On Thu, 2007-10-18 at 12:40 -0400, Matthew Miller wrote:
> On Wed, Oct 17, 2007 at 04:27:29PM -0700, Gordon Messmer wrote:
> > >subdirectory of some other machine, then running rsync -avn against the
> > >live one to see what has changed.
> >
> > That might not be good enough. 'rsync -a' will skip more thorough
> > checks if two files' size and mod times match. An attacker could fairly
> > easily produce a binary of the same size, and fix the mod time after
> > installation.
>
> Adding -c will make it do a full checksum of each file. This will be very
> slow but hard to trick.

Does anyone remember "tripwire"? I used to use it and it worked pretty well.
Kept the database on a remote share that was mounted ro when it ran, and rw
when the database had to be updated (e.g. after a yum update).
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer                rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-            Death is nature's way of dropping carrier               -
----------------------------------------------------------------------
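The thread's point, as an added example rather than code from any of the posters: a tripwire-style baseline that records size, mtime and a SHA-256 digest per file, with two comparison functions. `quick_diff` models what `rsync -a` does (a file is "unchanged" when size and mtime match); `checksum_diff` models `rsync -ac` or tripwire (content hashes are compared). The scenario it sets up in a temporary directory is constructed to match the one described above: a same-length replacement with the original mtime restored. All names and paths here are the example's own assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One baseline entry: what a quick check sees (size, mtime) and what a full check sees (digest)."""
    size: int
    mtime_ns: int
    sha256: str


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, Record]:
    """Tripwire-style baseline: one Record per regular file under root, keyed by relative path."""
    baseline: dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = Record(st.st_size, st.st_mtime_ns, sha256_of(full))
    return baseline


def quick_diff(baseline: dict[str, Record], current: dict[str, Record]) -> list[str]:
    """What 'rsync -a' reports: changed only if size or mtime differ (or the file is new)."""
    return sorted(
        p for p, r in current.items()
        if p not in baseline
        or (r.size, r.mtime_ns) != (baseline[p].size, baseline[p].mtime_ns)
    )


def checksum_diff(baseline: dict[str, Record], current: dict[str, Record]) -> list[str]:
    """What 'rsync -ac' or tripwire reports: changed if the content digest differs (or the file is new)."""
    return sorted(
        p for p, r in current.items()
        if p not in baseline or r.sha256 != baseline[p].sha256
    )


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a same-size replacement with the original mtime put back.

    Returns (quick_diff result, checksum_diff result) so the two checks can be compared.
    """
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "bin", "tool")  # hypothetical path inside the temp tree
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"original content v1\n")
        baseline = snapshot(root)

        # Replace the content with bytes of identical length, then restore the recorded mtime.
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"tampered content v1\n")  # same length as the original
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        current = snapshot(root)
        return quick_diff(baseline, current), checksum_diff(baseline, current)


if __name__ == "__main__":
    quick, full = demo()
    print("size+mtime check flagged:", quick)   # []
    print("checksum check flagged:  ", full)    # ['bin/tool']
```

The baseline dictionary is the part that needs the protection Rick describes: if it lives on the host being checked and is writable at check time, whoever altered the file can alter the record too, so keep it on a share that is read-only while the comparison runs and writable only for a deliberate update.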