Re: File System Integrity Checker for Sarge
On Monday, 2005-01-03 at 00:45:02 +0100, jorge salamero wrote:
> on Sun, 2 Jan 2005 07:30:33 -0600
> hdv@jadev.org (J.A. de Vries) wrote:
> > Read this page to compare the most popular IDSes. It is written by the
> > author of samhain, but it still is useful as a reference:
> > http://www.la-samhna.de/library/scanners.html
> it seems that samhain is the most complete.
> any other comparisons or user comments about missing features in this article?
I did a comparison once, and here are the things I checked that that
comparison does not cover:
- Attributes: Tripwire and AIDE have the most comprehensive set, with
  (from the twpolicy manpage):
    a  Access timestamp
    b  Number of blocks allocated
    c  Inode timestamp (create/modify)
    d  ID of device on which inode resides
    g  File owner's group ID
    i  Inode number
    l  File is increasing in size (a "growing file")
    m  Modification timestamp
    n  Number of links (inode reference count)
    p  Permissions and file mode bits
    r  ID of device pointed to by inode (valid only for device objects)
    s  File size
    t  File type
    u  File owner's user ID
  This information is missing from my samhain entry. The samhain manual
  lists these:
    * the inode of the file,
    * the type of the file,
    * owner and group,
    * access permissions,
    * on Linux only: flags of the ext2 file system (see man chattr),
    * the timestamps of the file,
    * the file size,
    * the number of hard links,
    * minor and major device number (devices only),
    * and the name of the linked file (if the file is a symbolic link).
- List of available checksums.
- Can filenames be specified with regular expressions?
- Are multiple overlapping filespecs possible?
- Is macro substitution supported, for what?
- Which notification mechanisms are supported?
- Is the level of detail in these notifications configurable?
- For which platforms is the tool supported/packaged?
HTH,
Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |
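As an added illustration of the attribute lists quoted in the message (example code, not from the thread nor from tripwire, AIDE or samhain), a small Python baseline-and-compare routine over those same fields: inode, type, mode, owner/group, size, link count, device numbers, timestamps, symlink target and a SHA-256 of regular files, with the tripwire "growing file" (l) property honoured so that appends to a log are not reported while a shrink still is. The file names in the test scenario are constructed; access time (tripwire "a") is deliberately not recorded, because hashing the file updates it on most mounts and the checker would then flag its own previous scan.

```python
import hashlib
import os
import stat

def snapshot_file(path):
    st = os.lstat(path)                        # lstat: record symlinks, not targets
    isdev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
    rec = {
        "type": stat.S_IFMT(st.st_mode),       # t  file type
        "mode": stat.S_IMODE(st.st_mode),      # p  permission/mode bits
        "inode": st.st_ino, "dev": st.st_dev,  # i, d
        "nlink": st.st_nlink,                  # n  hard link count
        "uid": st.st_uid, "gid": st.st_gid,    # u, g
        "size": st.st_size,                    # s
        "mtime": st.st_mtime_ns,               # m
        "ctime": st.st_ctime_ns,               # c  inode change time
        "blocks": getattr(st, "st_blocks", None),   # b  (absent on Windows)
        "rdev": st.st_rdev if isdev else None,      # r  devices only
        "target": os.readlink(path) if stat.S_ISLNK(st.st_mode) else None,
    }
    if stat.S_ISREG(st.st_mode):               # content checksum, regular files only
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def snapshot_tree(root):
    # Baseline for every directory, file, symlink and device node below root.
    return {os.path.relpath(p, root): snapshot_file(p)
            for d, dirs, files in os.walk(root)
            for p in (os.path.join(d, n) for n in dirs + files)}

# Attributes expected to change when a "growing file" (tripwire "l") is appended to.
GROWTH = {"size", "mtime", "ctime", "blocks", "sha256"}

def compare(baseline, current, growing=frozenset()):
    """Map relpath -> sorted changed attribute names, or 'added' / 'removed'."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report[path] = "removed"
        elif path not in baseline:
            report[path] = "added"
        else:
            old, new = baseline[path], current[path]
            changed = {k for k in old if old.get(k) != new.get(k)}
            if path in growing and new["size"] >= old["size"]:
                changed -= GROWTH              # appends are expected; shrinking is not
            if changed:
                report[path] = sorted(changed)
    return report
```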