Date: Fri, 16 Jan 2004 01:09:16 -0500 (EST)
From: Adrian Filipi <adrian+freebsd-security@ubergeeks.com>
To: D J Hawkey Jr <hawkeyd@visi.com>
Cc: Jesper Louis Andersen <jlouis@mongers.org>
Subject: Re: mtree vs tripwire
Message-ID: <20040116010631.G32954@lorax.ubergeeks.com>
In-Reply-To: <20040114182154.GA22444@sheol.localdomain>
References: <20040114134215.GA21307@sheol.localdomain> <20040114182154.GA22444@sheol.localdomain>
On Wed, 14 Jan 2004, D J Hawkey Jr wrote:

> On Jan 14, at 07:09 PM, Jesper Louis Andersen wrote:
>
> > > This might seem really naive, but can mtree be used effectively as
> > > a native-to-core-OS tripwire equivalent? Would it be as efficient in
> > > terms of time-to-run and resource requirements?
> >
> > Pro: distributed with base
> > Con: Only available for *BSD architectures as far as my knowledge goes.
>
> I'm aware of both, yes; hence my question. FreeBSD is all I'm dealing
> with, where my question is concerned.
>
> Is your reply from personal experience, or is it the same "Hey, it
> could..." as is my question? If the former, would you elaborate on the
> implementation details?
>
> Thanks,
> Dave

The company I just left makes a security appliance, and we developed an
mtree-based IDS. As others have mentioned, raw mtree and diff as-is leaves
a lot to be desired. It's just not very convenient. That being said, it
works great now that we wrapped it all up in some wrapper scripts.

	Adrian
--
[ adrian@ubergeeks.com ]
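The wrapper-script approach Adrian describes, as an added illustration that is not the appliance's code nor anything from this thread: a baseline is written once with mtree -c, and later runs compare the live tree against it. It assumes FreeBSD mtree(8) with the -c, -k, -f and -p flags and the sha256digest keyword (the NetBSD-derived mtree accepts the same); the function names and the keyword set are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a minimal mtree-based
# file-integrity check built from two small wrapper functions.
# Assumes FreeBSD mtree(8) with -c, -k, -f, -p and the sha256digest keyword.

# Keywords recorded for every entry. "time" is deliberately left out so that a
# bare touch(1) does not page the operator; sha256digest still catches content
# changes, and size alone would miss a same-length edit.
MTREE_KEYS="type,uid,gid,mode,size,link,sha256digest"

# mtree_baseline DIR SPEC
# Walk DIR and write the specification to SPEC. SPEC must live outside DIR and
# ideally off the monitored host or on read-only media: whoever can edit the
# baseline can make any change look legitimate.
mtree_baseline() {
    mtree -c -k "$MTREE_KEYS" -p "$1" > "$2"
}

# mtree_verify DIR SPEC
# Compare DIR against SPEC. mtree prints each changed attribute itself
# ("path changed" followed by the keyword with expected/found values),
# "extra:" for files that did not exist at baseline time and "missing:" for
# files that have disappeared. Returns 0 when nothing differs, non-zero
# otherwise (mtree exits 2 on a hierarchy mismatch), so the status can drive
# a cron job that mails the output only when something changed.
mtree_verify() {
    mtree -f "$2" -p "$1"
}

# Command-line entry point; does nothing when sourced without arguments.
#   sh mtree-ids.sh baseline /usr/local/bin /var/db/ids/usr_local_bin.mtree
#   sh mtree-ids.sh verify   /usr/local/bin /var/db/ids/usr_local_bin.mtree
case "${1:-}" in
    baseline) mtree_baseline "$2" "$3" ;;
    verify)   mtree_verify "$2" "$3" ;;
esac
```

Running it from cron against /bin, /sbin, /usr/bin, /usr/sbin and /usr/local is what turns raw mtree plus diff into something closer to tripwire; the remaining work is the noise handling (package upgrades legitimately change files, so the baseline has to be regenerated right after each one).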