verify binary files

Kevin Buettner kev@primenet.com
Thu, 22 Feb 2001 18:57:11 -0700


On Feb 22,  2:22pm, der.hans wrote:

> On 22 Feb 2001, Kevin Buettner said:
> 
> > On Feb 22,  1:09pm, Craig White wrote:
> > 
> > > If I recall, someone listed a command that would verify and list any
> > > binaries that had changed - does anyone know what the command was?
> > 
> > It depends on the distribution.  On Red Hat systems, try ``rpm --verify''.
> 
> That should work for any rpm-based dist, right?

Right.

> It'll cover anything installed from the package management system,
> but will miss the stuff installed from tarballs, etc.

Right again.

> Craig might be looking for tripwire, though. I think there's an Open
> Source package on Source Forge that does the same stuff as tripwire.
> 
> I don't see a similar option for dpkg or apt-get. The /usr/ports stuff
> would have to use something similar to tripwire.

Can someone give me a brief primer on how tripwire is implemented?  I
read somewhere recently that it uses a kernel module on linux and
basically watches for open() calls (where write access is requested)
on specific system files.  Is this right or not?
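Both approaches discussed in the thread (``rpm --verify'' for packaged files, tripwire-style checks for everything else) come down to recording a baseline of each file's hash and attributes and later comparing the live filesystem against it. The following is an added, hypothetical example of that baseline-and-compare approach, not code from the thread or from tripwire; the paths and file contents it uses are constructed in a temporary directory.

```python
"""Hypothetical baseline-and-verify integrity check (added example, not tripwire code)."""
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Hash the file and capture the attributes a change would show up in."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root):
    """Map relative path -> record for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline

def verify(root, baseline):
    """Compare the live tree with a stored baseline; the baseline itself must be kept
    somewhere the checked host cannot modify (read-only media, another machine)."""
    current = build_baseline(root)
    report = {"changed": {}, "missing": [], "new": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        diffs = [k for k in old if old[k] != new[k]]
        if diffs:
            report["changed"][rel] = diffs
    report["new"] = sorted(set(current) - set(baseline))
    return report

def demo():
    """Constructed scenario: baseline three 'binaries', then replace, delete and add one."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        baseline = build_baseline(root)
        with open(os.path.join(bindir, "ps"), "wb") as f:   # replaced binary
            f.write(b"#!/bin/sh\necho ps (modified)\n")
        os.remove(os.path.join(bindir, "netstat"))           # deleted binary
        with open(os.path.join(bindir, "login"), "wb") as f:  # unexpected new file
            f.write(b"x")
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Unlike ``rpm --verify'', this catches files that were never installed through a package manager, because the baseline is built from the filesystem rather than from package metadata.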