On Mon, Jun 12, 2006 at 03:57:11PM +0200, Marco Fioretti wrote:
Hello,
when one has physical access to a computer, he can run something like tripwire, with keys and checksum on a separate, write-only media, to verify the integrity of the system.
What if the system is a remote one (in my case Centos 4.3 on a User Mode Linux VPS some hundred of KMs from here)?
Does it still make sense to run tripwire remotely? If yes, how, since you cannot plug a floppy or USB drive in the machine?
What if tripwire was never ran? Does it make sense, on a Centos system without physical access, to download there and run remotely one of those rootkit detection tools? Would its findings be surely accurate?
Generally speaking, how does one handle these issues on remote systems? Thanks in advance for any comment,
Hello,
You may be interested in Osiris: http://osiris.shmoo.com/data/osiris-4.1.5.tar.gz
It uses a client-server model to perform host integrity checking. The osiris daemon on your VPS communicates securely with a monitor console application at your location.
Come to think of it, it's a lot like how commercial alarm systems work.
Also I have found both chkrootkit and rkhunter useful, they are not as smart as a real person but may help warn you that you should check the system like a check engine light inside a car...
Marco
- Mike