Marco Fioretti
2006-Jun-12 13:57 UTC
[CentOS] Check integrity or rootkits on remote server?
Hello,

when one has physical access to a computer, he can run something like tripwire, with keys and checksum on a separate, write-only media, to verify the integrity of the system.

What if the system is a remote one (in my case CentOS 4.3 on a User Mode Linux VPS some hundreds of km from here)?

Does it still make sense to run tripwire remotely? If yes, how, since you cannot plug a floppy or USB drive into the machine?

What if tripwire was never run? Does it make sense, on a CentOS system without physical access, to download there and run remotely one of those rootkit detection tools? Would its findings be surely accurate?

Generally speaking, how does one handle these issues on remote systems?

Thanks in advance for any comment,

Marco
I would run an integrity checker like tripwire; one alternative is AIDE (http://sourceforge.net/projects/aide). If you have another machine at the same location, then you could create an NFS share with read-only permissions that you could mount and unmount only when you are going to perform the checks; just make sure that the directory on the remote machine has the right permissions set and is in an obscure directory.

As far as the rootkit detection tools go, I don't see why you shouldn't run those too.

On 6/12/06, Marco Fioretti <mfioretti at mclink.it> wrote:
> Hello,
>
> when one has physical access to a computer, he
> can run something like tripwire, with keys and
> checksum on a separate, write-only media, to
> verify the integrity of the system.
> [...]

--
Thx
Joshua Gimer
On Tue, Jun 13, 2006 06:32:03 AM -0600, Joshua Gimer (jgimer at gmail.com) wrote:
> I would run an integrity checker like tripwire, one alternative is
> aide http://sourceforge.net/projects/aide. If you have another
> machine at the same location then you could create an NFS share with
> read-only permissions

hmmm, no, unfortunately I only have that VPS in that location, and my home PC here. How would I proceed to use (securely) from the VPS a tripwire database stored here on my local computer? Only ssh would be available.

TIA,
Marco
--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/
Knowledge is not information, it's transformation - Osho
On Mon, Jun 12, 2006 at 03:57:11PM +0200, Marco Fioretti wrote:
> Hello,
>
> when one has physical access to a computer, he
> can run something like tripwire, with keys and
> checksum on a separate, write-only media, to
> verify the integrity of the system.
> [...]
> Generally speaking, how does one handle these issues on
> remote systems?
> Thanks in advance for any comment,

Hello,

You may be interested in Osiris: <http://osiris.shmoo.com/data/osiris-4.1.5.tar.gz>

It uses a client-server model to perform host integrity checking. The Osiris daemon on your VPS communicates securely with a monitor console application at your location. Come to think of it, it's a lot like how commercial alarm systems work.

Also, I have found both chkrootkit and rkhunter useful; they are not as smart as a real person, but they may help warn you that you should check the system, like a check-engine light in a car...

> Marco
>
- Mike
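The ssh-only setup Marco asks about in his follow-up (the integrity database kept on the admin's own machine, the comparison done there) and the read-only-baseline idea behind Joshua's NFS suggestion can both be reduced to one small script that needs nothing on the VPS beyond coreutils and a shell. The script below is an added example written for this page; it is not code from the thread, nor from tripwire, AIDE or Osiris. The directory tree and file contents it creates are constructed test data, and the function names make_baseline, changed_paths and verify_baseline are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal off-host file-integrity check
# in the spirit of tripwire/AIDE, for a host reachable only over ssh.
# The monitored host needs only coreutils; the admin machine keeps the baseline
# and does the comparison. Paths are relative to the checked directory so the
# manifest can be recomputed on the host and compared elsewhere.

# make_baseline DIR OUT
# Hash every regular file under DIR into manifest OUT, sorted by path under a
# fixed locale so the same tree always yields a byte-identical manifest.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# changed_paths DIR BASELINE
# Print, one per line, the relative paths that were added, removed or modified
# since BASELINE was taken. Prints nothing when the tree is unchanged.
changed_paths() {
    cp_now=$(mktemp)
    make_baseline "$1" "$cp_now"
    # diff marks a line present only in the baseline with '<' and only in the
    # current manifest with '>'; either way the file needs attention. Strip the
    # marker and the hash, keep the path, and fold a modified file's two lines
    # (old hash, new hash) into one with sort -u.
    { diff "$2" "$cp_now" || true; } | sed -n 's/^[<>] [0-9a-f]*  //p' | LC_ALL=C sort -u
    rm -f "$cp_now"
}

# verify_baseline DIR BASELINE
# Exit status 0 when DIR matches BASELINE, 1 otherwise (changed paths printed).
verify_baseline() {
    vb_changed=$(changed_paths "$1" "$2")
    if [ -z "$vb_changed" ]; then
        return 0
    fi
    printf '%s\n' "$vb_changed"
    return 1
}

# Demonstration on a constructed directory tree standing in for the VPS's /etc.
demo() {
    d=$(mktemp -d)
    mkdir "$d/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"

    # 1. Taken once, right after install, then copied to the admin machine and
    #    removed from the host: an intruder must not be able to rewrite it.
    make_baseline "$d/etc" "$d/baseline.admin"

    # 2. Routine check: tree unchanged, so nothing is listed.
    verify_baseline "$d/etc" "$d/baseline.admin" && echo "clean"

    # 3. Simulate an intruder adding a second uid-0 account; ./passwd is listed.
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$d/etc/passwd"
    verify_baseline "$d/etc" "$d/baseline.admin" || echo "integrity check FAILED"

    rm -rf "$d"
}
demo
```

In real use the two halves run on different machines: once, after install, `ssh vps 'cd / && find etc -type f -exec sha256sum {} +' | LC_ALL=C sort -k 2 > baseline` on the admin PC, and at every check the same command piped into `diff baseline -`; the baseline never lives on the VPS, which is what the read-only NFS share or Joshua's "mount only while checking" rule was buying. Two caveats a practitioner should keep in mind. First, on a 2006-era CentOS 4 box whose coreutils predates sha256sum, substitute sha1sum (or `openssl dgst`). Second, everything in the manifest is computed by the host being audited, so a kernel-level rootkit can feed back clean hashes for the files it hides or patches; the same limitation applies to chkrootkit and rkhunter run on the box itself, and it is the reason tripwire keeps its keys on read-only media and Osiris pushes the judgement to a separate monitor. This check therefore raises the bar and catches the common case, but it cannot prove a VPS is clean, and a host believed to be rooted is best rebuilt from the provider's image rather than cleaned in place.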