Re: [Hampshire] File Integrity Check

Author: Dr Adam J Trickett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] File Integrity Check
On Wed, 06 Feb 2008 at 05:16:05PM +0000, Russell Gadd wrote:
> I would use a second system multibooted on the same PC. My boot manager can
> set up a partition for the target system to be checked (I'll call it "Main")
> and a separate partition for the checking system ("Checker"). On booting the
> boot manager rewrites the Master Boot Record partition table so that Main
> only sees its own partition. But when Checker is booted it sees both with
> Main's partition mounted read-only under a subdirectory of its own root.
> Checker will create and check MD5 signatures for an appropriate subset of
> Main's file structure, probably using AIDE or possibly Tripwire.


Some people build an AIDE database then burn it to a read-only
medium, and run off that. I use a combination of aide,
check root kit, rootkit hunter, and tiger all available in Debian
Etch.

chkrootkit
rkhunter
aide
tiger

You do get false positives, so be warned. I don't bother with a
separate monitoring system, or read-only copies.

--
Adam Trickett
Overton, HANTS, UK

With ... the fact that Linux has become so easy to install that
certain species of bacteria are now being hired by MIS departments,
what was once the domain of rigorously trained, highly specialised
professionals has devolved into the Dark Land of the Monkeys.
    -- Greg Knauss
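
The baseline-and-check cycle discussed in this message, as an added example that is not part of the original post and is not how AIDE or Tripwire are implemented. It uses SHA-256 in place of the MD5 mentioned in the quoted text; the function names, the JSON database and the temporary directories standing in for Main's read-only mount and Checker's own storage are all assumptions.

```python
import hashlib, json, os, tempfile

def snapshot(root, subdirs):
    """Map relative path -> SHA-256 digest for regular files in the chosen subset."""
    db = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # symlinks and special files are not hashed
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                db[os.path.relpath(path, root)] = digest
    return db

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: temp dirs stand in for Main's mount and Checker's storage."""
    with tempfile.TemporaryDirectory() as main, tempfile.TemporaryDirectory() as checker:
        for rel, data in [("bin/ls", b"v1"), ("etc/motd", b"hi"), ("var/log/syslog", b"a")]:
            write(main, rel, data)
        db_path = os.path.join(checker, "baseline.json")  # database lives outside Main
        with open(db_path, "w") as fh:
            json.dump(snapshot(main, ["bin", "etc"]), fh)
        # Changes made while Main was running
        write(main, "bin/ls", b"v2")           # modified binary
        write(main, "bin/extra", b"new")       # new file
        os.remove(os.path.join(main, "etc/motd"))
        write(main, "var/log/syslog", b"ab")   # outside the subset, not reported
        with open(db_path) as fh:
            baseline = json.load(fh)
        return compare(baseline, snapshot(main, ["bin", "etc"]))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A legitimate package upgrade shows up under "modified" in exactly the same way as tampering, so the baseline has to be regenerated after each intended change.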