Re: File System Integrity Checker for Sarge



On Monday, 2005-01-03 at 00:45:02 +0100, jorge salamero wrote:
> on Sun, 2 Jan 2005 07:30:33 -0600
> hdv@jadev.org (J.A. de Vries) wrote:

> >  Read this page to compare the most popular IDSes. It is written by the
> >  author of samhain, but it still is useful as a reference:

> >  http://www.la-samhna.de/library/scanners.html

> it seems that samhain is the most complete.

> any other comparisons or user comments about missing features in this article?

I did a comparison once, and here are the things I checked that that
comparison does not cover:

- Attributes: Tripwire and AIDE have the most comprehensive set, with
(from the twpolicy manpage):

            a     Access timestamp
            b     Number of blocks allocated
            c     Inode timestamp (create/modify)
            d     ID of device on which inode resides
            g     File owner's group ID
            i     Inode number
            l     File is increasing in size (a "growing file")
            m     Modification timestamp
            n     Number of links (inode reference count)
            p     Permissions and file mode bits
            r     ID of device pointed to by inode
                  (valid only for device objects)
            s     File size
            t     File type
            u     File owner's user ID

This information is missing from my samhain entry. The samhain manual
lists these:

    * the inode of the file,
    * the type of the file,
    * owner and group,
    * access permissions,
    * on Linux only: flags of the ext2 file system (see man chattr),
    * the timestamps of the file,
    * the file size,
    * the number of hard links,
    * minor and major device number (devices only)
    * and the name of the linked file (if the file is a symbolic link). 

- List of available checksums.
- Can filenames be specified with regular expressions?
- Are multiple overlapping filespecs possible?
- Is macro substitution supported, for what?
- Which notification mechanisms are supported?
- Is the level of detail in these notifications configurable?
- For which platforms is the tool supported/packaged?

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you                              |
| ask what you can do for your computer.                                 |
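As an added illustration of the attribute comparison these tools perform (example code written for this page, not code from Tripwire, AIDE or samhain), the following hypothetical Python script records the twpolicy-style attribute set listed above for one path, checksums regular files, and reports what changed between two snapshots, including a simplified version of the "growing file" rule for logs:

```python
import hashlib
import os
import stat
import tempfile

# Attributes to record, modelled on the twpolicy list quoted above. st_atime is left out
# on purpose: reading a file to checksum it updates atime, so it would change on every scan.
ATTRS = ("st_ino", "st_mode", "st_uid", "st_gid", "st_size", "st_nlink",
         "st_mtime_ns", "st_ctime_ns", "st_dev", "st_rdev", "st_blocks")
# Changes a "growing file" (twpolicy 'l', e.g. a log) is allowed to make between scans.
GROWING_OK = {"st_size", "st_blocks", "st_mtime_ns", "st_ctime_ns", "sha256"}

def snapshot(path):
    """Baseline record for one path; lstat() so a symlink itself is recorded, not its target."""
    st = os.lstat(path)
    rec = {name: getattr(st, name) for name in ATTRS}
    rec["type"] = stat.S_IFMT(st.st_mode)  # file type, separate from the mode bits
    rec["link_target"] = os.readlink(path) if stat.S_ISLNK(st.st_mode) else None
    rec["sha256"] = None
    if stat.S_ISREG(st.st_mode):  # only regular files have content worth hashing
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def compare(baseline, current, growing=False):
    """Sorted names of attributes that differ between two snapshots of the same path.
    With growing=True, growth-related changes are ignored but shrinking is still reported."""
    changed = {k for k in baseline if baseline[k] != current[k]}
    if growing:
        changed -= GROWING_OK
        if current["st_size"] < baseline["st_size"]:
            changed.add("st_size")  # truncation of a log is never expected
    return sorted(changed)

def demo():
    """Constructed scenario: baseline a log file, append to it, then truncate it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "w") as f:
            f.write("boot ok\n")
        base = snapshot(path)
        with open(path, "a") as f:
            f.write("login ok\n")
        strict = compare(base, snapshot(path))
        lenient = compare(base, snapshot(path), growing=True)
        os.truncate(path, 0)
        truncated = compare(base, snapshot(path), growing=True)
    return strict, lenient, truncated
```

The strict comparison flags the append through size and checksum; with the growing rule the append is silent, but the truncation is still reported, which is the behaviour a log-directory policy needs.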