Many Choices for AIX File Integrity

Many Choices for AIX File Integrity




Recently, I was on a disaster recovery (DR) exercise that was going extremely well, until I had to restore a DB2 database. The restore failed due to a corrupted image. The image had been transferred from an external secure network to our DR site, so it should have been good I thought.

I checked the image size on the source and destination and both matched up OK. Next task to do was to check the integrity of the image. By that I mean compare the signature of the source and destination to confirm that the signatures match up, using the same algorithm. Signatures are sometimes referred to (though incorrectly) as checksums, digest, hashes or fingerprints. For this article, I will stick with signatures to avoid any confusion.

Plenty of data integrity tools exist, but you don’t need them to do an ad hoc check on files. The integrity tools available with AIX are:

  • csum
  • cksum
  • sum
  • openssl
  • shasum

File integrity checks that there’s been no alteration—no addition or deletion of parts of the file from source to destination. It, in essence, checks that the file hasn’t been tampered with.

When producing a signature from a file, it can be considered a one-way signature, in that it looks at the input, which is the file, and produces a unique signature as its output based on the input. Two of the most popular algorithms used to generate signatures are: SHA (secure hash algorithm) and MD5. SHA is considered the best for signature uniqueness. SHA will generate a 20-byte and the MD5 will generate 16-byte signature. Clearly the longer the signature, the better chance or probability of obtaining uniqueness.

When generating a signature, you need to be pretty confident it will be unique with a high probability that it cannot be duplicated against another file. When you produce a signature on a file, say at the source location, be sure you use or inform the users comparing the file at the destination the algorithm originally used. If you don’t, it won’t be the same signature, which makes the use of comparing signatures in files rather redundant.

Let’s looks at how to use some of the AIX included utilities.

A Plethora of Tools

Using csum on a file using both algorithms returns:

#  csum -h MD5 myfile
670e251013ea807980baef53268ee264  myfile
# csum -h SHA1 myfile
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile

Note in the output I specified MD5, however by default if no algorithm specified it will use MD5. Also notice the longer signature for the SHA1. Of course you can specify patterns to match many files in one hit, like:

# csum -h SHA1 myfile* 
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
c4cfa40c7076f04bc128038f4aa335ffb20e98a6  myfile2

You can also direct the output to a test file. This is handy when you’re dealing with many files and wish to compare (probably within a shell script) the signatures at the destination side. The following csum output is put in the file, out_file:

# csum -o out_file -h SHA1 myfile*

The cksum is slightly different in that it produces a checksum and the byte count of the file. In this demonstration, both files have the same content. But note though they’re the same byte count, the checksum is different. The output of the command is quite useful when doing a compare of files. One simply reads in the file from within a script and then does another cksum on the original file(s) to see if there have been any changes.

# cksum myfile*
3224161752 1058 myfile
3347010591 1058 myfile2

If you have OpenSSL installed, then you have two further options for file integrity checks, spoiling you with choices. The command shasum also ships with openssl, and you use this to generate the signature.

# openssl sha1 myfile*
SHA1(myfile)= 550b856b4bd36229d5790d4c33cc75fb8dd0b8c4
SHA1(myfile2)= c4cfa40c7076f04bc128038f4aa335ffb20e98a6

# shasum myfile*
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
c4cfa40c7076f04bc128038f4aa335ffb20e98a6  myfile2

Of course, you can redirect the output to a file and then re-issue shasum to verify the signature. It will output OK if the verification check is good:

# shasum  myfile >test
# cat test
550b856b4bd36229d5790d4c33cc75fb8dd0b8c4  myfile
# shasum  -c test

Essential for Success

File checking is essential when you need to verify that the file hasn’t been tampered with. In my case, I found that the signature of the transferred file didn’t match at the DR exercise. I discovered that the DB2 image was transferred as text and not as binary mode. So it then got re-transferred correctly as binary and the signatures matched up when I checked them. The restore was successful.

0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
ILMT Procedure - ILMT / TAD4D / SUA / BFI
Viewed 9621 times since Fri, Jul 5, 2019
The new VIOS performance advisor tool part util
Viewed 2778 times since Tue, Jun 4, 2019
Part 2, NFS monitoring and tuning
Viewed 5956 times since Mon, Jun 4, 2018
Configuration of AIX Fast Connect and SMBFS
Viewed 7868 times since Mon, Jun 18, 2018
Installation of the Virtual I/O Server directly from the HMC
Viewed 17973 times since Tue, Jun 4, 2019
Finding password rules in AIX
Viewed 2264 times since Mon, May 28, 2018
My LPAR always boots into SMS. Why?
Viewed 3067 times since Tue, Apr 16, 2019
AIX - How to get CPU infomation
Viewed 4405 times since Fri, Jun 8, 2018
Problems with NFS on an AIX Reboot? Then Go Single
Viewed 5916 times since Wed, May 30, 2018
AIX, Storage, System Admin↑ Identifying a Disk Bottleneck Using filemon
Viewed 9348 times since Fri, Apr 19, 2019