Tiny Core files protection

[etopeter]

Hi,
Im building tripwire box with Tiny Core and I need to setup policy file the Tiny Core way.

Could anyone tell me what files should I monitor for changes as a best security practice for TC linux?

[tinypoodle]

You'd have to be more specific.

Also... "tripwire box" is ambiguous - metaphor or app name??

[etopeter]

Im sure there may be different implementations of protecting core files.
In my case I want to setup Tiny Core box with Open Source Tripwire(http://sourceforge.net/projects/tripwire/). Tripwire in specific has very flexible policy rules that you can configure to your needs.
I want to know if there are files specific to Tiny Core distro that are worth monitoring.
For instance /opt directory .filetool.lst and shell scripts.
Thanks for your help.

[gerald_clark]

Core is just 2 files.  Monitor those plus anything you add.

[tinypoodle]

For what concerns extensions in a PPR,
http://forum.tinycorelinux.net/index.php/topic,7471.msg39709/topicseen.html#msg39709
might be a preferable method.

[netnomad]

hi friends,

perhaps AIDE is the right tool for you, the program is small (less than 1mb),lean and clean.
give it a try! i would be very pleased to find it in the rep one day
aide compares all changes to a database and reports them per mail.

http://aide.sourceforge.net/
AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.

for online monitoring i can recommend you inotify:
http://forum.tinycorelinux.net/index.php/topic,14113.0.html

keep on digging.

[Rich]

Hi etopeter
First you want to select the files you wish to protect from changes. Besides binaries, don't forget conf files.
Next you need to decide what action to take if one of those files gets modified. Most binaries and stock conf
files can be restored by simply rebooting. Your initrd and vmlinuz need to be handled separately. You
might package backup copies in a tcz. Upon detecting a change, load the tcz and copy them to their
default locations and then reboot. You also need to plan your backup strategy. If you have a conf file you've
customized and it gets modified, you don't want to run a backup on it before rebooting. If you have work
files in your home directory that you back up, you may wish to devise a way to back them up without backing
up system settings should they get modified.