Many Choices for AIX File Integrity

Many Choices for AIX File Integrity




Recently, I was on a disaster recovery (DR) exercise that was going extremely well, until I had to restore a DB2 database. The restore failed due to a corrupted image. The image had been transferred from an external secure network to our DR site, so it should have been good I thought.

I checked the image size on the source and destination and both matched up OK. Next task to do was to check the integrity of the image. By that I mean compare the signature of the source and destination to confirm that the signatures match up, using the same algorithm. Signatures are sometimes referred to (though incorrectly) as checksums, digest, hashes or fingerprints. For this article, I will stick with signatures to avoid any confusion.

Plenty of data integrity tools exist, but you don’t need them to do an ad hoc check on files. The integrity tools available with AIX are:

  • csum
  • cksum
  • sum
  • openssl
  • shasum

File integrity checks that there’s been no alteration—no addition or deletion of parts of the file from source to destination. It, in essence, checks that the file hasn’t been tampered with.

When producing a signature from a file, it can be considered a one-way signature, in that it looks at the input, which is the file, and produces a unique signature as its output based on the input. Two of the most popular algorithms used to generate signatures are: SHA (secure hash algorithm) and MD5. SHA is considered the best for signature uniqueness. SHA will generate a 20-byte and the MD5 will generate 16-byte signature. Clearly the longer the signature, the better chance or probability of obtaining uniqueness.

When generating a signature, you need to be pretty confident it will be unique with a high probability that it cannot be duplicated against another file. When you produce a signature on a file, say at the source location, be sure you use or inform the users comparing the file at the destination the algorithm originally used. If you don’t, it won’t be the same signature, which makes the use of comparing signatures in files rather redundant.

Let’s looks at how to use some of the AIX included utilities.

A Plethora of Tools

Using csum on a file using both algorithms returns:

#  csum -h MD5 myfile
670e251013ea807980baef53268ee264  myfile
# csum -h SHA1 myfile
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile

Note in the output I specified MD5, however by default if no algorithm specified it will use MD5. Also notice the longer signature for the SHA1. Of course you can specify patterns to match many files in one hit, like:

# csum -h SHA1 myfile* 
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
c4cfa40c7076f04bc128038f4aa335ffb20e98a6  myfile2

You can also direct the output to a test file. This is handy when you’re dealing with many files and wish to compare (probably within a shell script) the signatures at the destination side. The following csum output is put in the file, out_file:

# csum -o out_file -h SHA1 myfile*

The cksum is slightly different in that it produces a checksum and the byte count of the file. In this demonstration, both files have the same content. But note though they’re the same byte count, the checksum is different. The output of the command is quite useful when doing a compare of files. One simply reads in the file from within a script and then does another cksum on the original file(s) to see if there have been any changes.

# cksum myfile*
3224161752 1058 myfile
3347010591 1058 myfile2

If you have OpenSSL installed, then you have two further options for file integrity checks, spoiling you with choices. The command shasum also ships with openssl, and you use this to generate the signature.

# openssl sha1 myfile*
SHA1(myfile)= 550b856b4bd36229d5790d4c33cc75fb8dd0b8c4
SHA1(myfile2)= c4cfa40c7076f04bc128038f4aa335ffb20e98a6

# shasum myfile*
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
c4cfa40c7076f04bc128038f4aa335ffb20e98a6  myfile2

Of course, you can redirect the output to a file and then re-issue shasum to verify the signature. It will output OK if the verification check is good:

# shasum  myfile >test
# cat test
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
# shasum  -c test

Essential for Success

File checking is essential when you need to verify that the file hasn’t been tampered with. In my case, I found that the signature of the transferred file didn’t match at the DR exercise. I discovered that the DB2 image was transferred as text and not as binary mode. So it then got re-transferred correctly as binary and the signatures matched up when I checked them. The restore was successful.

0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Part 1, Memory overview and tuning memory parameters AIX7
Viewed 3965 times since Wed, Jun 19, 2019
AIX NTP Client configuration
Viewed 11575 times since Tue, Jul 17, 2018
Burn Image to DVD in AIX
Viewed 13202 times since Thu, Sep 20, 2018
Epoch & Unix Timestamp Conversion Tools
Viewed 46576 times since Fri, Jun 22, 2018
Oslevel shows wrong AIX’s level. Why
Viewed 4532 times since Thu, Feb 21, 2019
AIX rootvg Mirroring
Viewed 4302 times since Mon, May 21, 2018
Awesome Command to show top 15 processes using memory on AIX
Viewed 23543 times since Thu, Nov 29, 2018
Calculate hdisk READ / WRITE throughput (sequential IO) from AIX systems
Viewed 2470 times since Thu, Feb 21, 2019
IVM and VLAN Tagging
Viewed 10108 times since Mon, May 28, 2018
Do you Know These 5 Use of V$session View ?
Viewed 99450 times since Thu, Jun 21, 2018