Re: New monit web-interface

[Martin Pala]

Thomas Oppel wrote:
> Am Freitag, 12. Juli 2002 10:59 schrieb Christian Hopp:
>
> > On 11 Jul 2002, Jan-Henrik Haukeland wrote:
> >
> > > Christian Hopp <address@hidden> writes:
> > >
> > > > Wouldn't it be enough to check ctime first and if newer then last
> > > > cycle do a md5sum check.
> > >
> > > Yes another good idea, but..
> > >
> > >
> > > > Some server programs might come up to some megs.
> > >
> > > The check is pretty fast (for this type of application), aprox 0.07
> > > sec (cpu time) for 2 megs.
> >
> > So I did it myself... I home you find it still usefull.  Patch is against
> > last 2.5 beta.
> >
> > Bye,
> >
> > C.Hopp
>
>
> Hi,
>
> maybe I'm a bit paranoid, but is true an intruder now only needs to mangle 
> ctime that md5sums are never checked and monit helps to keep trojaned daemons 
> running?
> As a user I expect the program makeing use of it in any case, if I read md5sum 
> check in config.
> As a sysop I don't care for a bit less performance, if I get a bit more 
> security in return.
> Anyhow, if checking file integrity is a typical tripwire job, I'm glad for 
> every extra level of security I can get.
> So, what about a 'general' check every x cicles, that sums are checked at 
> least 2 or 3 times a day? Or a switch 'alwaysFullCheck=[true|false]' or such?
>
> Greetings,
> Leppo.

I agree with Thomas, it is less secure when checksum will depend on 
ctime. I think that solution outlined above (with configuration swith) 
will be useful to allow sysadmin choose check for every cycle (more 
security) or performance instead, such as:

[set checksumAlways {true|false}]

If not specified, true should be default (i think).


What do you think about it?


Martin