Re: File system integrity checkers - comparison?
Johannes Graumann <graumann@its.caltech.edu> writes:
> I'm looking at this triad:
> Tripwire
> Aide
> Fcheck
> and was wondering as to what this group is preferring and why or
> whether there are other more trusted alternatives.
You might want to include integrit and samhain as well. Maybe filetraq
too.
I'm using integrit, fcheck and filetraq on a fairly minimal internal
server running sarge.
Integrit is fine; there are plenty of ways to customize it to your setup, and I
use it with a daily cron job (I believe that's what the default setup
does, but I've mucked around with that). These runs check the whole
system (in principle everything below /) quite thoroughly.
Fcheck is not as flexible (I'm thinking of replacing it with aide
once I have some time), but I use it for a quick hourly check of the
more important stuff (/bin, /sbin, /lib and the /usr versions of
these).
I used to have fcheck go over /etc as well, but am using filetraq
for that now. The main advantage is that it will keep time-stamped
backups of all files so you can go back a version or more. Drawback
is that you may have to clean out the backups occasionally. What I
like most though, is that it sends you diffs(!) of the changes made
to any file monitored. I think my setup checks every 10 minutes or
so for changes.
> My main argument against tripwire is its pseudo-commercial source.
If it ain't in main, it ain't debian :-P
--
Olaf Meeuwissen EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
Penguin's lib! -- I hack, therefore I am -- LPIC-2
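As an added illustration of what the tools in this thread do (example code written for this page, not code from integrit, fcheck, filetraq or the poster): a snapshot-and-compare pass of the kind a daily integrit cron run performs, plus filetraq's trick of keeping a time-stamped copy of each monitored file and producing a diff when it changes. The directory layout, file contents and backup naming are constructed for the demo.

```python
import difflib, hashlib, os, shutil, tempfile, time

def snapshot(root):
    """Record (sha256, mode) of every regular file below root; symlinks are skipped."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[path] = (digest, os.stat(path).st_mode)
    return db

def compare(old, new):
    """Return sorted (added, removed, changed) path lists between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def track_changes(path, backup_dir):
    """filetraq-style: keep the last-seen copy, rotate it to a stamped backup on change, return the diff."""
    os.makedirs(backup_dir, exist_ok=True)
    kept = os.path.join(backup_dir, path.lstrip("/").replace("/", "__"))
    if not os.path.exists(kept):
        shutil.copy2(path, kept)  # first sighting: just store the reference copy
        return ""
    with open(kept, errors="replace") as a, open(path, errors="replace") as b:
        old_lines, new_lines = a.readlines(), b.readlines()
    if old_lines == new_lines:
        return ""
    os.replace(kept, f"{kept}.{time.time_ns()}")  # stamp = ns since epoch, unique
    shutil.copy2(path, kept)
    return "".join(difflib.unified_diff(old_lines, new_lines, kept, path))

def demo():
    """Constructed sample run: baseline, then change one file, delete one, add one."""
    root, backups = tempfile.mkdtemp(), tempfile.mkdtemp()
    hosts, motd = os.path.join(root, "hosts"), os.path.join(root, "motd")
    with open(hosts, "w") as f: f.write("127.0.0.1 localhost\n")
    with open(motd, "w") as f: f.write("Welcome\n")
    baseline = snapshot(root)
    track_changes(hosts, backups)  # first run only stores the reference copy
    with open(hosts, "a") as f: f.write("10.0.0.5 fileserver\n")  # constructed edit
    os.remove(motd)
    with open(os.path.join(root, "issue"), "w") as f: f.write("Debian\n")
    report = [sorted(map(os.path.basename, x)) for x in compare(baseline, snapshot(root))]
    return report, track_changes(hosts, backups), len(os.listdir(backups))
```

The baseline database and the backup directory are the trust anchors here; in a real deployment both belong on read-only or off-host storage, otherwise whoever alters a monitored file can alter the record of it too.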