From owner-freebsd-security Tue Aug 12 08:57:24 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.5/8.8.5) id IAA00327
    for security-outgoing; Tue, 12 Aug 1997 08:57:24 -0700 (PDT)
Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5])
    by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA00320
    for ; Tue, 12 Aug 1997 08:57:20 -0700 (PDT)
Received: (from ingham@localhost)
    by socrates.i-pi.com (8.8.5/8.8.5) id JAA01074;
    Tue, 12 Aug 1997 09:57:03 -0600 (MDT)
Message-ID: <19970812095702.20181@socrates.i-pi.com>
Date: Tue, 12 Aug 1997 09:57:02 -0600
From: Kenneth Ingham
To: Jeff Aitken
Cc: security@freebsd.org
Subject: Re: post-break-in checklist?
References: <199708120324.XAA27102@eagle.aitken.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.74
In-Reply-To: <199708120324.XAA27102@eagle.aitken.com>; from Jeff Aitken on Mon, Aug 11, 1997 at 11:24:34PM -0400
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> As far as FreeBSD goes, I've got the CDs and know about mtree, but
> I'm looking for a more generic "these are the sorts of things to
> look for if you suspect a security violation" just to be sure I'm
> not overlooking anything.

While it's not a post-breakin tool, tripwire can help identify
breakins. The URL for Coast at Purdue (where it was developed) is:

http://www.cs.purdue.edu/coast/

Kenneth Ingham