Date: Wed, 24 Feb 2016 21:38:46 -0800 From: Robert Ayrapetyan <robert.ayrapetyan@gmail.com> To: freebsd-security@freebsd.org Subject: Re: verify FreeBSD installation Message-ID: <56CE9366.7050302@gmail.com> In-Reply-To: <56cde2cd.8964420a.945d.5802SMTPIN_ADDED_MISSING@mx.google.com> References: <56CD2EE3.5080009@gmail.com> <56cde2cd.8964420a.945d.5802SMTPIN_ADDED_MISSING@mx.google.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks everyone! On 02/24/16 09:04, Roger Marquis wrote: >> Hi. Is there any reliable way to verify checksums of all local files >> for some FreeBSD installation? E.g. I'm using a hoster which provides >> pre-deployed FreeBSD instances, how can I be sure there are no any >> patches\changes in a kernel\services etc? > > At the filesystem-level there's security/integrit which we use with a > wrapper script for readable reports. Integrit replaced tripwire when > that company moved away from FOSS. > > From the configuration-level there's 'pkg info', 'sysrc -a', 'ipfw sh', > ... and of course the parsed output from /var/log/* to add real-time > monitoring. > > I also recommend supplementing these tools with revision tracking for > anything host-specific and non-binary such as /etc/periodic/*/* and > /etc/rc.*. RCS works well for this on the localhost-level. On a large > scale ansible is my tool of choice for pulling this information from any > number of hosts into hg or git from which deltas and other reports can be > easily generated. > > If you manage a large number of hosts and are interested in helping to > pull all of these tools into a pkg/port let me know. > > Roger > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56CE9366.7050302>