Johannes Graumann <[EMAIL PROTECTED]> writes:
> I'm looking at this triad:
> Tripwire
> Aide
> Fcheck
> and was wondering as to what this group is preferring and why or
> whether there are other more trusted alternatives.

You might want to include integrit and samhain as well. Maybe filetraq too.

I'm using integrit, fcheck and filetraq on a fairly minimal internal server running sarge.

Integrit is fine, plenty of ways to customize it to your setup and I use it with a daily cron job (I believe that's what the default setup does, but I've mucked around with that). These runs check the whole system (in principle everything below /) quite thoroughly.

Fcheck is not as flexible (I'm thinking of replacing it with aide once I have some time) but I use it for a quick hourly check of the more important stuff (/bin, /sbin, /lib and the /usr versions of these).

I used to have fcheck go over /etc as well, but am using filetraq for that now. The main advantage is that it will keep time-stamped backups of all files so you can go back a version or more. Drawback is that you may have to clean out the backups occasionally. What I like most though, is that it sends you diffs(!) of the changes made to any file monitored. I think my setup checks every 10 minutes or so for changes.

> My main argument against tripwire is its pseudo-commercial source.

If it ain't in main, it ain't debian :-P

-- 
Olaf Meeuwissen                          EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
Penguin's lib!  -- I hack, therefore I am -- LPIC-2
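The setup described in the post above, as an added example that is not part of the original message or of integrit, fcheck, aide or filetraq: a small Python file-integrity monitor that builds a SHA-256 baseline of a directory tree (the kind of record a daily cron run would create and later compare against), reports added, removed and modified paths including permission-only changes such as a new setuid bit, and keeps filetraq-style time-stamped copies of a watched file together with a unified diff against the previous copy. The directory layout, file contents and names in `demo()` are constructed for the illustration only.

```python
"""Minimal file-integrity monitor (added illustration, not code from any
of the tools discussed): SHA-256 baseline, change report, time-stamped
copies of a watched file plus a unified diff of what changed."""
import difflib
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file below root (relative path) to digest and mode.
    Mode is recorded because a permission change (e.g. setuid added) matters
    to an integrity checker as much as a content change."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # link targets are hashed where they actually live
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def archive_and_diff(path, archive_dir):
    """filetraq-style tracking of one file: store a time-stamped copy under
    archive_dir/<basename>/ and return a unified diff against the previous
    copy ('' on the first run). Old copies stay, so you can go back a version."""
    file_dir = os.path.join(archive_dir, os.path.basename(path))
    os.makedirs(file_dir, exist_ok=True)
    previous = sorted(os.listdir(file_dir))  # names sort chronologically
    new_name = "%s.%04d" % (time.strftime("%Y%m%d%H%M%S"), len(previous))
    new_copy = os.path.join(file_dir, new_name)
    shutil.copy2(path, new_copy)
    if not previous:
        return ""
    with open(os.path.join(file_dir, previous[-1])) as f:
        old_lines = f.readlines()
    with open(new_copy) as f:
        new_lines = f.readlines()
    return "".join(difflib.unified_diff(old_lines, new_lines,
                                        fromfile=previous[-1], tofile=new_name))


def demo():
    """Constructed scenario: baseline a small tree, then change it."""
    root = tempfile.mkdtemp(prefix="fim-")
    tree = os.path.join(root, "tree")
    os.makedirs(os.path.join(tree, "bin"))
    os.makedirs(os.path.join(tree, "etc"))

    def write(rel, text):
        with open(os.path.join(tree, rel), "w") as f:
            f.write(text)

    write("bin/ls", "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    write("etc/hosts", "127.0.0.1 localhost\n")
    write("etc/motd", "welcome\n")
    db = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(tree), db)          # the daily-cron baseline
    archive = os.path.join(root, "archive")
    first_diff = archive_and_diff(os.path.join(tree, "etc/hosts"), archive)

    # Changes an hourly/10-minute run should flag: content edit, new file,
    # deleted file, and a permission-only change (setuid bit on bin/ls).
    write("etc/hosts", "127.0.0.1 localhost\n192.0.2.10 extra-host\n")
    write("bin/newtool", "#!/bin/sh\n")
    os.remove(os.path.join(tree, "etc/motd"))
    os.chmod(os.path.join(tree, "bin/ls"), 0o4755)

    added, removed, modified = compare(load_baseline(db), build_baseline(tree))
    diff = archive_and_diff(os.path.join(tree, "etc/hosts"), archive)
    shutil.rmtree(root)
    return {"added": added, "removed": removed, "modified": modified,
            "first_diff": first_diff, "diff": diff}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value if key != "diff" else "\n" + value)
```

In a real deployment the baseline file and the archive must live somewhere the monitored host cannot silently rewrite (read-only media, a remote host, or at least a signed copy), otherwise whoever changes a file can update the record too; that is the same concern the tools named above address with signed or off-host databases.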