Date: Wed, 24 Feb 2016 09:04:58 -0800 (PST) From: Roger Marquis <marquis@roble.com> To: Robert Ayrapetyan <robert.ayrapetyan@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: verify FreeBSD installation In-Reply-To: <56CD2EE3.5080009@gmail.com> References: <56CD2EE3.5080009@gmail.com>
| previous in thread | raw e-mail | index | archive | help
> Hi. Is there any reliable way to verify checksums of all local files for some > FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed > FreeBSD instances, how can I be sure there are no any patches\changes in a > kernel\services etc? At the filesystem-level there's security/integrit which we use with a wrapper script for readable reports. Integrit replaced tripwire when that company moved away from FOSS. >From the configuration-level there's 'pkg info', 'sysrc -a', 'ipfw sh', ... and of course the parsed output from /var/log/* to add real-time monitoring. I also recommend supplementing these tools with revision tracking for anything host-specific and non-binary such as /etc/periodic/*/* and /etc/rc.*. RCS works well for this on the localhost-level. On a large scale ansible is my tool of choice for pulling this information from any number of hosts into hg or git from which deltas and other reports can be easily generated. If you manage a large number of hosts and are interested in helping to pull all of these tools into a pkg/port let me know. Roger
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?>