Monitoring changes to core FreeBSD

[balanga]

Is there any way to monitor changes to the core OS which was installed? ie any changes to the filesystem excluding /mnt /root /usr/local /var

 

[unitrunker]

Do you mean freebsd-update?

 

[balanga]

No, I don't want to update, I just want to see what, if anything has changed since the initial installation.

I realise that /etc/passwd /etc/fstab and /etc/rc.conf are likely to have been changed, but was wondering if it is possible to compile a list.

 

[unitrunker]

There's a daily or weekly security cron job that reports on some files. I don't know how comprehensive this is or if the scope can be expanded to cover more.

freebsd-update tells you what it is about to change - which is pretty much everything. There is also an IDS feature.

Chapter 26. Updating and Upgrading FreeBSD

Information about how to keep a FreeBSD system up-to-date with freebsd-update or Git, how to rebuild and reinstall the entire base system, etc

www.freebsd.org

See 23.2.4

May want to store the baseline elsewhere.

 

[balanga]

There's a daily or weekly security cron job that reports on some files. I don't know how comprehensive this is or if the scope can be expanded to cover more.

May want to store the baseline elsewhere.

I wonder if FreeBSD contains a baseline somewhere when it installs... or maybe I should create one on installation...although not sure how - maybe using mtree()....

 

[unitrunker]

Was I not clear?

# freebsd-update IDS > baseline.ids

 

[Lamia]

You may also want to check rkhunter, aide and the likes. These are all IDS/IPS solutions including the ones mentioned by others. I understand that you are not being specifically looking for such systems though. But they tell you want changes occur in your machine at an interval.