[CentOS] Check integrity or rootkits on remote server?

Fri Jun 16 10:54:11 UTC 2006
Mike <ekkikrist at yahoo.com>

On Mon, Jun 12, 2006 at 03:57:11PM +0200, Marco Fioretti wrote:
> Hello,
> 
> when one has physical access to a computer, he
> can run something like tripwire, with keys and
> checksum on a separate, write-only media, to
> verify the integrity of the system.
> 
> What if the system is a remote one (in my case
> CentOS 4.3 on a User Mode Linux VPS some hundreds
> of km from here)?
> 
> Does it still make sense to run tripwire remotely?
> If yes, how, since you cannot plug a floppy or USB
> drive in the machine?
> 
> What if tripwire was never run? Does it make sense, on
> a CentOS system without physical access, to download there
> and run remotely one of those rootkit detection tools?
> Would its findings be surely accurate?
> 
> Generally speaking, how does one handle these issues on
> remote systems?
> Thanks in advance for any comment,

Hello,

You may be interested in Osiris:
<http://osiris.shmoo.com/data/osiris-4.1.5.tar.gz>

It uses a client-server model to perform host integrity checking.
The osiris daemon on your VPS communicates securely with a
monitor console application at your location.

Come to think of it, it's a lot like how commercial alarm systems
work.

Also, I have found both chkrootkit and rkhunter useful. They are
not as smart as a real person, but may help warn you that you
should check the system, like a check engine light inside a car...

> Marco
> 

- Mike
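
The client-server model described in the reply above, reduced to its core as an added example (not Osiris code and not part of the original message): the monitored host produces a manifest of hashes and permissions, and the comparison runs against a baseline kept off that host. The function names and the sample file tree are constructed for illustration.

```python
import hashlib, os, stat, tempfile

FIELDS = ("sha256", "mode", "uid", "gid")

def scan(root):
    """Host side: map each regular file under root to (sha256, mode, uid, gid)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = (
                digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return manifest

def compare(baseline, current):
    """Console side: diff a fresh scan against the baseline stored off the host."""
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = [n for n, a, b in zip(FIELDS, baseline[path], current[path]) if a != b]
        if diff:
            changed[path] = diff
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": changed}

def demo():
    """Constructed sample tree: take a baseline, alter three things, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o755):
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        for name in ("ls", "ps", "login"):
            write(name, b"original " + name.encode())
        baseline = scan(root)                          # stored on the console
        write("ps", b"replaced ps")                    # content swapped
        os.chmod(os.path.join(root, "login"), 0o4755)  # setuid bit added
        write("hidden", b"new file")                   # unexpected file appears
        return compare(baseline, scan(root))

if __name__ == "__main__":
    print(demo())
```
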