[rescue] SGI fw_sshd and security

Phil Stracchino alaric at caerllewys.net
Sun Mar 7 16:17:29 CST 2004


On Sun, Mar 07, 2004 at 05:03:09PM -0500, Dave McGuire wrote:
>   At Digex, we had a really great scheme going.  We did rdist verify 
> passes every night, from our proto machines which were as locked-down 
> as we could make them.  Now, if you're familiar with rdist, you know 
> that in verify mode it sends each file down and then does a 
> byte-for-byte compare.  That'd be a tremendously expensive operation to 
> perform on, say, six hundred SPARCstations.  We made a nice little mod 
> to rdist in which the MD5 checksum is sent down to the target machine 
> and verified.  I think that may have actually made it into the main 
> rdist source tree but I'm not sure.  It was *cool*.


It's probably appropriate to mention at this point that Bacula, the
enterprise backup system I've been testing and occasionally helping
bugfix for the last two years, has a built-in feature to do this.  It
routinely checksums every file it backs up in any case (either MD5 or
SHA1, selected by a configuration option).  Having that basis already
there, it was a simple step to allowing you to create a fileset in your
catalog containing the files you want to monitor, then just do a
verify-to-catalog each night to warn you of any changes in size,
checksum, permissions, ownership and/or create/modify dates.  Backup and
tripwire-like functionality in one tool.


-- 
 .*********  Fight Back!  It may not be just YOUR life at risk.  *********.
 : phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
 :  alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net  :
 :   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)   :
 :    Linux Now!   ...Because friends don't let friends use Microsoft.    :
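
The nightly verify-against-a-stored-baseline idea from the message above, as an added example; it is not Bacula's or rdist's code. The function names, the SHA-256 default (the message mentions MD5 or SHA1) and the sample files are assumptions constructed for the illustration.

```python
import hashlib, os, stat, tempfile

FIELDS = ("size", "digest", "mode", "uid", "gid", "mtime")

def record(path, algo="sha256"):
    """Collect the attributes a verify pass compares for one file."""
    st = os.lstat(path)
    h = hashlib.new(algo)
    if stat.S_ISREG(st.st_mode):  # only regular files have content to hash
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {"size": st.st_size, "digest": h.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": st.st_mtime_ns}

def verify(catalog, algo="sha256"):
    """Return {path: [changed fields]}; a vanished file reports ['missing']."""
    report = {}
    for path, old in catalog.items():
        try:
            new = record(path, algo)
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        diff = [f for f in FIELDS if old[f] != new[f]]
        if diff:
            report[path] = diff
    return report

def demo():
    """Constructed sample files: baseline three, alter each, then verify."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (os.path.join(d, n) for n in ("sshd_config", "login", "su"))
        for p in (a, b, c):
            with open(p, "wb") as f:
                f.write(b"original contents\n")
            os.chmod(p, 0o644)
        catalog = {p: record(p) for p in (a, b, c)}  # store off the monitored host
        st = os.stat(a)
        with open(a, "wb") as f:  # same length, different bytes
            f.write(b"0riginal contents\n")
        os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime put back
        os.chmod(b, 0o666)  # permissions loosened
        os.remove(c)
        return {os.path.basename(p): ch for p, ch in verify(catalog).items()}

if __name__ == "__main__":
    print(demo())
```

In the demo the first file keeps its size and modification time, so only the checksum field reports the change.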