|
Home > Archive > Unix administration > January 2004 > AIDE ( replacement for tripwire ), checking for rootkits / modified
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
AIDE ( replacement for tripwire ), checking for rootkits / modified
|
|
|
|
I am in the process of removing root privileges from developers ( It's a
long story, but it has been like that before I even cam started working
with the company ).
Since the developers still have root access ( otherwise, their apps will
not run ) until after I have configured everything correctly so that
their apps need need to run as root, there is always the possibilility
that either
a) someone has already modified the system binaries, or installed
rootkits, etc ....
b) or will do so just after I a check is done but before I revoke root
privileges from them.
I would want to be able to know:
If any rookits are installed before or after I have denied everyone else
root privileges ... check if the Solaris binaries in /usr ... /bin ...
etc... are what they are supposed to be.
( I suppose I can run pkgchk, but if the package itself in /var/sadm/
.... has been modified to make be believe nothing has been altered, it's
another story. )
Which one do most of you use? Nessus ? etc. ?
Is there a way to check the binaries programatically against's Sun's
website or something like that ?
Now assuming everything was fine even after root privileges has been
revoked from them, I am thinking of then using AIDE
http://www.cs.tut.fi/~rammer/aide.html
Anyone with experience with it to provide some feedback ?
Is it worth it ?
|
|
|
|
|