From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 11:17:24 2004
Message-ID: <20040114191722.88525.qmail@web12606.mail.yahoo.com>
Date: Wed, 14 Jan 2004 11:17:22 -0800 (PST)
From: Dorin H
To: hawkeyd@visi.com
In-Reply-To: <20040114134215.GA21307@sheol.localdomain>
cc: freebsd-security@freebsd.org
Subject: Re: mtree vs tripwire

--- D J Hawkey Jr wrote:
> Hi all.
>
> This might seem really naive, but can mtree be used effectively as
> a native-to-core-OS tripwire equivalent? Would it be as efficient in
> terms of time-to-run and resource requirements?
>

Theoretically, and practical for small configurations, yes.

> What sort of pitfalls should I be aware of?
>

IMHO, you can use any tool you want to compute some "signature" for
files you deem relevant. But you have to carefully consider the
scalability problem, the problem of false/negatives (how you/your
program deal with a modified file? bin/config/data/tmp file) and so on.

Tripwire (correct me if I am wrong, but last time I looked it was still
to be updated in FreeBSD, focus was on "aide") is a targeted tool that
helps with the information management... probably bloated :). Like any
tool, it is up to you to decide what's useful or not ;)

HTH,
/Dorin.

> Has anyone here done this? If so, would you care to share your
> scripts/techniques?
>
> Thanks,
> Dave
>
> --
> D. J. HAWKEY JR.
> hawkeyd@visi.com
> http://www.visi.com/~hawkeyd/
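
The per-class handling of modified files that the reply raises (bin/config/data/tmp), as an added example that is not part of the original message and not mtree or Tripwire code: a signature baseline compared against a later snapshot, with a different action per file class. The policy table, its action names and the sample tree are assumptions constructed for illustration.

```python
import fnmatch, hashlib, os, pathlib, stat, tempfile
# Assumed policy (first match wins); classes follow the reply's bin/config/data/tmp split.
POLICY = [
    ("/tmp/*", "ignore"),     # scratch: never baselined
    ("/data/*", "presence"),  # contents change constantly; only add/remove matters
    ("/etc/*", "review"),     # config edits are legitimate but need a human look
    ("*", "alert"),           # binaries and the rest: any change is suspect
]

def action_for(path):
    return next(act for pat, act in POLICY if fnmatch.fnmatchcase(path, pat))

def snapshot(root):  # -> {"/rel/path": (sha256_hex, mode_bits)} for regular files
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if action_for(rel) == "ignore" or not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                snap[rel] = (hashlib.sha256(fh.read()).hexdigest(), stat.S_IMODE(st.st_mode))
    return snap

def compare(old, new):  # -> sorted (severity, event, path) findings
    findings = []
    for path in sorted(old.keys() | new.keys()):
        act = action_for(path)
        if path not in old or path not in new:
            event = "added" if path not in old else "removed"
            findings.append(("review" if act == "review" else "alert", event, path))
        elif old[path] != new[path] and act != "presence":
            findings.append((act, "changed", path))
    return findings

def demo():
    """Constructed tree: rewrite one file per class, then drop in a new binary."""
    with tempfile.TemporaryDirectory() as root:
        files = ["bin/tool", "etc/app.conf", "data/db", "tmp/scratch"]
        for rel in files:
            pathlib.Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            pathlib.Path(root, rel).write_text("v1")
        baseline = snapshot(root)
        for rel in files + ["bin/extra"]:
            pathlib.Path(root, rel).write_text("v2")
        return compare(baseline, snapshot(root))

if __name__ == "__main__": print(*demo(), sep="\n")
```

All four files are rewritten in the demo, but only the binary and the config file produce findings; the data and tmp changes are absorbed by the policy rather than reported.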