Adam Hardy wrote:
Martin on 12/08/08 16:34, wrote:On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <adam.ant@cyberspaceroad.com> wrote:The question is, what do I replace chkrootkit with, especially if stuff likerkhunter's not much better?tripwire maybe? apt-cache show tripwire Description: file and directory integrity checker Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. Tag: admin::monitoring, interface::commandline, interface::daemon, role::program, security::ids, security::integrity, use::monitor, works-with::file, works-with::mailI don't have access to a floppy or cdrom drive - the server is hosted somewhere at an ISP. I think any cracker would just re-run tripwire if they found it installed.Perhaps I could write a script to retrieve some hashes from another server? Does that make sense?
One script I use for a similar purpose is "hashall.sh": #!/bin/shfind / \( ! -wholename "/sys/*" \) \( ! -wholename "/proc/*" \) -type f -print0 | sort -z | xargs -0 sha1sum > `date | sed -e 'y/ :/__/'`.hashes
Basically, find every file on disk, take sha1sum, and output it in a sorted list. Run this twice and the resulting output is comparable with "diff" to quickly see what has changed.
I currently use this after a new install just to get a snapshot of the base state so I can identify changes. But my plan is to have two servers monitor each other by having each
1) SCP over a "clean" copy of find, sort, xargs, and sha1sum 2) Run this on the whole server 3) Compare the result to a known "clean run"Granted, a recursive sha1sum isn't cheap, but it can be toned down by tightening up the rules to cut out files you don't care about.
-david