You are looking for what's sometimes called a HIDS (Host Intrusion
Detection System).
One traditional approach is to maintain a database of checksums and
permissions of important files offsite using something like samhain,
aide, tripwire or so on. Tiger is a little/no-config install, but it
still has some old-fashioned ideas about what should be considered
suspect. OSSEC is definitely something worth looking at if you have
time to learn it. Some reliability-oriented monitoring tools like
Nagios and Monit, logwatch and some NIDS (Network IDS) can also be
used for what you need. chkrootkit is the usual way to find, well,
rootkits :)
There isn't really a one-size-fits-all commercial solution for HIDS in
the Linux world, but Symantec will sell you SESA for Red Hat if you
have the budget. I prefer to find a mix that works for each situation,
because I can estimate what trade-off between early warning and false
positives can be afforded. Also, too much IDS can be a liability as
well.
The "enumerating badness" idea of AV software can't ever really apply
in a FOSS environment, as the relevant people can patch $hole instead
of trying to create a spotter's guide to everything (that they know
about) that exploits it. As such, one of the more successful virus
vectors for Linux has been making repository commits to
understaffed l10n projects, though this is still exceedingly rare.
--
steev
http://www.daikaiju.org.uk/~steve/
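The checksum-and-permissions approach the reply describes (the core of samhain, aide and tripwire), shown as an added example that is not part of the original post and not code from any of those tools. It builds a baseline of SHA-256 digests and permission bits for a set of paths, and reports added, removed and changed files; the JSON baseline is meant to be stored off the host, as the reply suggests, so that an intruder cannot rewrite it. Paths and function names are the example's own choices.

```python
import hashlib
import json
import os
import stat


def fingerprint(path):
    """Return (sha256 hex digest, permission bits) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)  # e.g. 0o644
    return h.hexdigest(), mode


def snapshot(paths):
    """Build a baseline {path: [digest, mode]} for every regular file under paths."""
    baseline = {}
    for root in paths:
        if os.path.isfile(root):
            baseline[root] = list(fingerprint(root))
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if not os.path.islink(p):  # symlinks are skipped in this example
                    baseline[p] = list(fingerprint(p))
    return baseline


def compare(baseline, current):
    """Diff two snapshots: added/removed paths plus changed paths with the reason."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        old_hash, old_mode = baseline[p]
        new_hash, new_mode = current[p]
        reasons = []
        if old_hash != new_hash:
            reasons.append("content")
        if old_mode != new_mode:
            reasons.append("mode %o -> %o" % (old_mode, new_mode))
        if reasons:
            changed[p] = reasons
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, out_path):
    """Write the baseline as JSON; keep this file off the monitored host."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)
```

Run `snapshot` once on a known-good system, keep the saved baseline on read-only media or a remote host, and periodically `compare` a fresh snapshot against it; any "changed" or "added" entry under directories that should be static is the signal a HIDS raises.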