On Fri, Jan 4, 2013 at 9:06 AM, Anton Aylward <opensuse@antonaylward.com> wrote:
> Greg Freemyer said the following on 01/04/2013 08:56 AM:
>> Tripwire used to be the recommended tool, but no longer is. Google "opensuse tripwire" and you can probably find a sentence naming the new tool.
>
> You are thinking of AIDE, which is an IDS.

You're correct. Here's the opensuse doc for anyone that cares:

http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.ai...

As to the original question, note these configuration options:

md5 - Check if the md5 checksum of the file has changed.
sha1 - Check if the sha1 (160 Bit) checksum of the file has changed.

So one of the things malicious people/software do is replace important files. By monitoring for changes of those 2 it lets you know when a has changed.

fyi: md5 is known to be cracked. It is relatively easy to take any random file that has enough "dead" space and have a program manipulate that dead space to force an overall md5. I am not aware of a similar issue with sha1.

I recommend using both methods simultaneously. I doubt it will ever be possible to manipulate a file to match both a given md5 and a given sha-1 simultaneously.

Greg
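
Added example, not part of the original e-mail and not AIDE's own code: the kind of check the md5 and sha1 options describe, written in Python. It records both digests for every file under a directory and reports, on a later scan, which digests differ. The function names and the sample files `login` and `motd` are constructed for illustration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1")  # the two AIDE options named in the message


def digest_file(path):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root):
    """Map each file's path relative to root to its digests."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = digest_file(full)
    return baseline


def compare(baseline, current):
    """Return {path: 'added' | 'removed' | [names of digests that differ]}."""
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings[path] = "removed"
        elif path not in baseline:
            findings[path] = "added"
        elif baseline[path] != current[path]:
            findings[path] = [a for a in ALGORITHMS if baseline[path][a] != current[path][a]]
    return findings


def demo():
    """Constructed sample: baseline a temp dir, replace one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("login", b"original binary\n"), ("motd", b"welcome\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        with open(os.path.join(root, "login"), "wb") as fh:
            fh.write(b"replaced binary\n")  # same size, different content
        return compare(baseline, build_baseline(root))
```

The baseline only helps if it is stored where the monitored host cannot rewrite it, for example on read-only or offline media.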