Subject: Re: Daily sysadmin tasks
From: Ryan Permeh (Ryan@EEYE.COM)
Date: Mon Jun 26 2000 - 18:23:38 CDT
- Next message: Scott Fendley: "Re: Daily sysadmin tasks"
- Previous message: Antonomasia: "Re: Daily sysadmin tasks"
- In reply to: Ed Arnold: "Re: Daily sysadmin tasks"
- Next in thread: Scott Fendley: "Re: Daily sysadmin tasks"
- Next in thread: Antonomasia: "Re: Daily sysadmin tasks"
- Reply: Ryan Permeh: "Re: Daily sysadmin tasks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Which is why I said to use perl. Data reduction is an important part of
watching logs. Reading raw logs on more than a couple machines is insane,
tripwire or not. Besides, tripwire is not particularly useful in a system
where you do not have easy access to a read only/removable partition, and
even if you do, tripwire is only as secure as the security of that store.
Integrity checking has been beaten to death by now in the various news
groups and mailing lists, so I'm not going to argue the merit or demerit of
tripwire or any integrity checking system. All my initial note was
attempting to do was give a newbie a quick checklist of changed files in the
past day (sorry I forgot the -mount, I don't use much NFS :).
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Ed Arnold" <era@pobox.com>
To: "Ryan Permeh" <Ryan@EEYE.COM>
Cc: <focus-sun@securityfocus.com>
Sent: Monday, June 26, 2000 4:05 PM
Subject: Re: Daily sysadmin tasks
> On Fri, 23 Jun 2000, Ryan Permeh wrote:
>
> > put this in your root crontab:
> >
> > 0 0 * * * find / -mtime -1 -print | mail root@localhost
> >
> > ...
> >
> > It's almost always better to have too much information than not enough.
>
> No it's not. I monitor about a dozen systems with Tripwire and that's
> a real stretch for one person if you're really doing it diligently.
> Your find approach would so overload you, that you couldn't possibly
> use the output unless you were only looking at one or two lightly-used
> machines.
>
> BTW you had better use "-mount" and explicitly list all your filesystems
> to avoid NFS, if you're really going to use the above approach.
>
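The cron entry quoted above, reworked as an added example (written in shell rather than the Perl Ryan suggests; it is neither poster's code). It applies both points raised in the thread: the filesystems to scan are listed explicitly and find is told not to cross mount points, and the result is filtered against a noise list before it goes anywhere near a mailbox. The filesystem list and the noise patterns are constructed defaults meant to be tuned per host, and PREFIX is an added knob for running the same script over a copy of a filesystem mounted elsewhere. It also checks ctime alongside mtime, which the thread does not mention, so that a file whose mtime has been backdated with touch(1) still shows up.

```shell
#!/bin/sh
# Daily "what changed in the last 24 hours" report. Added example for this
# thread, not the cron entry from the original post: same job, with the
# filesystems listed explicitly, mount points respected, and the output
# reduced before it is mailed.

# Local filesystems to walk. Listing them (rather than just "/") keeps NFS
# and other remote mounts out of the scan; -xdev below (the portable
# spelling of -mount) is the second guard and stops find at mount-point
# boundaries even if this list is wrong. Constructed default; set per host.
FILESYSTEMS="${FILESYSTEMS:-/ /usr /var}"

# Paths whose churn is expected and would drown the report. Constructed
# defaults; tune per host. One extended regular expression per line.
NOISE_PATTERNS='^/proc(/|$)
^/dev(/|$)
^/tmp(/|$)
^/var/log(/|$)
^/var/spool(/|$)
^/var/run(/|$)'

# Stripped from the front of each path before the noise patterns are
# applied, so the same script works on a copy mounted somewhere else (a
# read-only image under /mnt/image, say). Empty on a live host.
PREFIX="${PREFIX:-}"

# changed_files FS... : regular files changed within the last day on the
# given filesystems, without crossing mount points. Both mtime and ctime
# are tested: mtime is trivially reset with touch(1), but ctime is updated
# by the kernel on every inode change and cannot be set directly from user
# space (short of moving the system clock), so a backdated file is still
# listed. Directories are skipped to cut noise; a new file is reported on
# its own account. Permission errors are silenced.
changed_files() {
    for fs in "$@"; do
        [ -d "$fs" ] || continue
        find "$fs" -xdev -type f \( -mtime -1 -o -ctime -1 \) -print 2>/dev/null
    done
}

# reduce : strip PREFIX, drop paths matching any noise pattern, sort.
reduce() {
    pats=$(mktemp)
    printf '%s\n' "$NOISE_PATTERNS" > "$pats"
    sed "s|^$PREFIX||" | grep -Ev -f "$pats" | sort
    rm -f "$pats"
}

# report : the whole pipeline; prints one path per line.
report() {
    # word splitting of FILESYSTEMS is intended
    changed_files $FILESYSTEMS | reduce
}

# Root crontab usage, mailing the reduced list once a day:
#   0 0 * * * /usr/local/sbin/daily-changes --run | mail -s "daily changes" root
if [ "${1:-}" = "--run" ]; then
    report
fi
```

The ctime test is the part worth keeping even if the rest is replaced by Perl: a file whose mtime has been set back to last year still has a ctime of a moment ago, so it appears in the list. The noise list is the data-reduction step; anything that survives it is small enough to read across a dozen hosts, and anything that should never change (/bin, /sbin, /etc) can be given its own line in the mail if it turns up.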