hi mike, yah, i'm using integrit, but i really need to pare down what gets checked; the reports are next to useless since there's no way in hell i'm going to read the whole thing.
currently, i scan the output for binaries and wierd stuff like "..." or ".pfloyd". but often, the output is just so long that it's a token scan. not a concerted look. just need to find some time to spend with my integrit config files. actually, if anyone has played around with integrit, and has some custom config files, i wouldn't mind taking a look at what you have. btw, integrit is an open source version of tripwire. but as you point out, it prolly doesn't do me much good at this point. i have no idea when their breakin happened. only when it was discovered. :-( pete begin [EMAIL PROTECTED] <[EMAIL PROTECTED]> > Not a direct answer to your Q, but related. > > After installation of packages, AIDE or tripwire can help to check for > file mods with md5 This does nothing for checking the package before you > install it though. :-( > > I dont know of a system to check for MD5 sums of all debain packages and > verify. There have been discussions about how to have cert signing of > packages, but who would be a central authority to sign packages? GPG > might allow for a decentralized, distributed signing system, but it has > drawbacks too. :-( > > In some ways, MD5 is not as secure as gpg signed packages, but imagine > the keyring! > > Sorry I dont have an answer for you, but I would like to see what other > people say. > > -ME _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
