The only problem with tripwire is that u have to set up the snapshot file on write protected media to have true security. If somebody hacks ur box they can just reupdate tripwire themselves and u'll be none the wiser. This can be an administrative hassle to update the snapshot and move it to something write protected (nfs, floppy, cd) every time u change anything on the system. What's more is that even if u have it write protected somebody can just hack the tripwire executable to send u dummy all's-well messages while they're infiltrating ur box even more.

For this reason every tripwire (or any like package) file needs to also be on the write protected media and preferably run remotely. U can do this by setting up an ultra secure "security box" somewhere on ur network and then mount all file spaces of all ur production boxes on it with nfs or samba or something. That way u can scan the files without regard to whether the box is compromised or not. And obviously if the mount goes down, indicating a possible hacker, alerts would be sent out.

And when u do update the snapshot, don't just do a global update whenever u change /etc/passwd, only update for the files that u actually modified, otherwise some hacker can slide some hacked files into the snapshot if he hacks u at that same time. It's a security race condition. So in summary, just be paranoid, and think like a hacker.
-- REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=-- "...ne cede males" 00000100
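The selective-update and mount-down points from the message above, as an added Python example (not part of the original post and not Tripwire's own code): a checker meant to run on the "security box" against a mounted tree, comparing it with a baseline kept off the monitored host. The function names, the rule that an empty mount point counts as "mount down", and the sample files are assumptions made for the illustration.

```python
import hashlib, os, tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = file_digest(full)
    return snap

def check(root, baseline):
    """Compare a mounted tree with the baseline held on the security box."""
    # Assumption: a missing or empty mount point means the mount is down.
    # Report that as its own alert, never as a clean or all-missing scan.
    if not os.path.isdir(root) or not os.listdir(root):
        return {"mount_down": True, "changed": [], "missing": [], "added": []}
    cur = snapshot(root)
    return {"mount_down": False,
            "changed": sorted(p for p in baseline if p in cur and cur[p] != baseline[p]),
            "missing": sorted(p for p in baseline if p not in cur),
            "added": sorted(p for p in cur if p not in baseline)}

def update_selected(root, baseline, paths):
    """Re-baseline only the named files; all other entries keep their old digest."""
    new = dict(baseline)
    for p in paths:
        new[p] = file_digest(os.path.join(root, p))
    return new

def demo():
    # Constructed tree: the admin edits passwd while login changes unexpectedly.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("passwd", b"root:x:0:0\n"), ("login", b"original\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "passwd"), "ab") as f:   # intended change
            f.write(b"alice:x:1000:1000\n")
        with open(os.path.join(root, "login"), "wb") as f:    # unintended change
            f.write(b"tampered\n")
        selective = check(root, update_selected(root, baseline, ["passwd"]))
        global_update = check(root, snapshot(root))
        return selective["changed"], global_update["changed"]

if __name__ == "__main__":
    print(demo())
```

After the selective update the unexpected change to `login` is still reported, while the global update absorbs it into the baseline and the next scan comes back clean.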