[CentOS] reinventing the wheel? page checker

Fri Jun 22 18:28:34 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

On 6/22/2012 9:50 AM, m.roth at 5-cent.us wrote:
> Bob Hoffman wrote:
>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>> From: Bob Hoffman<bob at bobhoffman.com>
>>>> Not sure if there is an app like this yet.
>>>> I want to keep tabs on my web applications and thought of using a 'page
>>>> checker'/
>>> *snip*
>>>> Anything out there like that?
>>> http://www.changedetection.com/
> <snip>
> As I said originally, you might want to check out rkhunter. It'll check
> your system for rootkits, and once configured - which isn't a big deal,
> just a configuration file - will complain when run if something's changed.
> You can tell it to look at your web pages.
> Another thing to consider (and I really, really don't enjoy suggesting
> it), is selinux. Turn it on to at least permissive, and it'll bitch and
> moan if something's changed. Turn it to enforcing, and *nothing* will be
> allowed to be changed. It is, however, a royal pain to configure, esp.
> when you want to be able to allow a directory for users to put pics.
>         mark
Would love to use SElinux. I searched high and low for any kind of 
manual and there was none.
Most of the information online was for versions that were not on CentOS 
6, and little info on CentOS 6.
I am considering going back to it for the virtual hosts, dns servers, 
but for production web servers
I think it will take a long time.
I know that fail2ban will not work properly with it in any case, as per 
their own website.

It seems that to run the webservers selinux wants me to allow a ton of 
privileges to apache, the ftp user, and a bunch of
other things...seems like that defeats the purpose. And a script 
injection will have all those privileges.

I wish I had the time and knowledge to implement it...and add it to my 
handbook, but on a webserver that
is doing mail ins, mail outs, httpd, mysql, php, self made scripts, 
fail2ban, and a host of other programs
it seems like it requires an experienced hand at it. Or a book.
Neither of which are available to me.

Who knows, once I figure out the multi_mysql back up, amanda, then I may 
go for it.

One thing I learned...SElinux in permissive mode only gives a warning 
once for an issue...and never again. Makes it hard
to play with it that way, would prefer a constant error variable to keep 
them coming.

Well. We derailed.
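
The kind of check suggested earlier in this thread (record a baseline of the web pages, then complain when a file differs) can be sketched as follows. This is an added example, not part of the original message and not rkhunter's code; the function names, the `uploads` directory and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):      # skip broken symlinks, sockets
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests


def compare(baseline, current, ignore=()):
    """Return sorted (added, removed, modified) paths, skipping ignored dirs."""
    def watched(path):
        return not any(path.startswith(d.rstrip(os.sep) + os.sep) for d in ignore)

    added = sorted(p for p in current if p not in baseline and watched(p))
    removed = sorted(p for p in baseline if p not in current and watched(p))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p] and watched(p))
    return added, removed, modified


if __name__ == "__main__":
    # Constructed sample docroot; a real run would point at the web root and
    # keep the baseline somewhere the web server user cannot write.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        baseline = snapshot(root)

        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<!-- changed -->")            # unexpected edit
        with open(os.path.join(root, "uploads", "cat.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")               # expected user upload

        added, removed, modified = compare(baseline, snapshot(root),
                                           ignore=["uploads"])
        print("added:", added, "removed:", removed, "modified:", modified)
```

The `ignore` list covers the case raised in the quoted reply of a directory where users are allowed to put pictures, so expected uploads do not drown out a changed script.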