AIDE 0.15.12+squeeze and config file
Hi:
Before I start removing packages from Synaptic Package Mgr. I wanted to post this package because (think) it will be a help to my OS. This is what Synaptic gave in the description. Code:
AIDE 0.15. 1-2+squeeze1 Advancd Intrusion Detection Envirnment Static binary This package contains the statically linked binary for "normal" systems. You'll want to tweak the configuration file: etc/aide/aide.conf URL: http://sourceforge.net/project/aide What kinds of questions should I be going through to determine what packages I should install? And, what packages I should remove? I have an overwhelming amount of packages that are not installed and even though I read the descriptions sometimes I am unable to distinguish if they are really necessary or not. The other thing is that if I do install this AIDE for Intrusion Detection what exactly would I add to the config file that is associated with this application? This http://sourceforge.net is not in my sources.list; is it trustworthy? |
Quote:
Quote:
Quote:
Quote:
Code:
# The location and names of the databases and compression: * Do note that for AIDE to be effective you have to have a necessity for running it and your have to realize it is a passive, post-incident auditing tool. Passive here means it requires you to run it manually or using a cron job (compare with Samhain which runs as a daemon) and post-incident here means it does not prevent anything and can only alert you after the fact. The latter means the emphasis should be on prevention (machine hardening, binary, configuration file and database backup to detached, trusted media, use in conjunction with other auditing methods). Luckily distributions come with loads of documentation and Debian is home to one of the oldest but still relevant ones: the Securing Debian Manual. To gauge if the investment required is worth it ask yourself this simple question: in the event of a (perceived) breach of security, how much is an audit trail worth? Quote:
|
unSpawn:
You throughout answered my questions and provided me with what I needed: ie:) -aide@cs.tut.fi the mailing list; archives - the Debian website; Securing Debian Manual -Information regarding the configuration file -Emphasis on prevention And other good instruction and advice that I needed to hear; Thank You An audit to me is worth more than gold to me. I'm not in favor to vulnerabilities as I'm sure your not either. Which leads me to what you cautioned me on: Code:
which doesn't tell you about the integrity of a package's content I acknowledge the "no ironclad guarantee" It is tho my hope that Official repositories are good. I can't imagine a deliberate attempt to corrupt files but if I've learned anything from life; anything is possible- I will go and learn more about: Code:
AFAIK & IMNSHO You have been a good help to me again; Thank you:hattip: |
AFAIK- as far as I know...
And IMNSHO- in my not so humble opinion...got it- Perhaps I expect to much; but IMO they (Debian)should make authoritative order/injunctions over packages. But; I also don't have government experience. |
Quote:
Quote:
|
Indeed for now my machine is just a client so I don't have much concern for caution.
However, when I am ready to put my work online to make my living I will have to perform tasks and put emphasis on what I have learned from you today. I receive notification from Debian Security on a regular bases through e-mail so I feel I've made a good practice with that- I now am confident and well educated (thanks to you) to open Synaptic Package Manager and start making appropriate choices. You said: " Being able to use different verification methods will allay suspicions and establish validity for the other 1%" If there is more than one way to verification I will resuscitate that when I am finished building my online business website. You are good at what you do unSpawn; the time you have taken to teach me what I needed to learn is appreciated; Thank You |
Quote:
Quote:
Quote:
Quote:
- Distribution, repository and package GPG-sig checking (also see sig revocation), - package hash and package content hash check, - package (content) (hash) check against packages downloaded from different mirrors, - package contents diff against official CVS/GIT/whatever else source, - CVS/GIT/whatever else commit logs (see the kernel.org explanation), - asking distro / infrastructure SO's, repo maintainers, software developers or fellow users, - running the package in a sandbox (file system and network access, tracing system calls), - "odd" system log messages, * I'm probably forgetting something. When using official packages you'll enable whatever verification your distributions package management offers and you'll implicitly trust the distro or repo owner to act responsibly. Which options you choose is best dictated by the situation. If you think something is odd then it is your responsibility to check things out (and that includes ignoring sheeple who tell you "not to worry", "think everything is OK" or call something "overly paranoid" w/o backing up their claims with accurate, authoritative, factual information). |
Yes, indeed, I do make backups.
And like you said and I'm not just agreeing because you've mentioned it but I have made an investment. A very big investment one I've dedicated myself to for the last 12 years; 3 in which using Linux has greatly improved my skills. GIMP will be my number one application when I open my new Studio and I'll let you know when I start up the project. Starting a new business and using Linux to do it is going to be amazing! You said:;" If you think something is odd then it is your responsibility to check things out (and that includes ignoring sheeple who tell you "not to worry", "think everything is OK" or call something "overly paranoid" w/o backing up their claims with accurate, authoritative, factual information)." This to me is a Big Red Flag that something is Not Right and all the more reason for me to investigate. |
Quote:
And see if the library has "Maximum Linux Security" Attackers Guide To Protecting Your Linux Server And Network" ISBN 0672313413 July 1999. I think it's paperback- |
I'm not a security expert, but I always install rkhunter right after performing a fresh install and configure it to update the files properties database every time dpkg/apt-get/aptitude/synaptic run. This way I can know if a file has been altered without the package managers' intervention (and it can also scan for known rootkits).
Of course, it alone may not be 100% infallible, but I think it may be used in combination with other tools and the methods suggested above by unSpawn. |
This "rkhunter" is new to me. I'll look in Synaptic and see if it's there.
I'll have to learn more about the how to configure applications in order to do as you have. I'm still going through the learning process. Thanks |
You can install it through Synaptic, and after installing it (and having closed Synaptic), execute (as root):
Code:
dpkg-reconfigure rkhunter Code:
rkhunter --propupd Code:
rkhunter -c |
Odiseo:
I wrote down your instructions and know what to do now if Code:
rkhunter gives a false positive Thank You |
If you get some warning with rkhunter, you shouldn't automatically assume that it is a false positive. In my case, I supposed it was a false positive because I received this warning in a freshly installed system with little chances of being infected and a web search returned some info suggesting this (link). If in doubt, it's always better to investigate or resort to the forum (LQ has a security subforum).
Regards. |
Ok; now I understand; It is not wise to assume and when I have doubt or am suspicious I will investigate.
The last thing I want (I'm sure I speak for many) is a breach in security. Thank you for helping me; have a good weekend. Sincerely, Ztcoracat |
All times are GMT -5. The time now is 04:09 PM. |