Date: Fri, 11 Dec 1998 13:35:21 +1300 (NZDT)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Charles Reese <reese@chem.duke.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
Message-ID: <Pine.BSF.4.05.9812111312140.14530-100000@aniwa.sky>
In-Reply-To: <1.5.4.32.19981210230102.00743b60@chem.duke.edu>
On Thu, 10 Dec 1998, Charles Reese wrote:

> Can tripwire be modified to compare two databases rather than one data base
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.

Check out L5 from Hobbit. From the README:

L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or "find" would, generating listings of anything it finds there. It tells you everything it can about a file's status, and adds on the MD5 hash of it. Its output is rather "numeric", but it is a very simple format and is designed to be post-treated by scripts that call L5.

Find it at any good archive of security tools.

If file transfer is much of an issue, you can just compare an md5 summary of the entire file and only transfer the whole file when there's a discrepancy.

Without read only media, you are vulnerable to someone putting a trojan in place of tripwire, L5, or whatever else you are using.

If you've got a floppy on hand but it's not big enough for complete sets of checksums then put your checksumming system and summary hashes there.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
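
The workflow discussed in this message (fetch a listing generated on the remote host, compare it against a copy kept on read-only media, and check a digest of the whole listing first so the full listing is transferred only on a mismatch), as an added example that is not part of the original e-mail and is not L5's or tripwire's code. The tab-separated listing format, the function names and the sample entries are constructed for illustration, and SHA-256 stands in for the MD5 summary the message mentions.

```python
import hashlib

FIELDS = ("mode", "uid", "gid", "size", "digest")  # assumed columns after the path

def parse_manifest(text):
    """Parse tab-separated 'path mode uid gid size digest' lines into {path: {field: value}}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS) + 1:
            raise ValueError(f"line {lineno}: expected {len(FIELDS) + 1} fields")
        if parts[0] in entries:
            # A repeated path could mask a changed entry, so refuse the listing.
            raise ValueError(f"line {lineno}: duplicate path {parts[0]!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return entries

def summary_digest(text):
    """Digest of the whole listing; compare this first, fetch the listing only on mismatch."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def compare(trusted_text, remote_text):
    """Report paths added, removed or changed (with differing fields) versus the trusted copy."""
    trusted, remote = parse_manifest(trusted_text), parse_manifest(remote_text)
    changed = {}
    for path in sorted(trusted.keys() & remote.keys()):
        diff = [f for f in FIELDS if trusted[path][f] != remote[path][f]]
        if diff:
            changed[path] = diff
    return {"added": sorted(remote.keys() - trusted.keys()),
            "removed": sorted(trusted.keys() - remote.keys()),
            "changed": changed}

def _listing(rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"

# Constructed sample listings (paths, sizes and digests are made up).
TRUSTED = _listing([("/bin/ls", "0555", "0", "0", "45056", "1" * 32),
                    ("/bin/sh", "0555", "0", "0", "327680", "2" * 32),
                    ("/usr/sbin/sshd", "0555", "0", "0", "204800", "3" * 32)])
REMOTE = _listing([("/bin/ls", "0555", "0", "0", "45056", "1" * 32),
                   ("/bin/sh", "0555", "0", "0", "327912", "4" * 32),
                   ("/usr/local/bin/newtool", "0555", "0", "0", "12288", "5" * 32)])

if __name__ == "__main__":
    if summary_digest(TRUSTED) != summary_digest(REMOTE):
        print(compare(TRUSTED, REMOTE))
```

Both the comparison script and the trusted listing belong on the local read-only media, since the remote host's copy of either cannot be relied on.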