
Re: checking for changes in file size/permissions since installation?



On Sun, 13 Feb 11, 08:31:55, Andrew Reid wrote:
> 
> <rant, severity=minor>
> 
>   What I actually was looking for was a Debian-aware intrusion
> detection system -- I had a problem where, when I did package updates
> on all our workstations, the IDS would report all these file changes,
> and there didn't seem to be an alternative to manually OK-ing all of
> them, which is tedious and potentially error-prone -- if an attack 
> occurs on update day, I am likely to miss it in all the spurious IDS
> traffic.  It seemed to me that a sensible option would be to have an 
> IDS that would notice when files had been changed by apt, and not 
> report those changes, just fold them into the database of the system
> state.  It's probably sufficient for my purposes to have a rule that
> says "if the file has changed, but is controlled by a package, and
> changed within <x> seconds of that package being updated, update the
> database to reflect this change, and do not report it."
> 
> 
>   Obviously, the down-side of this is that adding any kind of 
> do-not-report hook to the IDS is a potential exploit, since
> it could presumably be spoofed, but it seemed like a positive
> cost-benefit balance to me.
> 
>   I never did find such a tool.  Some IDSs have a lot of hooks 
> for custom scripts, so it may be possible to roll one's own, but
> I didn't get that far with it.

AFAIK dpkg can run hooks on many (all?) actions. In theory you could 
write a hook to have dpkg itself update the IDS database with the new 
files.

HTH,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
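
The rule quoted above ("controlled by a package, and changed within <x> seconds of that package being updated"), as an added example that is not code from either poster. It reads update times from text in /var/log/dpkg.log format; the sample log, the OWNERS map (a stand-in for /var/lib/dpkg/info/*.list) and the slack_seconds parameter are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in /var/log/dpkg.log format (not taken from the thread).
DPKG_LOG = """\
2011-02-13 08:30:01 startup archives unpack
2011-02-13 08:30:02 upgrade openssh-server 1:5.5p1-5 1:5.5p1-6
2011-02-13 08:30:02 status half-configured openssh-server 1:5.5p1-5
2011-02-13 08:30:05 status unpacked openssh-server 1:5.5p1-6
2011-02-13 08:30:09 status installed openssh-server 1:5.5p1-6
"""

# Constructed stand-in for /var/lib/dpkg/info/*.list: path -> owning package.
OWNERS = {"/usr/sbin/sshd": "openssh-server", "/bin/ls": "coreutils"}

TS = "%Y-%m-%d %H:%M:%S"


def update_windows(log_text):
    """Return {package: [(start, end), ...]}, one pair per completed update."""
    windows, started = {}, {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        when = datetime.strptime(f"{f[0]} {f[1]}", TS)
        if f[2] in ("install", "upgrade"):
            started[f[3].split(":")[0]] = when      # drop ":amd64" suffix
        elif f[2] == "status" and f[3] == "installed":
            pkg = f[4].split(":")[0]
            if pkg in started:
                windows.setdefault(pkg, []).append((started.pop(pkg), when))
    return windows


def classify(path, changed_at, windows, slack_seconds=60):
    """Return 'fold' only for a package-owned file changed during its update."""
    pkg = OWNERS.get(path)                          # None: not package-owned
    slack = timedelta(seconds=slack_seconds)
    for start, end in windows.get(pkg, []):
        if start - slack <= changed_at <= end + slack:
            return "fold"
    return "report"


if __name__ == "__main__":
    w = update_windows(DPKG_LOG)
    for path, ts in [("/usr/sbin/sshd", "2011-02-13 08:30:06"),
                     ("/usr/sbin/sshd", "2011-02-13 14:00:00"),
                     ("/bin/ls", "2011-02-13 08:30:06")]:
        print(path, ts, classify(path, datetime.strptime(ts, TS), w))
```

A file owned by a package that was not updated in the window is still reported, as is any file no package owns. dpkg.log is writable by root, so the spoofing concern raised in the quoted post still applies to this rule.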
