MLUG: RE: [MLUG] Tripwire

There are other options, besides Tripwire. Tripwire requires a pretty serious ongoing commitment from you (continual update of the database, burning to read-only media, constant monitoring). IMHO, Tripwire is really more of a forensic tool, something to help you track down exactly what has been hacked, after you've detected the hack. Unless you can commit permanent security staff, it's probably too much tool.

If your goal is to set up some sort of automatic IDS, you might look into:

TARA (Tiger Analytical Research Assistant, http://www-arc.com/tara/index.shtml). From the readme: "..tiger is a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS. 'tiger' was originally developed to provide a check of UNIX systems on the A&M campus that want to be accessed from off campus (clearance through the packet filter). As such, we needed something that *anyone* could run if they could figure out how to get it down to their machine."

TARA is great at ferreting out all kinds of problems, and has a nice help file to help you figure out what to do with them. When you set up the automatic runs from cron, it will start off really noisy, and then settle down, only alerting you if there is a change to your system.

If you really want to set up file integrity testing, you may want to read this article:
http://www.unixreview.com/documents/s=7459/uni1030462740022/
the last half of which has a script which uses the RPM database's checksums for a quick integrity check. The first half has some good information on how to set up Portsentry--though the links are old, Portsentry is now being maintained as an independent product, since Cisco bought out Psionic. Here's a current link:
http://sourceforge.net/projects/sentrytools

------------------------------------------
HARDY POTTINGER <EMAIL:PROTECTED>
I-Net Administrator, UM LSO/MCO
...PGP Public Key...
  http://mco.mobius.missouri.edu/~hardy/
...worth a look...
  http://www.learningpeace.com/pages/HH_8keys.htm
  http://www.spiritualityhealth.com/newsh/lists/pth_newsitem.html
------------------------------------------ 
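
An added example, not part of the original message and not the script from the linked article: a shell filter that triages `rpm -Va` output, the RPM-database checksum check the message mentions. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's script): triage `rpm -Va` output.
# Each line is: 9 flag characters (8 on old rpm versions), an optional
# one-letter file class (c = config, d = doc, g = ghost), then the path.
# A "5" in the flags means the digest differs from the RPM database.

# Constructed sample of `rpm -Va` output, so this runs without rpm.
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/passwd
.M.......    /var/log/cups
missing     /usr/share/doc/foo/README
S.5....T.    /bin/ls
.......T.  d /usr/share/man/man1/ls.1.gz
EOF
}

# Read `rpm -Va` output on stdin; print one line per finding:
#   ALERT   digest mismatch on a non-config file
#   CONFIG  digest mismatch on a config file (usually an admin edit)
#   MISSING file is in the database but not on disk
rpm_triage() {
    awk '
    { path = substr($0, index($0, "/")) }      # keeps paths with spaces
    $1 == "missing" { print "MISSING " path; next }
    $1 ~ /^[.?SM5DLUGTP]+$/ && length($1) >= 8 {
        if (index($1, "5") == 0) next          # contents unchanged
        if ($2 == "c") print "CONFIG " path
        else           print "ALERT " path
    }'
}

# Succeeds (exit 0) when stdin contains at least one ALERT or MISSING finding.
rpm_has_alerts() {
    rpm_triage | grep -Eq '^(ALERT|MISSING) '
}

# Demo on the constructed sample: sh thisfile --demo
# On an RPM-based host, from cron: rpm -Va 2>/dev/null | rpm_triage
if [ "${1:-}" = "--demo" ]; then
    sample_rpm_va | rpm_triage
fi
```

The RPM database sits on the same disk as the files it describes, so this is a quick check and not a substitute for a checksum database kept on read-only media.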
