The only problem with tripwire is that u have to set up the snapshot file on
write protected media to have true security. If somebody hacks ur box they
can just reupdate tripwire themselves and u'll be none the wiser. This can
be an administrative hassle to update the snapshot and move it to something
write protected (nfs, floppy, cd) everytime u change anything on the system.
What's more is that even if u have it write protected somebody can just hack
the tripwire executable to send u dummy alls-well messages while they're
infilitrating ur box even more. For this reason every tripwire (or any like
package) file needs to also be on the write protected media and preferably
run remotely. U can do this by setting up an ultra secure "security box"
somewhere on ur network and then mount all file spaces of all ur production
boxes on it with nfs or samba or something. That way u can scan the files
without regard to whether the box is compromised or not. And obviously if
the mount goes down, indicating a possible hacker, alerts would be sent out.
And when u do update the snapshot, don't just do a global update whenever u
change /etc/passwd, only update for the files that u actually modified,
otherwise some hacker can slide some hacked files into the snapshot if he
hacks u at that same time. It's a security race condition. So in summary,
just be paranoid, and think like a hacker.
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
"...ne cede males"