LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

06-06-2003, 12:50 PM   #1
pk21 (Member; Registered: Jun 2002; Location: Netherlands - Amsterdam; Distribution: RedHat 9; Posts: 549)

Tripwire

I'm looking for an IDS system to check my servers every day for changes. I already have Snort looking at network traffic. I was planning to implement Tripwire on a read-only protected floppy, but I noticed that isn't a very good policy to manage 28 servers.
Does anyone have an idea of an easy-to-change-and-install IDS program to check my systems frequently?
 
06-07-2003, 06:53 AM   #2
unSpawn (Moderator; Registered: May 2001; Posts: 26,943; Blog Entries: 54)

You could raise your mana by having a central server which holds the signature databases (read-only partition, CD-RW). AFAIK Samhain is the only package to offer that server-client model feature w/o helper apps. AIDE can, using "ICU", and Tripwire seems to have a similar package.
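To make the model in the reply above concrete (a baseline of file hashes kept somewhere the monitored host cannot write, checked daily from cron), here is an added example in bash. It is not Samhain, Tripwire or AIDE code, and none of those projects use it; it only shows the core of what such a tool does: snapshot content hash plus mode/owner per file, store that as the baseline, and on each later run report files that were added, removed or modified. It assumes GNU coreutils (`sha256sum`, `stat -c`) and bash 4.4 or newer (associative arrays under `set -u`); the function names `fim_snapshot`, `fim_baseline` and `fim_check` are mine.

```bash
#!/usr/bin/env bash
# Minimal file-integrity checker in the spirit of Tripwire/Samhain/AIDE.
# Added example for this thread, not code from any of those projects.
# Assumes GNU coreutils (sha256sum, stat -c) and bash >= 4.4.
set -u

# Emit one record per regular file under $1:
#   "<sha256> <mode>:<uid>:<gid> <path>"
# sorted by path, so two snapshots can be compared line by line.
fim_snapshot() {
    local root=$1
    find "$root" -type f -print0 | sort -z |
    while IFS= read -r -d '' f; do
        printf '%s %s %s\n' \
            "$(sha256sum -- "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a:%u:%g' -- "$f")" \
            "$f"
    done
}

# Write the baseline for directory $1 to file $2.
# In production $2 lives on read-only media or on a central server that the
# monitored host cannot write to; here it is just a file path.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare a fresh snapshot of $1 against baseline $2.
# Prints one sorted line per change (ADDED/REMOVED/MODIFIED <path>).
# Returns 0 if nothing changed, 1 otherwise (so cron can mail on failure).
fim_check() {
    local root=$1 baseline=$2
    local -A base_hash base_meta cur_hash cur_meta
    local h m p out=""

    # Paths are the last field, so 'read' keeps any internal spaces in them.
    while read -r h m p; do base_hash[$p]=$h; base_meta[$p]=$m; done < "$baseline"
    while read -r h m p; do cur_hash[$p]=$h;  cur_meta[$p]=$m;  done < <(fim_snapshot "$root")

    for p in "${!base_hash[@]}"; do
        if [[ -z ${cur_hash[$p]+x} ]]; then
            out+="REMOVED $p"$'\n'
        elif [[ ${cur_hash[$p]} != "${base_hash[$p]}" ]]; then
            out+="MODIFIED $p (content)"$'\n'
        elif [[ ${cur_meta[$p]} != "${base_meta[$p]}" ]]; then
            # Same bytes, but permissions or ownership changed (e.g. a new setuid bit).
            out+="MODIFIED $p (mode/owner ${base_meta[$p]} -> ${cur_meta[$p]})"$'\n'
        fi
    done
    for p in "${!cur_hash[@]}"; do
        [[ -z ${base_hash[$p]+x} ]] && out+="ADDED $p"$'\n'
    done

    [[ -z $out ]] && return 0
    printf '%s' "$out" | sort
    return 1
}

# Usage (hypothetical paths):
#   fim_baseline /usr/sbin /mnt/cdrom/baseline.txt   # once, then burn/lock the baseline
#   fim_check    /usr/sbin /mnt/cdrom/baseline.txt   # daily from cron; non-zero exit = changes
```

Two caveats a practitioner would want: the script and the shell it runs under must themselves come from trusted, read-only media, otherwise an intruder who replaces `sha256sum` or the checker defeats the check (the reason for the floppy/CD-RW in the thread); and, like any cron-driven checker, this one reports the same change on every run until you re-baseline, which is the difference from a daemon that remembers what it has already reported.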
 
06-07-2003, 08:54 AM   #3
pk21 (Original Poster)

OK, thanks. I will check this out.
 
06-08-2003, 08:34 AM   #4
pk21 (Original Poster)

Samhain looks cool, but there isn't an RPM for it. Do you know any more of those kinds of programs? Because I'd rather use an RPM.
 
06-08-2003, 09:37 AM   #5
unSpawn (Moderator)

Coincidentally I helped someone a while ago on the rpm mailing list to build the spec file for Samhain:

Code:
Summary: File integrity and host-based IDS
Name: samhain
Version: 1.6.6
Release: 1
License: GPL
Group: System Environment/Base
Source: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Provides: %{name}

%description
samhain is an open source file integrity and host-based intrusion
detection system for Linux and Unix. It can run as a daemon process,
and thus can remember file changes -- contrary to a tool that runs from
cron, if a file is modified you will get only one report, while
subsequent checks of that file will ignore the modification as it is
already reported (unless the file is modified again).

samhain can optionally be used as a client/server system to provide
centralized monitoring for multiple hosts. Logging to a (MySQL or
PostgreSQL) database is supported.

This package contains only the single host version.

%prep
%setup -q

%build
# Optional self-tests of the source tree:
# for i in `seq 7`; do ./test.sh $i; done
#
# Configure with the *final* paths. Passing ${RPM_BUILD_ROOT} to --prefix,
# --sysconfdir and --localstatedir would compile the build-root path into
# the binary, so the installed samhain would look for its samhainrc and
# data files under the build root at run time.
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --mandir=/usr/share/man
make

%install
rm -rf ${RPM_BUILD_ROOT}
# Stage the install into the build root. This assumes the Makefile honours
# DESTDIR; if a given release does not, fall back to configuring with the
# build-root paths and stripping them with sed, as the original spec did.
make install DESTDIR=${RPM_BUILD_ROOT}
# Keep the install helper and the init script under /var/lib/samhain so the
# boot-time hooks can be installed/removed from %post and %preun.
install -d -m 700 ${RPM_BUILD_ROOT}/var/lib/%{name}
install -m 700 samhain-install.sh ${RPM_BUILD_ROOT}/var/lib/%{name}/samhain-install.sh
install -m 700 samhain.startRedHat ${RPM_BUILD_ROOT}/var/lib/%{name}/samhain.startRedHat

%clean
rm -rf ${RPM_BUILD_ROOT}

%post
# Activate boot-time start up
cd /var/lib/%{name} && ./samhain-install.sh --verbose install-boot

%preun
# remove boot-time scripts and links
cd /var/lib/%{name} && ./samhain-install.sh --verbose uninstall-boot

%postun
# remove any kernel modules that might have been installed
RVER=`uname -r`
rm -f /lib/modules/$RVER/samhain*

%files
%defattr(-,root,root)
%doc BUGS COPYING Changelog TODO
%doc LICENSE MANUAL-1_5.*.tgz README*
/var/lib/%{name}
/usr/sbin/%{name}
%attr(644,root,root) /usr/share/man/man5/samhain*.gz
%attr(644,root,root) /usr/share/man/man8/samhain*.gz
# noreplace: an upgrade must not overwrite a locally edited policy file
%config(noreplace) /etc/samhainrc

%changelog
* Mon Dec 16 2002 Andre Oliveira da Costa <brblueser@uol.com.br> 1.6.6
- First attempt to build from sources
 
06-08-2003, 09:43 AM   #6
pk21 (Original Poster)

great, thanks!
I will test this tomorrow.
 
  

