On Feb 22,  2:22pm, der.hans wrote:

> Am 22. Feb, 2001 schwäzte Kevin Buettner so:
> 
> > On Feb 22,  1:09pm, Craig White wrote:
> > 
> > > If I recall, someone listed a command that would verify and list any
> > > binaries that had changed - does anyone know what the command was?
> > 
> > It depends on the distribution.  On Red Hat systems, try ``rpm --verify''.
> 
> That should work for any rpm-based dist, right?

Right.

> It'll cover anything installed from the package management system,
> but will miss the stuff installed from tarballs, etc.

Right again.

> Craig might be looking for tripwire, though. I think there's an Open
> Source package on Source Forge that does the same stuff as tripwire.
> 
> I don't see a similar option for dpkg or apt-get. The /usr/ports stuff
> would have to use something similar to tripwire.

Can someone give me a brief primer on how tripwire is implemented?  I
read somewhere recently that it uses a kernel module on linux and
basically watches for open() calls (where write access is requested)
on specific system files.  Is this right or not?