JP Vossen on 4 Nov 2008 21:54:39 -0800
> Date: Tue, 4 Nov 2008 20:44:24 -0500
> From: "Michael Lazin" <microlaser@gmail.com>
> Subject: Re: [PLUG] weird process?
>
> by the way, if you find any files that you don't recognize you can grep for
> their time stamp

File integrity checkers, the best known of which is Tripwire, are handy here, but only if you've installed one originally on a known good system and kept it up-to-date. That's perpetually one of those "I'll get to it later" things, since it can be a pain to configure and maintain them.

That's why I like 'fcheck,' which is a Perl script in the Debian/Ubuntu repos. It more-or-less Just Works out of the box, and it's easy to tweak it a bit. It is *less* secure than aide, osiris, or samhain because it only sends a single email when something changes, then assumes the change was legit. On the other hand, it's a LOT more secure than the nothing most systems have. And it's not hard to make an off-line DB backup for comparison if needed. Syntax is simple and it's Perl so it's easily hackable. (And yes, it runs on Windows. :) I highly recommend everyone look into it.

Failing that, there's a database of known file hashes at http://www.nsrl.nist.gov/. Unfortunately, at a quick glance it's not clear that it contains hashes for recent Linux systems (it's mostly Windows). There's some Red Hat in there, but it's old (e.g. 7.x). It would be a lot of work, but it would be possible to build a similar system, rev it up to the right level, and hash it, then compare. That's probably vast overkill in this case, but it's interesting to think about.

Good luck,
JP

___________________________
Related tools in Hardy:
* aide - Advanced Intrusion Detection Environment - static binary
* debsums - Verify installed package files against MD5 checksums.
* fcheck - IDS filesystem baseline integrity checker
* integrit - A file integrity verification program
* osiris - network-wide system integrity monitor control interface
* samhain - Data integrity and host intrusion alert system
* stealth - A stealthy File Integrity Checker
* tripwire - file and directory integrity checker

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
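The post describes two checks: a baseline taken on a known-good system and re-scanned later (what fcheck, aide and tripwire do), and a lookup of file hashes against a known-good database (the NSRL idea). The script below is an added example that demonstrates both; it is not fcheck's code and not the post author's. The directory tree, file contents and the "known-good" hash set are constructed inside the demo so it runs offline; in real use the baseline file would be stored off-line, as the post suggests, and the scan root would be something like /bin or /etc.

```python
"""Minimal file-integrity baseline/compare in the spirit of fcheck.
Added example for this post; not fcheck's own code.  All paths, file
contents and the known-good hash set are constructed in demo()."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of one file, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to hash, mode and size.
    Mode and size catch permission flips and truncation cheaply; the hash
    catches content changes that keep the size identical."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            st = full.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices: hash only real files
            baseline[str(full.relative_to(root))] = {
                "sha256": hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report paths that appeared, vanished or changed between two scans."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def not_in_known_good(scan: dict, known_hashes: set) -> list:
    """NSRL-style lookup: paths whose content hash is not in a known-good set."""
    return sorted(p for p, rec in scan.items() if rec["sha256"] not in known_hashes)


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root = Path(tree)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "etc").mkdir()
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        os.symlink("ls", root / "bin" / "dir")  # symlink: ignored by the scan

        # Take the baseline on the "known good" tree and keep it outside the tree.
        db = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), db)
        baseline = load_baseline(db)
        known_good = {rec["sha256"] for rec in baseline.values()}

        # Simulated tampering: same-size content change, new file, mode change.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary\n")  # same 19 bytes
        (root / "lib").mkdir()
        (root / "lib" / "unknown.so").write_bytes(b"\x7fELF-not-really\n")
        os.chmod(passwd, 0o600)

        rescan = build_baseline(root)
        return {
            "report": compare(baseline, rescan),
            "unknown": not_in_known_good(rescan, known_good),
            "roundtrip_ok": baseline == build_baseline.__globals__["load_baseline"](db),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note what each check catches: the same-size rewrite of bin/ls is invisible to a size or timestamp comparison but shows up as "changed" because the hash differs, the chmod on etc/passwd shows up through the stored mode even though its content hash is still in the known-good set, and lib/unknown.so is both "added" and absent from the known-good hashes. Like fcheck, this script only reports; deciding whether a change was legitimate and refreshing the baseline afterwards is still up to the operator.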