[svlug] a problem with Tripwire...- another silly alternative

Alvin Oga alvin at planet.fef.com
Tue Oct 10 20:21:02 PDT 2000


hi ya tripwire-ers...

for the fun of it... why not use other options besides
or in addition to tripwire ???
	- and yeah...i like tripwire-1.x....but...

i wrote something simple and fast ( 1 hr or so of playing )...
to do something similar... was done in fun... which turned
into something semi-useful

idea....
    run check sums on the files i care about
    and send me an email about binaries/config files i care about

ie...  call this script from cron ( hourly )...

    if [ "$1" = initialize ]; then
	# no 'v' on tar: the file listing would go to stderr every hour from cron
	initialize_chk=$(tar cf - /etc/passwd /bin/login | sum)
	echo "$initialize_chk" > /root/secure_sum.txt          # ( local tests )
	echo "$initialize_chk" > /mnt/floppy/secure_sum.txt    # ( save offline )
    else
	test_chk=$(tar cf - /etc/passwd /bin/login | sum)
	if [ "$test_chk" != "$(cat /root/secure_sum.txt)" ]
	then
		# raise the red flag and start looking
		echo "checksum mismatch on $(hostname)" >&2
		# send emails...
		# send pages..
		# show whats different ???
		# shutdown thyself ???
	fi
    fi

have fun tripping...
alvin

http://www.linux-consulting.com/Security/CheckSum.sh.txt
	- for a quickie...it works....sorta...within its limits/limitation...

> > Yes, Rick, I've seen the Why Not Tripwire page [1]....

...
 
> > I will be looking into AIDE, and I recently heard about something
> > called LIDS. Any other contenders?
> 
> LIDS is not quite the same thing.  It's a set of kernel modifications
> and related tools to implement a "Mandatory Access Control" system:
> That is, it's one of the attempts to graft the "capabilities" model onto
> Linux, whereby files/devices are accessible only to specific users'
> processes, important processes are hidden and therefore less subject to 
> being killed off or tampered with, and alarms and (limited)
> countermeasures can occur in the event of compromise.  This entails
> limitations on what even the root user will be allowed to do during
> normal operation.
> 
> Unixes can't really fully support the capabilities model, because they
> don't have a fine-grained enough permissions system.  For comparison's
> sake, here's a system being written from the ground up specifically to
> be able to support such a model:  http://www.eros-os.org/
> 
> You may also be interested in reading:
> 
> http://www5.custhelp.com/cgi-bin/varesearch/solution?11=000828-0000&130=0967486725&14=&2715=&15=&2716=&57=faq&58=&2900=29PwvGGqTB&25=6
> 
> -- 
> Cheers,                   "Teach a man to make fire, and he will be warm 
> Rick Moen                 for a day.  Set a man on fire, and he will be warm
> rick at linuxmafia.com       for the rest of his life."   -- John A. Hrastar
> 
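The same cron idea carried a step further, as an added example that is not Alvin's CheckSum.sh, not tripwire, and not part of the original post: a per-file sha256 baseline instead of one `sum` over a tar stream, so a mismatch names the file that changed (the "show whats different" step above) and the 16-bit `sum` is replaced by a hash an intruder cannot trivially keep constant. It assumes GNU coreutils `sha256sum` and `mail -s`; the baseline and watched paths are placeholders.

```shell
#!/bin/sh
# Added example (not Alvin's CheckSum.sh, not tripwire): hourly integrity
# check with a per-file sha256 baseline. Assumes GNU coreutils sha256sum.

# integrity_init BASELINE FILE...
# Record one "hash  path" line per watched file. Run once from a known-good
# state, then copy BASELINE to read-only/offline media (the floppy in the
# post): a root-level intruder can rewrite a baseline kept on the same disk.
integrity_init() {
    baseline=$1
    shift
    sha256sum "$@" > "$baseline"
}

# integrity_check BASELINE
# Re-hash every path listed in BASELINE. Prints "path: FAILED" for a changed
# file and "path: FAILED open or read" for a missing one; returns non-zero
# if anything differs, zero when every file still matches.
integrity_check() {
    baseline=$1
    # --quiet drops the "OK" lines so only mismatches reach the mail body
    sha256sum -c --quiet "$baseline" 2>/dev/null
}

# integrity_alert BASELINE RECIPIENT
# Cron entry point: mail the list of changed files when the check fails.
# RECIPIENT is whatever address your pager gateway or mailbox uses.
integrity_alert() {
    baseline=$1
    recipient=$2
    # the assignment's exit status is that of integrity_check
    if changed=$(integrity_check "$baseline"); then
        return 0
    fi
    printf '%s\n' "$changed" |
        mail -s "integrity check FAILED on $(hostname)" "$recipient"
    return 1
}
```

Usage: `integrity_init /root/secure.sha256 /etc/passwd /bin/login` once, then an hourly crontab line such as `0 * * * * . /root/integrity.sh; integrity_alert /root/secure.sha256 root` (both paths are placeholders). Because the baseline stores hashes rather than a tar stream, a changed mtime alone no longer trips the alarm, which cuts down on false pages; the remaining limit is the one the post hints at, namely that a compromised root can edit both the files and the on-disk baseline, hence the offline copy.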