On Sat, Aug 22, 2009 at 10:49 AM, Bill Campbell centos@celestial.com wrote:
On Fri, Aug 21, 2009, Dave wrote:
On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrlich@gmail.com wrote:
... stuff deleted
On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell centos@celestial.com wrote:
To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide,
One of the problems I've found with tripwire in particular and aide to a lesser extent is that they (a) tend to be very verbose even when nothing has changed, and (b) updating their database is fairly complex. I have developed a system that we use here and at our client sites that uses the tripwire formatted configuration files, but maintains its own database, and produces minimal reports of changes (none if nothing has changed). Updating its database after changes have been checked and verified is a simple file ``mv'' command.
Another open source tool you might want to consider.
http://ftimes.sourceforge.net/FTimes/index.shtml
-- Drew Einhorn