I am trying to put together an Intrusion Detection policy here at work. So far I have this general outline...
1. Check /etc/passwd and /etc/group files for root back-door
2. Use netstat and nmap to look at open ports. (this is of course utilizing tools that haven't seen the misfortune of a rootkit)
3. Run chkrootkit from http://www.chkrootkit.org
4. Check my tripwire database
5. Browse all crontabs including cron.daily, cron.weekly, cron.monthly, etc. for odd entries (I guess tripwire would see this?).
Know of anything that I could add? What do you use for Intrusion Detection?
apps? links?
Thanks as always!
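An added example (not from the original post) of how step 1 of the outline could be scripted: it looks for extra UID-0 accounts, accounts with an empty password field, and extra members of the gid-0 group. It runs against constructed sample files rather than the live /etc/passwd and /etc/group, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks passwd/group-format
# files for the classic "root back-door" signs. Sample data is constructed.

# Print any account other than "root" whose UID (field 3) is 0.
extra_uid0_accounts() {            # $1 = path to a passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field (field 2) is empty, i.e. login with
# no password at all ("x" or "*" defer to /etc/shadow or lock the account).
empty_password_accounts() {        # $1 = path to a passwd-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print members listed for the gid-0 group (comma-separated field 4).
gid0_members() {                   # $1 = path to a group-format file
    awk -F: '$3 == 0 && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Constructed sample files: "toor" is a second UID-0 account, "guest" has
# no password, and "svc" has been added to the root group.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
guest::1001:1001::/home/guest:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:svc
daemon:x:1:
users:x:100:alice
EOF

echo "extra UID-0 accounts:";     extra_uid0_accounts "$SAMPLE_PASSWD"
echo "empty-password accounts:";  empty_password_accounts "$SAMPLE_PASSWD"
echo "members of gid 0:";         gid0_members "$SAMPLE_GROUP"
```

Point the three functions at /etc/passwd and /etc/group to run the same checks on a real host; on a clean system all three should print nothing.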