I'm thinking of making a disk using trusted binaries and a shell script to audit a linux box to see if it has been compromised. Heres what i have so far. Are there any problems with this, or other things i should look for?

Collect MAC times of files associated with integrity check and other affected files
date
uname -a
Run bash file integrity script
Check for rootkits especially LKM using ./chkrootkit -p /cdrom/bin and kstat -s -P -M
find S/GUIDs and compare with previous list
find suspicious directories/files ".*", " *", "* *" and compare with previous list
find new file in /dev and /bin by using diff
find accounts with no password, or new root accounts. Maybe any new accounts
find un-owned files, world-writable files and directories

You could check to see if any new ports have been opened.

___________________________________
Be prepared. Create a LifeBoat CD.
http://users.rcn.com/srstites/LifeBo...home.page.html

Steve Stites

Yeah thats definately a important thing to check but i figured i'd leave that off the disk and scan the host remotely with nmap since the results would be more trustworthy.

have you checked-out FIRE???

http://fire.dmzs.com/

Yup but i want a somewhat automated disk to detect a intrusion, FIRE is used more to investigate a intrusion.

Heres a few other tools that i will probably add to it

ftimes http://ftimes.sourceforge.net/FTimes/index.shtml
fcheck and dirscan http://www.geocities.com/fcheck2000/download.html

interesting stuff................Will you be posting the way the disk was made..for exampe all the steps needed and in what order to make this disk

Cheers