Gianluca Stella October 17, 2022 at 12:11 AM #

      We cannot be sure the snapshot from the past is clean, that’s why I totally agree with Jered’s request.

      Can you post hashes file from a fresh single-server Zimbra installation? It will help to verify the current situation of the server; next we can “safely” generate hashes of the current instance and use them a “baseline” for further checks.

  3. Thomas Maeder October 13, 2022 at 5:09 AM #

    We have been doing something along these lines for years.

    Sometimes, we detect spontaneous changes in the file permissions, e.g.:

    File: /opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/h/rest.class
    Permissions: rw-rw-r- , rw-r—-

    as if somebody had done chmod g-w,o-r during the previous day.

    Is this something to worry about?

    • Avatar photo
      Barry de Graaff October 16, 2022 at 9:46 PM #

      If permissions changes happen, you will want to investigate what caused the changes. Normally permissions don’t change spontaneously. It can happen if you install a Zimbra patch, OS update or some other action a sys-admin did. Perhaps you are running a cron job to set your custom permissions, and Zimbra patches changed them also, and as a result you see these permission changes. You could install a Zimbra test server and see what the permissions look like without your cron job.

      If you have more doubts, please open a support case, thanks!

  4. Another Solution October 17, 2022 at 4:53 AM #

    There is a standard free utility doing it for specific folders/files in a controlled manner – aide (similar to tripwire) – Advanced Intrusion Detection Environment:

    dnf install aide
    man aide

    Config file: /etc/aide.conf

    # Save the checksums
    aide –init

    # Verify the checksums
    aide –check

  5. Thomas Maeder October 18, 2022 at 2:04 AM #

    Thanks!

    Yesterday, we updated to the latest version, including zimbra-patch-8.8.15.1664798903.p34-2.r7.x86_64 and zimbra-mbox-webclient-war-8.8.15.1664792862-1.r7.x86_64

    This changed the permissions of some files from rw-r—- to rw-rw-r- . From experience, I expect Zimbra to change them back in the near future.

    I have opened a support case.

    NB: AIDE (suggested in another comment) is the tool I refered to when I wrote “something along these lines”.

  6. Cedric October 19, 2022 at 1:41 PM #

    Add a few lines to make it easier

    cp $DIR/CHECKSUMS/sha1sum_latest.log $DIR/CHECKSUMS/sha1sum_previous.log
    cp $DIR/CHECKSUMS/sha1sum_zimbra_”$HN”_”$dt”.log $DIR/CHECKSUMS/sha1sum_latest.log

    cat $DIR/CHECKSUMS/sha1sum_previous.log | sort -k2 > $DIR/CHECKSUMS/sha1sum_previous_sorted.log
    cat $DIR/CHECKSUMS/sha1sum_latest.log | sort -k2 > $DIR/CHECKSUMS/sha1sum_latest_sorted.log
    echo “******************* COMPARE *******************”
    diff -Naur $DIR/CHECKSUMS/sha1sum_previous.log $DIR/CHECKSUMS/sha1sum_latest.log

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures