Date: Thu, 1 Jun 2000 11:41:58 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200006011541.LAA37965@khavrinen.lcs.mit.edu>
To: Robert Gash
Cc: freebsd-security@FreeBSD.ORG
Subject: Recommendations for alternative tripwire options

Robert Gash said:

> Has anyone found any decent systems like tripwire available under the GNU
> GPL?

You are asking this on a FreeBSD mailing-list?

In any event, try (in 5-current and 4-stable):

    # mtree -ciK md5digest,sha1digest,ripemd160digest -p / > my.file.list

To check, use:

    # mtree -p / < my.file.list

You will probably find a significant number of files which are
expected to change; you'll want to list these in a separate file and
regenerate the list using the `-X' option. (You'll then also want to
check the list using the same option.) At some point, I'll try to
come up with a list which could serve as a starting point.

Here is an example of what the specification file looks like:

    #          user: wollman
    #       machine: khavrinen.lcs.mit.edu
    #          tree: /
    #          date: Thu Jun 1 11:36:55 2000

    # .
    /set type=file uid=0 gid=0 mode=0755 nlink=1
    .               type=dir nlink=24 size=1024 time=958576737.0
        .cshrc      mode=0644 nlink=2 size=653 time=958576718.0 \
                    md5digest=7f38e672eedf928898b502e591f00c50 \
                    sha1digest=a2bf06ffb1c8478fdf898e6b748c4f48f2fa8b72 \
                    ripemd160digest=24e07e45d56f8b7eafdc48e7063f21ac2aa4de62
        .profile    mode=0644 nlink=2 size=251 time=948741779.0 \
                    md5digest=5cda7079d26225afa62d327ed5675cc5 \
                    sha1digest=efb1d360dc4643341466976cfaa009324a7f713b \
                    ripemd160digest=7449907dda3d6ed151c1aa5ebe697ff3ace61454
    [...]
        kernel      mode=0555 size=2397703 time=958575176.0 \
                    md5digest=386cabf8174df13f02c447f0481723dc \
                    sha1digest=6e599333455b1bd469a23ac1ea0aa7675d4cb0b2 \
                    ripemd160digest=885928f0e37675bbe2bf1277b06ca743576265d4 \
                    flags=schg
    [rest of the specification deleted]

-GAWollman
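An added example, not part of the original message and not mtree's own code: a small Python parser for the specification format shown above, used to compare a stored baseline against a later specification while skipping paths expected to change, in the spirit of the `-X' exclude list. The sample specs, the function names and the use of Python's fnmatch (whose `*' also matches `/') are assumptions of this sketch; encoded file names are not decoded.

```python
import fnmatch

# Constructed specs in the format shown above (made-up digests); CURRENT simulates a later run.
BASELINE = """\
/set type=file uid=0 gid=0 mode=0755 nlink=1
.               type=dir nlink=3
    kernel      mode=0555 size=2397703 \\
                sha1digest=bbbb flags=schg
    var         type=dir
        messages mode=0644 size=10 sha1digest=cccc
    ..
..
"""
CURRENT = BASELINE.replace("bbbb", "dddd").replace("size=10 sha1digest=cccc", "size=99 sha1digest=eeee")

def parse_spec(text):
    """Return {path: {keyword: value}} for an mtree specification."""
    entries, defaults, stack = {}, {}, []
    for words in map(str.split, text.replace("\\\n", " ").splitlines()):  # join continuations
        if not words or words[0].startswith("#"):
            continue
        name, attrs = words[0], dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if name == "/set":
            defaults.update(attrs)
        elif name == "/unset":
            defaults = {k: v for k, v in defaults.items() if k not in words}
        elif name == "..":
            stack.pop()  # leave the current directory
        else:
            attrs = {**defaults, **attrs}
            entries["/".join(stack + [name])] = attrs
            if attrs.get("type") == "dir":
                stack.append(name)  # the entries that follow are inside it
    return entries

def excluded(path, patterns):
    """-X rule: a pattern containing '/' matches the whole path, else the basename."""
    base = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatchcase(path if "/" in p else base, p) for p in patterns)

def diff_specs(old, new, exclude=()):
    """Return {path: 'added' | 'removed' | [changed keywords]}, skipping excluded paths."""
    report = {}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a != b and not excluded(path, exclude):
            report[path] = ("added" if a is None else "removed" if b is None else
                            sorted(k for k in {*a, *b} if a.get(k) != b.get(k)))
    return report
```

With the log file excluded, only the changed kernel digest is reported, which is the kind of difference the baseline exists to surface.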