LinuxQuestions.org

Linux - Security: Aide or Tripwire? (https://www.linuxquestions.org/questions/linux-security-4/aide-or-tripwire-877647/)

dman777 04-28-2011 11:03 AM

Aide or Tripwire?
 
Which one is more preferred, Aide or Tripwire? Doing some googling I found posts on one versus the other, but the posts were really old and outdated.

unixfool 04-28-2011 11:40 AM

Quote:

Originally Posted by dman777 (Post 4339532)
Which one is more preferred, Aide or Tripwire? Doing some googling I found posts on one versus the other, but the posts were really old and outdated.

The best way to make an informed decision on which is better would be to install both (on separate systems, of course). Monitor their performance, compare results, and decide.

imitheos 04-28-2011 12:27 PM

Quote:

Originally Posted by unixfool (Post 4339571)
The best way to make an informed decision on which is better would be to install both (on separate systems, of course). Monitor their performance, compare results, and decide.

+1

I liked aide better than tripwire, but as unixfool said try them and decide for yourself. Also another good choice is samhain.
Quote:

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.
As you see it does many other things besides integrity checking and it is very good. Try this one too.

dman777 04-28-2011 07:48 PM

The thing that bothers me about aide is that the db file isn't really protected and they suggest keeping it on a separate device along with its bin files for protection. From what I read, Tripwire requires a key for its db and it's also encrypted. Has Aide updated to this also?

Isn't Samhain a fork of Snort? I was planning on installing snort, so it wouldn't make sense to have them together, right?

unixfool 04-29-2011 08:07 AM

Quote:

Originally Posted by dman777 (Post 4340040)
Isn't Samhain a fork of Snort?

No. There's no relation between Snort and Samhain.

nomb 04-29-2011 09:27 AM

Quote:

Originally Posted by dman777 (Post 4340040)
The thing that bothers me about aide is that the db file isn't really protected and they suggest keeping it on a separate device along with its bin files for protection. From what I read, Tripwire requires a key for its db and it's also encrypted. Has Aide updated to this also?

There are ways to get the same functionality out of aide.

However, I would say that, encrypted or not, your database should be kept on read-only media and stored safely.

nomb

P.S. - I do want to +1 samhain though. Or Osiris if you want to be able to handle it from a server/client perspective.

szboardstretcher 04-29-2011 09:40 AM

Quote:

Originally Posted by unixfool (Post 4339571)
The best way to make an informed decision on which is better would be to install both (on separate systems, of course). Monitor their performance, compare results, and decide.

Hmm. Sounds like the school of Thomas Edison.

As far as the debate... Tripwire has a full-out commercial version, http://www.tripwire.com/, which really puts AIDE to shame.

But, as for me, I use AIDE because I can't afford that expensive crap. Plus, I never install aide ON the computer that I run it on. I always transfer a fresh copy over to run and spit out a database, and compare it to a known good one. I do this because really, if you are a 3LiT3 HaX0R, the first thing you will notice is that crontab -l has /bin/aide in it, which would lead you to modify that /bin/aide to ignore any changes it finds and spit out an "Everything is OK" message.

So, TripWire is WAYYYYYYYYYYYYYYYY better, if you pay for it. But Aide is small and portable and gets part of the job done.

dman777 04-29-2011 09:54 AM

Quote:

Originally Posted by szboardstretcher (Post 4340715)
Hmm. Sounds like the school of Thomas Edison.

As far as the debate... Tripwire has a full-out commercial version, http://www.tripwire.com/, which really puts AIDE to shame.

But, as for me, I use AIDE because I can't afford that expensive crap. Plus, I never install aide ON the computer that I run it on. I always transfer a fresh copy over to run and spit out a database, and compare it to a known good one. I do this because really, if you are a 3LiT3 HaX0R, the first thing you will notice is that crontab -l has /bin/aide in it, which would lead you to modify that /bin/aide to ignore any changes it finds and spit out an "Everything is OK" message.

So, TripWire is WAYYYYYYYYYYYYYYYY better, if you pay for it. But Aide is small and portable and gets part of the job done.

I went ahead with aide since it was free and it seems to have the same options (except an encrypted database) as the open source tripwire (maybe a few more options really, since tripwire made the open version pretty bare).

I see your point and that is what I was concerned about. What I did was I transferred the aide config file, binary (I run this copy), and database to a thumb drive and just plug it in and do a check/update when I feel like it (personal home PC). Does this sound like a good solution?

I wouldn't mind trying samhain out if gentoo would make a working ebuild for it. Samhain seems to leave the commercial version of tripwire in the dust (unless I'm misreading the features).
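The approach discussed above (a baseline of file hashes and attributes, a database that cannot be silently edited because it is protected by a key kept off the monitored host, and a checker binary that is itself verified against a known-good copy before its report is trusted) can be shown in a small self-contained script. This is an added illustration written for this thread, not code from AIDE, Tripwire, Samhain or any poster; the key, the pinned hash, the monitored tree and the simulated changes are all constructed here, and the HMAC-tagged JSON database is this example's own format, not AIDE's or Tripwire's.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

ALGO = "sha256"

def sha256_file(path):
    """Stream the file through SHA-256 (no full read into memory)."""
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path):
    """Per-path attributes: permission bits, size, mtime, plus hash or symlink target."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = sha256_file(path)
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec

def build_baseline(root):
    """Walk root without following symlinks; key every entry by path relative to root."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = file_record(full)
    return records

def write_baseline(path, records, key):
    """Canonical JSON body followed by an HMAC tag made with the key kept off-host (constructed format)."""
    body = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, ALGO).hexdigest()
    with open(path, "wb") as f:
        f.write(body + b"\n" + tag.encode() + b"\n")

def read_baseline(path, key):
    """Return the records only if the tag verifies; an altered database or wrong key raises."""
    with open(path, "rb") as f:
        body, tag = f.read().rstrip(b"\n").rsplit(b"\n", 1)
    expected = hmac.new(key, body, ALGO).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline tag mismatch: database altered or wrong key")
    return json.loads(body)

def compare(baseline, current):
    """Diff two baselines into added, removed and changed relative paths."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}

def tool_is_pristine(tool_path, pinned_sha256):
    """Verify the checker binary against a hash pinned next to the key before trusting its report."""
    return hmac.compare_digest(sha256_file(tool_path), pinned_sha256)

def demo():
    """Constructed end-to-end run in a temp tree: (diff report, db tamper caught, tool tamper caught)."""
    key = b"constructed-demo-key-kept-on-removable-media"  # assumption: key lives on the thumb drive
    with tempfile.TemporaryDirectory() as tmp:
        root, tool, db = (os.path.join(tmp, n) for n in ("etc", "checker", "baseline.db"))
        os.makedirs(os.path.join(root, "sub"))
        files = {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n",
                 "checker": b"#!/bin/sh\necho checker\n"}  # constructed sample tree and tool
        for rel, data in files.items():
            with open(os.path.join(tmp, rel), "wb") as f:
                f.write(data)
        pinned = sha256_file(tool)
        write_baseline(db, build_baseline(root), key)
        # Simulated drift on the monitored tree: one file edited, one removed, one added.
        with open(os.path.join(root, "passwd"), "ab") as f:
            f.write(b"newuser:x:1001:1001\n")
        os.remove(os.path.join(root, "hosts"))
        with open(os.path.join(root, "sub", "new.conf"), "wb") as f:
            f.write(b"x=1\n")
        report = compare(read_baseline(db, key), build_baseline(root))
        # Simulated tampering: one byte of the database body altered, then the checker replaced.
        with open(db, "r+b") as f:
            f.write(b"[")
        try:
            read_baseline(db, key)
            db_tamper_caught = False
        except ValueError:
            db_tamper_caught = True
        with open(tool, "wb") as f:
            f.write(b"#!/bin/sh\necho 'Everything is OK'\n")
        tool_tamper_caught = not tool_is_pristine(tool, pinned)
    return report, db_tamper_caught, tool_tamper_caught
```

The two checks at the end are the point of the thread: a baseline whose tag does not verify is refused rather than used, and a checker whose hash no longer matches the pinned value is not trusted to say "Everything is OK". An HMAC only gives integrity, not confidentiality, so anyone who can read the database still learns which paths are monitored; if that matters, encrypt the file as well, and keep the key and the pinned hash on the same removable or read-only media as the checker, never on the monitored host.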

OlRoy 04-29-2011 11:32 AM

Tripwire AFAIK is just a file integrity checker. Samhain is a Host-based Intrusion Detection System. An alternative to Samhain is OSSEC, which is another open source HIDS.

szboardstretcher 04-29-2011 11:56 AM

Quote:

Originally Posted by OlRoy (Post 4340858)
Tripwire AFAIK is just a file integrity checker. Samhain is a Host-based Intrusion Detection System. An alternative to Samhain is OSSEC, which is another open source HIDS.

OSSEC's dashboard is a laugh though. It hasn't been updated in 3 years, and is pretty useless.

Samhain's Web Interface is spiffy though.

Actually, OSSEC's dashboard is the closest thing to completely pointless as tatas on a tree.

OlRoy 04-29-2011 12:22 PM

Quote:

Originally Posted by szboardstretcher (Post 4340885)
OSSEC's dashboard is a laugh though. It hasn't been updated in 3 years, and is pretty useless.

Samhain's Web Interface is spiffy though.

Actually, OSSEC's dashboard is the closest thing to completely pointless as tatas on a tree.

You're right in that OSSEC has pretty much abandoned their "dashboard," but they've done so in favor of using things like Splunk or SGUIL instead. I haven't tried Samhain, maybe I should. It looks like it has come a long way.

szboardstretcher 04-29-2011 12:26 PM

Quote:

Originally Posted by OlRoy (Post 4340922)
You're right in that OSSEC has pretty much abandoned their "dashboard," but they've done so in favor of using things like Splunk or SGUIL instead. I haven't tried Samhain, maybe I should. It looks like it has come a long way.

Splunk is nice. I will warn you though, if you use the trial version, and go over 500MB, it WILL DELETE ALL OLDER ENTRIES. So, you are really, really, really screwed if you were testing it in a production environment and got hacked and went over your limit. Just an FYI for anyone interested.

Thanks for mentioning SGUIL. That looks like a decent program for analysis.

unixfool 04-29-2011 01:02 PM

Quote:

Originally Posted by OlRoy (Post 4340858)
Tripwire AFAIK is just a file integrity checker. Samhain is a Host-based Intrusion Detection System. An alternative to Samhain is OSSEC, which is another open source HIDS.

Tripwire is actually considered a HIDS. It monitors for system changes. Checking for file integrity is still monitoring system changes. Samhain and the others just use different methods of detecting changes. They're all HIDS, as they monitor for intrusions on the hosts they're installed on.

OlRoy 04-29-2011 01:22 PM

@szboardstretcher I forgot to mention that limit on the free version of Splunk, thanks.

@unixfool Maybe, but file integrity checking is just one way to monitor a host's security. Tripwire just seems too limited and calling it a HIDS to me is kind of like calling AV software a HIDS. Personally, I just think of a HIDS as having more functionality than just file integrity or just AV scanning. It's really just semantics, though.

unixfool 04-29-2011 01:57 PM

Quote:

Originally Posted by OlRoy (Post 4340994)
@szboardstretcher I forgot to mention that limit on the free version of Splunk, thanks.

@unixfool Maybe, but file integrity checking is just one way to monitor a host's security. Tripwire just seems too limited and calling it a HIDS to me is kind of like calling AV software a HIDS. Personally, I just think of a HIDS as having more functionality than just file integrity or just AV scanning. It's really just semantics, though.

S'OK. I just wanted to inform that the security industry considers it to be a HIDS. In the raw sense, it is. Many US government agencies use Tripwire devices as HIDS. Although the features are limited, the agencies usually don't need something full-blown in such a tool, especially when they tend to interlace the network with other security tools that offer the capabilities they need.

The gist of it is that it depends on the user's needs. If all they need is file integrity checking and they already have a suite of tools that meets their needs in securing a network, Tripwire might just fit the bill. But to state that it isn't a HIDS because it isn't rich in features compared to similar tools... that's a bit of a reach. No offense. That's like saying that, compared to Sguil, BASE isn't a SEM because Sguil has more options. That's not quite fair.

This is why I say for OPs to test the software they have questions about and decide on their own. Their own testing should weigh more than internet suggestions, IMO.
