On Friday 11 January 2008 14:13, Forest Bond wrote:
> Hi,
>
> On Fri, Jan 11, 2008 at 01:55:46PM -0600, tweeks wrote:
> > On Friday 11 January 2008 06:44, Jeremy Sanders wrote:
> > > Jordi Prats wrote:
> > > > You could use tripwire to check periodically all files instead of
> > > > relying on the file system for that task. (I think no file system does
> > > > this checking by now)
> > >
> > > That's a possible idea.
> > >
> > > I would have thought it would be relatively simple to write a block
> > > device which acted as a layer between the file system and real block
> > > device. I suppose the difficulty is getting all the corner cases
> > > correct. I've never written any kernel code, so maybe I should
> > > investigate doing that for fun...
> >
> > All files in the system are already hashed. You can see this by doing
> > an "rpm -Va". For example.. to create a baseline of a system to compare
> > against, just cron a script to:
> >
> >     rpm -Va > /root/RPMV/system-rpm-baseline.txt
> >
> > then once/day or whatever, do a diff... or just grep for any "bin"
> > directory changes and diff that. I like this better than messing with
> > tripwire. It's already there, native, and easy to use.
>
> This is specific to:
>
> * RPM-based systems
> * files provided by RPMs
>
> Consequently, it's only useful on certain systems,

Heh.. well.. last I checked, this is a redhat ext3 list. Red hat uses rpm.. and no one but Red hat still actually uses ext3 right? (hehe)...

> and, even then, only with certain files. That's not very good coverage,
> is it?

Uhh.. all SYSTEM files.. which is all I'm looking at when doing compromise checks (except for root kits, etc.. for which I use separate tools).

> This is especially true when you consider that the files that came from the
> package manager are usually the ones that you don't care about as much when
> you've lost data.

You tripwire scan data files? Hmm.. I've seen hundreds of compromised servers... 80-90% of them can be detected with a simple RPM scan. The ones you can't are the ones where hacks have deleted the RPM DBs, but in that case your baseline diff sets off red flags anyway. It's actually a pretty good scan to run nightly/weekly, etc (along with root kit scans, etc).

In fact.. I prefer using unorthodox detection methods rather than well known forms of F.A.M. (file alteration monitoring) like tripwire which, if seen, are instantly attacked and disabled.

Tweeks

_______________________________________________
Ext3-users mailing list
Ext3-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/ext3-users
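The baseline-and-diff routine tweeks describes, written out as an added example (this is not code from the thread or from Red Hat). It covers only the comparison step, so it runs offline: the two input files are constructed samples in the `rpm -Va` line format ("nine attribute flags, optional type letter, path" or "missing" followed by the path), and the function names `rpm_new_deviations` and `rpm_bin_changes` are mine. On a real host the two files would be the cron'd `rpm -Va` output from the poster's `/root/RPMV/` directory.

```sh
#!/bin/sh
# Added example, not code from the thread: the nightly "rpm -Va" baseline diff
# reduced to the comparison step so it runs offline.
# The two input files below are CONSTRUCTED samples in rpm -Va's line format
# ("<9 attribute flags> [type] <path>" or "missing     <path>"), not real output.
# In production they would come from cron, e.g. (using the poster's path):
#   rpm -Va > /root/RPMV/system-rpm-baseline.txt    # once, right after install
#   rpm -Va > /root/RPMV/system-rpm-current.txt     # nightly

# rpm_new_deviations BASELINE CURRENT
#   Print every rpm -Va line in CURRENT that is absent from BASELINE.
#   -F: fixed strings, -x: whole-line match, -f: patterns read from BASELINE,
#   -v: keep the lines that did NOT match, i.e. the new deviations.
rpm_new_deviations() {
    grep -v -x -F -f "$1" "$2"
}

# rpm_bin_changes BASELINE CURRENT
#   The "grep for any bin directory changes" step: keep only new deviations
#   whose path has a bin/ or sbin/ component (/bin, /sbin, /usr/bin, ...).
rpm_bin_changes() {
    rpm_new_deviations "$1" "$2" | grep -E '/s?bin/'
}

# --- constructed sample data ------------------------------------------------
SAMPLE_DIR="${TMPDIR:-/tmp}/rpmv-demo.$$"
mkdir -p "$SAMPLE_DIR"

# Baseline: only expected config drift (S = size, 5 = digest, T = mtime changed;
# "c" marks a config file).
cat > "$SAMPLE_DIR/baseline.txt" <<'EOF'
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/sysconfig/network
EOF

# Current run: the same config drift plus changed and missing system binaries.
cat > "$SAMPLE_DIR/current.txt" <<'EOF'
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/sysconfig/network
S.5....T.    /bin/ls
S.5....T.    /usr/bin/netstat
missing     /sbin/ifconfig
.......T.  c /etc/motd
EOF

echo "New deviations since baseline:"
rpm_new_deviations "$SAMPLE_DIR/baseline.txt" "$SAMPLE_DIR/current.txt"
echo
echo "Of which under bin/sbin directories (review these first):"
rpm_bin_changes "$SAMPLE_DIR/baseline.txt" "$SAMPLE_DIR/current.txt"
```

On the sample data the first function reports four new lines and the second narrows them to the three binaries (`/bin/ls`, `/usr/bin/netstat` and the missing `/sbin/ifconfig`), leaving the `/etc/motd` drift for the full diff. Two points from the thread carry into practice: `rpm -Va` verifies against the host's own RPM database, so the baseline file should be copied off the host (or onto read-only media) when it is taken, and a current run that is suddenly empty or much shorter than the baseline is itself the red flag tweeks mentions, not a clean result.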