[rescue] SGI fw_sshd and security
Phil Stracchino
alaric at caerllewys.net
Sun Mar 7 16:17:29 CST 2004
On Sun, Mar 07, 2004 at 05:03:09PM -0500, Dave McGuire wrote:
> At Digex, we had a really great scheme going. We did rdist verify
> passes every night, from our proto machines which were as locked-down
> as we could make them. Now, if you're familiar with rdist, you know
> that in verify mode it sends each file down and then does a
> byte-for-byte compare. That'd be a tremendously expensive operation to
> perform on, say, six hundred SPARCstations. We made a nice little mod
> to rdist in which the MD5 checksum is sent down to the target machine
> and verified. I think that may have actually made it into the main
> rdist source tree but I'm not sure. It was *cool*.
It's probably appropriate to mention at this point that Bacula, the
enterprise backup system I've been testing and occasionally helping
bugfix for the last two years, has a built-in feature to do this. It
routinely checksums every file it backs up in any case (either MD5 or
SHA1, selected by a configuration option). Having that basis already
there, it was a simple step to allowing you to create a fileset in your
catalog containing the files you want to monitor, then just do a
verify-to-catalog each night to warn you of any changes in size,
checksum, permissions, ownership and/or create/modify dates. Backup and
tripwire-like functionality in one tool.
--
.********* Fight Back! It may not be just YOUR life at risk. *********.
: phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
: alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net :
: 2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold) :
: Linux Now! ...Because friends don't let friends use Microsoft. :
More information about the rescue
mailing list