David Barrett on 13/08/08 20:22, wrote:
Adam Hardy wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy
<adam.ant@cyberspaceroad.com> wrote:
The question is, what do I replace chkrootkit with, especially if
stuff like
rkhunter's not much better?
[snip]
One script I use for a similar purpose is "hashall.sh":
#!/bin/sh
find / \( ! -wholename "/sys/*" \) \( ! -wholename "/proc/*" \) -type
f -print0 | sort -z | xargs -0 sha1sum > `date | sed -e 'y/
:/__/'`.hashes
Basically, find every file on disk, take sha1sum, and output it in a
sorted list. Run this twice and the resulting output is comparable
with "diff" to quickly see what has changed.
I currently use this after a new install just to get a snapshot of the
base state so I can identify changes. But my plan is to have two
servers monitor each other by having each
1) SCP over a "clean" copy of find, sort, xargs, and sha1sum
2) Run this on the whole server
3) Compare the result to a known "clean run"
Granted, a recursive sha1sum isn't cheap, but it can be toned down by
tightening up the rules to cut out files you don't care about.
David,
what does \( ! -wholename "/sys/*" \) do? Excludes sys directory?
regards
Adam