From: Tony Finch <fanf@chiark.greenend.org.uk>
To: freebsd-hackers@freebsd.org
Cc: dot@dotat.at
Date: Fri, 9 Aug 2002 23:11:33 +0100
Subject: using mtree as tripwire
Message-ID: <20020809231133.D1697@chiark.greenend.org.uk>

I've been playing around with using mtree as a lightweight replacement for tripwire, and it seems to work quite nicely. There are a few bits and pieces: (1) a patch to make the -X exclude-file facility slightly more flexible and easy to manage; (2) a script for creating the mtree spec file containing all of the checksums; and (3) an /etc/periodic/security script to do the mtree checksum comparison with reality.

I've parametrized (3) with a command for obtaining the spec file, for people who keep it on a remote machine etc., so obviously (2) should have a corresponding option. I suppose it could get it from periodic.conf, but that's a bit ugly since it isn't a periodic script. Does anyone have any better ideas?
I'd also like to optionally run (2) as part of the installworld process, and maybe include it as part of the standard distribution. I'm currently keeping the file in /var/db/; I'm not sure whether or not that's better than /etc/mtree/ -- it's over 7MB on my machine, which is probably an important consideration.

The patch to mtree and some of the scripts can be found at http://people.FreeBSD.org/~fanf/FreeBSD/

Tony.
-- 
f.a.n.finch http://dotat.at/
SOUTH FITZROY: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6 AT FIRST. RAIN OR DRIZZLE AT TIMES. GOOD OCCASIONALLY MODERATE.
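The three pieces the post describes (an exclude file, a script that builds a checksum spec, and a periodic check that compares the spec with the live filesystem) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not Tony's scripts, his mtree patch, or any code from FreeBSD's mtree(8). It writes and reads a spec in the flat `mtree -C` style (`./path keyword=value ...`) using keywords that FreeBSD mtree does understand (`type`, `mode`, `size`, `sha256digest`), but the matching of exclude patterns against basenames and full relative paths, the `compare()` report, and all file names in the test are this example's own assumptions. The security point the example makes explicit: the comparison is only as trustworthy as the baseline, so the spec must live somewhere the host cannot silently rewrite (the post's "command for obtaining the spec file" from a remote machine is exactly that hook); the tree walk here never follows symlinks, so a planted link cannot pull a foreign directory into the baseline.

```python
"""Added example: an mtree-as-tripwire workflow in plain Python.
Not Tony Finch's scripts and not FreeBSD mtree(8); the spec format is
modelled on `mtree -C` output, and the file names in the tests are
constructed sample data."""
import fnmatch
import hashlib
import os
import stat


def load_excludes(path):
    """One fnmatch-style pattern per line (like mtree -X); '#' and blank lines ignored."""
    patterns = []
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                patterns.append(line)
    return patterns


def excluded(relpath, patterns):
    # Assumption: a pattern matches either the basename or the whole relative path.
    base = os.path.basename(relpath)
    return any(fnmatch.fnmatch(base, p) or fnmatch.fnmatch(relpath, p)
               for p in patterns)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root, patterns=()):
    """Return {relpath: {keyword: value}} for every entry under root.
    os.walk does not follow symlinks, so a link cannot drag another tree in."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(
            d for d in dirnames
            if not excluded(os.path.normpath(os.path.join(rel_dir, d)), patterns))
        for name in sorted(filenames):
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if excluded(rel, patterns):
                continue
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                ftype = "file"
            elif stat.S_ISLNK(st.st_mode):
                ftype = "link"
            else:
                ftype = "other"
            entry = {"type": ftype, "mode": "%04o" % stat.S_IMODE(st.st_mode)}
            if ftype == "file":
                entry["size"] = str(st.st_size)
                entry["sha256digest"] = sha256_of(os.path.join(dirpath, name))
            spec[rel] = entry
    return spec


def write_spec(spec, path):
    # Flat `mtree -C` style lines. Real mtree escapes whitespace in names; this
    # illustration assumes names without whitespace.
    with open(path, "w") as fh:
        fh.write("#\tmtree-style spec (example generator)\n")
        for rel in sorted(spec):
            kv = " ".join("%s=%s" % (k, v) for k, v in sorted(spec[rel].items()))
            fh.write("./%s %s\n" % (rel, kv))


def read_spec(path):
    spec = {}
    with open(path) as fh:
        for line in fh:
            if not line.strip() or line.startswith("#"):
                continue
            name, *kvs = line.split()
            if not name.startswith("./"):
                raise ValueError("unexpected spec line: %r" % line)
            spec[name[2:]] = dict(kv.split("=", 1) for kv in kvs)
    return spec


def compare(baseline, current):
    """Report (missing, extra, changed) the way the periodic check would:
    missing = in the spec but gone, extra = on disk but not in the spec,
    changed = [(relpath, [(keyword, old, new), ...]), ...]."""
    missing = sorted(set(baseline) - set(current))
    extra = sorted(set(current) - set(baseline))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        keys = sorted(set(baseline[rel]) | set(current[rel]))
        diffs = [(k, baseline[rel].get(k), current[rel].get(k))
                 for k in keys if baseline[rel].get(k) != current[rel].get(k)]
        if diffs:
            changed.append((rel, diffs))
    return missing, extra, changed
```

To mirror the post's split, `build_spec` plus `write_spec` is the one-off baseline generator (the part that would run after installworld), and `read_spec` plus `compare` against a fresh `build_spec` is the periodic check; the spec path handed to `read_spec` is where a "fetch it from another host" command would plug in.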