On Mon, Jun 12, 2006 at 03:57:11PM +0200, Marco Fioretti wrote:
> Hello,
>
> when one has physical access to a computer, he
> can run something like tripwire, with keys and
> checksum on a separate, write-only media, to
> verify the integrity of the system.
>
> What if the system is a remote one (in my case
> CentOS 4.3 on a User Mode Linux VPS some hundreds
> of km from here)?
>
> Does it still make sense to run tripwire remotely?
> If yes, how, since you cannot plug a floppy or USB
> drive in the machine?
>
> What if tripwire was never run? Does it make sense, on
> a CentOS system without physical access, to download there
> and run remotely one of those rootkit detection tools?
> Would its findings be surely accurate?
>
> Generally speaking, how does one handle these issues on
> remote systems?
> Thanks in advance for any comment,

Hello,

You may be interested in Osiris:

<http://osiris.shmoo.com/data/osiris-4.1.5.tar.gz>

It uses a client-server model to perform host integrity checking.
The osiris daemon on your VPS communicates securely with a monitor
console application at your location. Come to think of it, it's a lot
like how commercial alarm systems work.

Also, I have found both chkrootkit and rkhunter useful; they are not as
smart as a real person but may help warn you that you should check the
system, like a check engine light inside a car...

> Marco
>

- Mike
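
The split described in the reply (a scanner on the remote host, with the baseline kept on a console elsewhere) can be sketched as follows. This is an added example, not part of the original message and not Osiris code or its protocol; the function names and the sample tree are constructed for illustration, and the transport between host and console is assumed to be an authenticated channel that is not shown.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Runs on the monitored host: relative path -> (sha256, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            snap[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap

def compare(baseline, current):
    """Runs on the console, against the baseline stored there, not on the host."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def write(path, data, mode=0o755):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed sample tree standing in for the remote filesystem."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "top"):
            write(os.path.join(bindir, name), name.encode() + b" v1")
        baseline = snapshot(root)                     # taken once, kept on the console
        write(os.path.join(bindir, "ls"), b"ls v2")   # content replaced
        os.chmod(os.path.join(bindir, "ps"), 0o777)   # permissions loosened
        os.remove(os.path.join(bindir, "top"))        # file deleted
        write(os.path.join(bindir, ".hidden"), b"x")  # new file appears
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because the comparison runs on the console, a later change on the host cannot rewrite the baseline; the scan itself still runs on the host and is only as trustworthy as the host's kernel and scanner binary.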