Date: Fri, 11 Dec 1998 13:35:21 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Charles Reese
cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging

On Thu, 10 Dec 1998, Charles Reese wrote:

> Can tripwire be modified to compare two databases rather than one data base
> and the current files? I ask because I monitor some systems remotely and I
> would like to be able to automatically generate a tripwire database on the
> remote system, ftp it to my local site and compare it with a previously
> created database that I have stored here on read-only media. It is not
> possible for me to use read-only media on the remote machine.

Check out L5 from Hobbit. From the README:

    L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or
    "find" would, generating listings of anything it finds there. It tells
    you everything it can about a file's status, and adds on the MD5 hash
    of it. Its output is rather "numeric", but it is a very simple format
    and is designed to be post-treated by scripts that call L5.

Find it at any good archive of security tools.

If file transfer is much of an issue, you can just compare an md5 summary
of the entire file and only transfer the whole file when there's a
discrepancy.

Without read only media, you are vulnerable to someone putting a trojan in
place of tripwire, L5, or whatever else you are using.

If you've got a floppy on hand but it's not big enough for complete sets of
checksums then put your checksumming system and summary hashes there.

Andrew McNaughton
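
The database-to-database comparison asked about above, combined with the summary-hash shortcut from the reply, as an added example that is not part of the original message and is not code from L5 or tripwire. The "digest  path" manifest format, the function names and the sample entries are assumptions constructed for illustration, and SHA-256 stands in for MD5 as the summary hash.

```python
import hashlib

# Constructed sample manifests, one "digest  path" per line (not L5's real format).
BASELINE = """\
0f343b0931126a20f133d67c2b018a3b  /bin/ls
d41d8cd98f00b204e9800998ecf8427e  /etc/motd
9e107d9d372bb6826bd81d3542a419d6  /usr/bin/login
"""
REMOTE = """\
0f343b0931126a20f133d67c2b018a3b  /bin/ls
e4d909c290d0fb1ca068ffaddf22cbd0  /usr/bin/login
7215ee9c7d9dc229d2921a40e899ec5f  /usr/local/bin/new tool
"""

def parse_manifest(text):
    """Turn 'digest  path' lines into {path: digest}; reject malformed lines."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # the path may itself contain spaces
        if len(parts) != 2:
            raise ValueError(f"line {n}: expected 'digest  path'")
        entries[parts[1]] = parts[0].lower()
    return entries

def summary_hash(text):
    """One digest over the whole manifest: the small value to fetch first."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def compare(baseline_text, remote_summary, fetch_remote):
    """Diff remote against the baseline, fetching the full remote manifest
    only when its summary differs from the baseline's own summary."""
    if remote_summary == summary_hash(baseline_text):
        return {"added": [], "removed": [], "changed": []}
    old = parse_manifest(baseline_text)
    new = parse_manifest(fetch_remote())  # e.g. the ftp transfer
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

if __name__ == "__main__":
    print(compare(BASELINE, summary_hash(REMOTE), lambda: REMOTE))
```

The summary is only as trustworthy as the tool that produced it on the remote host, which is the point the reply makes about keeping the checksumming system on read-only media.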