Bob - BLU wrote:
> David Kramer wrote:
>> ...both chkrootkit and rkhunter seem to give lots of false positives...
>
> I wrote wrapper scripts for these. It dumps the output to a file,
> then compares to the previous night's output. If there is a difference
> then it emails me. The idea is that you review the output initially,
> then monitor for changes.

That's the first thing I did after setting up integrit, another file system integrity checker. (I'd be happy to share the scripts with anyone interested.)

While technically generating only delta reports is less secure, getting constantly growing report emails every day (as is the default with most of these tools) is similarly insecure, as anything important will end up buried. The developers of these tools seem to assume that every admin has the time to rerun a script - usually requiring a pass phrase - to reset the baseline after every change to the system. Sure, it's more secure, but impractical if you aren't a full-time admin.

With the setup I have on my mail server, most changes are documented with 3 emails to root: a notice from CRON-APT saying updates are available, a log file from aptitude saying which packages were upgraded, and a report from integrit showing what individual files and directories were altered. It's very easy to spot unexpected changes, and with a historical archive of delta reports from integrit, I can see how files were altered over time.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
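The nightly delta-report wrapper that Bob and Tom describe, written out as an added example (it is neither of their scripts): the full checker report is archived every run, and only the difference from the previous run is mailed. CHECKER_CMD, REPORT_DIR and MAILTO are assumed placeholders, as is the use of mail(1) for delivery.

```shell
#!/bin/sh
# Delta-report wrapper for a file-integrity checker (integrit, rkhunter, ...).
# Every run archives the full report under REPORT_DIR, but only the lines that
# changed since the previous run are mailed: an unchanged system sends nothing,
# and the very first run mails the whole report as the baseline to review once.
# CHECKER_CMD, REPORT_DIR and MAILTO are placeholders to adapt (assumptions,
# not taken from the thread); mail(1) must work for the cron user.

REPORT_DIR="${REPORT_DIR:-/var/lib/integrity-delta}"
CHECKER_CMD="${CHECKER_CMD:-integrit -C /etc/integrit.conf -c}"   # placeholder
MAILTO="${MAILTO:-root}"

# report_delta PREV CUR
# Prints the delta between two saved reports on stdout.
# Returns 0 when there is something to report, 1 when the reports are identical.
report_delta() {
    prev="$1"; cur="$2"
    if [ ! -f "$prev" ]; then
        echo "# no previous report: initial baseline follows"
        cat "$cur"
        return 0
    fi
    if cmp -s "$prev" "$cur"; then
        return 1
    fi
    # Keep only removed (-) and added (+) lines; drop the ---/+++ file headers.
    diff -u "$prev" "$cur" | grep -E '^[-+]' | grep -Ev '^(---|\+\+\+) ' || :
    return 0
}

# run_nightly: invoke the checker, archive today's report, mail the delta.
run_nightly() {
    mkdir -p "$REPORT_DIR"
    today="$REPORT_DIR/report.$(date +%Y%m%d)"
    # Newest archived report other than today's (empty on the first run).
    prev=$(ls -1 "$REPORT_DIR"/report.* 2>/dev/null | grep -v "^$today\$" | tail -n 1)
    # Checkers exit non-zero when they see changes; that is data, not an error.
    $CHECKER_CMD > "$today" 2>&1 || :
    if delta=$(report_delta "$prev" "$today"); then
        printf '%s\n' "$delta" | mail -s "integrity delta on $(hostname)" "$MAILTO"
    fi
}

# Run the nightly job only when invoked as "script.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    run_nightly
fi
```

Because every full report stays in REPORT_DIR, the history Tom mentions (how a file changed over time) is still available even though only deltas are mailed.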