On Tue, Sep 12, 2000 at 12:00:58PM -0400, rpjday wrote:
> On Tue, 12 Sep 2000, Hal Burgiss wrote:
>
> > On Tue, Sep 12, 2000 at 09:54:30AM -0500, Jonathan Wilson wrote:
> > > I was just thinking. I know there's trip wire and stuff, but it would be
> > > neat to have cron run a script, that did md5sum "checks" on various things,
> > > and mailed you, if the sum changed on anything that's in its list. Anyone
> > > have anything like that? I know practically nothing about scripting, but how
> > > hard would that be to write? Seems like it would go something like this:
> > >
> > > For every file in /etc/this_script's.conf, do "$file /path/to/md5sum" >
> > > /var/log/today's_copy. and diff /var/log/today's_copy against
> > > /var/log/yesterday's_copy, if today's_copy != yesterday's_copy, mail root
> > >
> > > OTH maybe I'm just silly ;-)
> >
> > This is pretty much what tripwire does, but it checks more than
> > md5sum. You can config it for any list of files you want. If
> > everything is OK, there is no output. If run from cron, and there are
> > discrepancies, then root (or whoever) gets mailed the cron output.
>
> aha!! someone who professes knowledge of tripwire. so can you,
> or anyone else, explain just how the selection masks work. that is,
> why would one need to specify a set of masks like
> +pinug-sacm123456789

I know just enough to install it, and seemingly do what I want. I
remember it being arcane alright. I just modified the examples in the
included config file. Which is pretty well commented IMO.

> what is the point of having to state *both* what you want included
> and what you want excluded? why on earth wouldn't you just want some
> sort of default behavior? and what happens if you deliberately
> omit some masks, so that you get
>
> +pin-sacm

Can you not set default for groups of files:

# Binary
@@define BINM E+pnugsci12
[...]
/bin/ps @@BINM

> what does this mean with relation to the other masks?

Good question ;) Most of this arcaneness is explained in the config
file I have. I am using tripwire-1.2-3 and looks like it was packaged
by RH. Don't recall where I got it. Probably 'rpmfind'.

> i've scanned the docs looking for a simple explanation and come
> up with zip. can anyone clear this up?

I'll mail my config file if you want. Maybe it is better commented
than what you have.

Eric --
I run it from a write protected floppy. I am only watching about 20
files so the database is very small. inetd.conf is one. I think
anyone who breaks in will likely touch something on this smallish
list.
--
Hal B
[EMAIL PROTECTED]
--
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
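
The cron-driven md5sum check sketched in the quoted message, written out as an added example (not code from anyone in this thread). The list file and baseline paths are hypothetical. It compares against a fixed baseline rather than yesterday's copy, and it covers file contents only, not the other attributes tripwire checks.

```shell
#!/bin/sh
# Added example: hypothetical file names; the list file holds one absolute
# path per line, '#' starts a comment line.

# snapshot LISTFILE -> prints one "md5  path" line per listed file.
# A file that is gone or unreadable is recorded as MISSING, so a
# deletion shows up in the comparison instead of vanishing silently.
snapshot() {
    while IFS= read -r f; do
        case "$f" in ''|'#'*) continue ;; esac
        if [ -r "$f" ]; then
            md5sum "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done < "$1"
}

# check LISTFILE BASELINE -> prints the differing lines and returns 1 if
# anything changed; prints nothing and returns 0 if all sums match, so a
# cron job only produces mail when there is something to report.
check() {
    today=$(mktemp) || return 2
    snapshot "$1" > "$today"
    if diff "$2" "$today"; then rc=0; else rc=1; fi
    rm -f "$today"
    return "$rc"
}

# Usage (paths are assumptions):
#   snapshot /etc/sumcheck.conf > /mnt/floppy/baseline   # once, then write-protect
#   check /etc/sumcheck.conf /mnt/floppy/baseline        # from cron
if [ "$#" -eq 2 ]; then check "$1" "$2"; fi
```

Because the baseline is what every later run is judged against, it belongs on media the monitored host cannot write to, as with the write-protected floppy mentioned above.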