Yes, tools like diff and md5 would work and I expect will form the components of any solution. I figured that one of the popular IDS mechanisms might be well tuned for this use case, and that there'd be some folks on list using some similar solution (hand-rolled or of an existing project).
Things like tripwire, rkhunter, etc focus on system binaries by default (some - I forget which - even go so far as to add a signature to the ELF header). If they're focused on binaries, they may not be so capable when handling executables for the web (by which I mean *.php and friends). Differences that spring to mind for web-based executables are: the large number of cross-referenced include files; ability to exclude cache directories (eg apps which generate cache-xxx.php files in a specific directory); different maintenance requirements of accepting (or not!) the fact that a customer has just uploaded 112 .inc and .php files when they downloaded phpbb2. So - my target here is easier management of a server where another admin is installing sites and modules of a popular CMS (and I'd like to be notified of what's being added), and notification if an intruder modifies any existing file as well.
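An added sketch of the kind of check this message asks for, not part of the original post and not taken from any existing tool: it hashes only web executables, skips cache directories and generated cache files, and reports added, removed and modified files separately. The extension list, exclusion patterns and function names are assumptions, and SHA-256 is used in place of md5.

```python
import fnmatch
import hashlib
import os

# Assumptions for this sketch, not settings from any existing tool:
WEB_EXTS = (".php", ".inc")        # "*.php and friends"
EXCLUDE_DIRS = {"cache"}           # directories of generated files to skip
EXCLUDE_FILES = ("cache-*.php",)   # generated files such as cache-xxx.php


def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for web executables under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded directories.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip non-web files and symlinks (a link could point outside the tree).
            if not name.lower().endswith(WEB_EXTS) or os.path.islink(path):
                continue
            if any(fnmatch.fnmatch(name, pat) for pat in EXCLUDE_FILES):
                continue
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Split the difference into added, removed and modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def summarise(paths):
    """Count paths per top-level directory, so a bulk upload reads as one line."""
    counts = {}
    for p in paths:
        top = p.split(os.sep, 1)[0] if os.sep in p else "."
        counts[top] = counts.get(top, 0) + 1
    return counts
```

The baseline returned by `snapshot` is only trustworthy if it is stored somewhere the web server account cannot write, since an intruder who can edit the .php files could otherwise edit the baseline too.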
