Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Quote:
This is why I say for OPs to test the software they have questions about and decide on their own. Their own testing should weigh more than internet suggestions, IMO.
The OP asked "which is preferred" by the internet community. So, here is some original research:
Googled: linux aide hids good
940,000 results
Googled: linux tripwire hids good
427,000 results
So, based on this scientific method, it's official that AIDE is more preferred by the internet.
Last edited by szboardstretcher; 04-29-2011 at 02:04 PM.
Reason: Having some fun.
Quote:
Originally Posted by szboardstretcher
The OP asked "which is preferred" by the internet community. So, here is some original research:
Googled: linux aide hids good
940,000 results
Googled: linux tripwire hids good
427,000 results
So, based on this scientific method, it's official that AIDE is more preferred by the internet.
Yes, I know what the OP asked for. Preference might not get him what he wants in the end, though. There've been soooo many "what do you guys think of A vs B" on these forums that it is just flat-out crazy to assume that everyone will always be willing to offer their 2 cents without OPs doing a bit of homework first...right? Because you REALLY don't have any idea of the criteria that the OP may need to consider the product a good fit for his network environment.
A Google query on counted hits isn't a fair assessment, IMO. I fail to see what's scientific in relying on Google to show a hit count of what's preferred based on a few rather raw key words.
The LQ Sec forum should be attempting to educate people regarding security. The first step should be to push them to evaluate for themselves, also, based on the information they researched and asked about. Sort of similar to any advocacy program. It shouldn't have anything to do with preference, really. What it will come down to, if this place pushes preference, is that someone will ask for preference of a given security product, that someone installs it based on preference and without doing their own research or testing, then blame these forums later because we advocated the product that broke that someone's network. Some of the posts in this thread were really good, offering pros and cons. Others are, to be honest, not really informative.
I hope this isn't coming off as rude, because that's not the point. If all we were to do was give our preferences, we aren't really serving anything.
** Yeah, I saw you were having fun. Sorry I misinterpreted it a bit.
S'OK. I just wanted to inform that the security industry considers it to be a HIDS. In the raw sense, it is. Many US government agencies use Tripwire devices as HIDS. Although the features are limited, the agencies usually don't need something full-blown in such a tool, especially when they tend to interlace the network with other security tools that offer the capabilities they need.
The gist of it is that it depends on the user's needs. If all they need is file integrity checking and they already have a suite of tools that meets their needs in securing a network, Tripwire might just fit the bill. But to state that it isn't a HIDS because it isn't rich in features compared to similar tools...that's a bit of a reach. No offense. That's like saying that, compared to Sguil, BASE isn't a SEM because Sguil has more options. That's not quite fair.
Quote:
This is why I say for OPs to test the software they have questions about and decide on their own. Their own testing should weigh more than internet suggestions, IMO.
Yeah, I understand file integrity checkers are considered a HIDS by many. However, by that same definition, ClamAV, rkhunter, and a home made script that just checks whether a NIC is in promiscuous mode can be considered HIDS. Calling tripwire a File Integrity Checker/Verifier to me is just more accurate, and is used to distinguish it from software that is in another league like Samhain and OSSEC as far as capabilities.
I make the same kind of distinctions when talking about NIDS. I wouldn't like to call something like Ngrep or PADS used to detect attacks a NIDS either, because as far as features and capability go it can't compare with something like Snort.
Quote:
That's like saying that, compared to Sguil, BASE isn't a SEM because Sguil has more options. That's not quite fair.
Richard Bejtlich quote: "If you want to sort Snort alerts in a Web browser, BASE is great. If you want to use Snort alerts as one possible beginning of a network security investigation, Sguil is essential."
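The posts above turn on what a "file integrity checker" like Tripwire or AIDE actually does: record a baseline of hashes and metadata for a file tree, then re-walk the tree and report what was added, removed or modified. The following is an added example written for this thread, not code from Tripwire, AIDE or any poster; the directory layout, file names and tampering steps are constructed inline purely for illustration.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE (added example)."""
import hashlib
import os
import stat
import tempfile

# Attributes recorded per file. Real tools also track mtime/ctime/inode and
# may use several hash algorithms; this subset keeps the example short.
FIELDS = ("sha256", "mode", "uid", "gid", "size")


def _file_record(path):
    """Hash a regular file (or a symlink's target) and capture its metadata."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())  # hash the link target, not the file
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def snapshot(root):
    """Walk root and return {relative_path: record} for every file and symlink."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = _file_record(full)
    return db


def compare(baseline, current):
    """Return added/removed paths and, for changed paths, which fields differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [f for f in FIELDS if baseline[rel][f] != current[rel][f]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary contents")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")
        baseline = snapshot(root)

        # Simulated tampering. The replacement "binary" has the same length as
        # the original, so a size-only check would miss it; the hash catches it.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned binary contents")
        os.chmod(os.path.join(root, "passwd"), 0o666)   # permission change
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"dropped tool")                     # new file
        os.remove(os.path.join(root, "motd"))           # deleted file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Two things this toy version makes visible that matter in practice: the baseline database is only as trustworthy as where you keep it (Tripwire signs its database; AIDE users typically copy it off-host or to read-only media, because an intruder who can edit the baseline can hide every change), and a user-space hash walk sees only what the kernel shows it, which is exactly the gap between a file integrity checker and the fuller host monitoring that Samhain or OSSEC add.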
** Yeah, I saw you were having fun. Sorry I misinterpreted it a bit.
Looks like it. But that's not a crime.
Quote:
Originally Posted by unixfool
It shouldn't have anything to do with preference, really. What it will come down to, if this place pushes preference, is that someone will ask for preference of a given security product, that someone installs it based on preference and without doing their own research or testing, then blame these forums later because we advocated the product that broke that someone's network.
Then we are all going to have to get together and re-train the *entire* world, 5+ Billion People, to base decisions off of their own research, rather than other peoples opinions.
And, the paid version of Tripwire is my preference.
After reading about the paid version of Tripwire, it seems that aside from being a file integrity checker, it is a lesser version of SELinux and just another logger, an alternative to syslog. Am I wrong on this?
Also, Splunk is just a manager for log files that gives charts, GUIs, and logrotate-like functions. I don't think Splunk has much to do with being a file integrity checker or an IDS at all.
Splunk is nice. I will warn you though, if you use the trial version, and go over 500MB, it WILL DELETE ALL OLDER ENTRIES. So, you are really, really, really screwed if you were testing it in a production environment and got hacked and went over your limit. Just an FYI for anyone interested.
This is completely untrue. And in fact if you do go over your limit you get a warning message for the next 14 days. It does not delete any data and it does not stop indexing.
Quote:
After reading about the paid version of Tripwire, it seems that aside from being a file integrity checker, it is a lesser version of SELinux and just another logger, an alternative to syslog. Am I wrong on this?
Also, Splunk is just a manager for log files that gives charts, GUIs, and logrotate-like functions. I don't think Splunk has much to do with being a file integrity checker or an IDS at all.
Here are some videos on Splunk that show what it's for, but remember the free version is limited. This blog post shows how it's related to OSSEC.
I'm only saying OSSEC or OSSEC + Splunk is a possible solution that might work for you. Like what unixfool said, if Tripwire doesn't cut it, then it's up to you to try out other suggestions and decide which one works best in your environment.
Quote:
Then we are all going to have to get together and re-train the *entire* world, 5+ Billion People, to base decisions off of their own research, rather than other peoples opinions.
If the 5+ billion people visit here, yes. If the goal is to educate people, sooner or later, they're going to have to try things on their own. I know the LQ Sec forum charter...I know what the mods are looking for in making these forums THE security forum for Linux. There's nothing wrong with having posters conduct their own investigation as to what would be a preferred tool. Opinions are OK, but that's all they are, and I'm sure you know that saying about opinions. Sometimes, more than opinions are needed.
Can you imagine a place that had visitors that never conducted research before asking questions? Oh yeah...that's most of the internet forums! There's no reason why we can't be a bit different here.
You definitely can't just go off of opinion only when in a work environment...you'll eventually get fired or let go.