Very Computer

Hello y'all,

I'll soon be placing a couple OpenBSD systems in harm's way (connected
full-time to the Internet).  I've never before paid much attention to
intrusion detection and such, but I'm more worried about it now.

At any rate, I've been considering three systems to help me monitor my
Internet-connected systems: OpenBSD's bundled mechanisms (mtree and the
/etc/security script), COPS, and Tripwire.

Except for maybe the Kuang expert system, it seems to me that COPS
doesn't do much more that OpenBSD's /etc/security script.  It's also not
clear to me what (if any) extra features that Tripwire provides would be
worth spending cash on.  It also doesn't help that Tripwire isn't
supported on the *BSDs either, though it might run under Linux
compatability mode.

So should I just spend time with mtree, or investigate the other
packages?  Any suggestions are welcome.

Later,

James Graves

--
_______________________________________________________________________________
http://www.xnet.com/~ansible                       Rapture.  Be Pure. - Blondie

JG| So should I just spend time with mtree, or investigate the other
JG| packages?  Any suggestions are welcome.

Tripwire 1.2 is free and works on OpenBSD with few modifications.
It can be retrieved from ftp.cert.org and costs nothing...

--
I argue very well.  Ask any of my remaining friends.  I can win an
argument on any topic, against any opponent.  People know this, and
steer clear of me at parties.  Often, as a sign of their great respect,
they don't even invite me.

(But I'm becoming cynical.  I've been mentioning this idea for about 3 years,
and noone's finished it yet).

--

Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions.  OpenBSD is Free Software.

Quote:>I would love it if people sat down and finished our mtree, with minor
>little tweaks here and there, so that it would be a complete
>alternative to tripwire.

James Graves
--
_______________________________________________________________________________
http://www.xnet.com/~ansible                       Rapture.  Be Pure. - Blondie

Quote:>I would love it if people sat down and finished our mtree, with minor
>little tweaks here and there, so that it would be a complete
>alternative to tripwire.

>(But I'm becoming cynical.  I've been mentioning this idea for about 3 years,
>and noone's finished it yet).

--

--

It's also not clear to me what else Tripwire does that we really need.
I'm sure it has nicer reports and such.  And it appears that the
handling of the specification files is better and with more features (for
example it'll encrypt it for you automatically).  For the specs, I'm
planning to use removable media instead.

Reporting and such aren't that important to me (a diff of old vs. new is
fine).  Is mtree + /etc/security missing any other basic functions that
Tripwire has?

James
--
_______________________________________________________________________________
http://www.xnet.com/~ansible                       Rapture.  Be Pure. - Blondie

The problem with md5 is that you can purposefully make binaries with
alterior motives have the same md5.  Thus my suggestion of sha1, or something
similar. This is why ports has added sha1 to the tree as a check on the
downloaded source.
--

: The problem with md5 is that you can purposefully make binaries with
: alterior motives have the same md5.  Thus my suggestion of sha1, or something
: similar.

   How is this different from the keyword sha1digest in the current mtree?

   Adam