What's your favorite host-based security tool?

--jeremy

Rootkit Hunter, not that it gets used a lot.

Sorry, yes none of these get used "A Lot", in my world.

Then again, as we Linux User's communicate with Window's Users I feel we have a responsibility to 'keep clean'.

I have installed, and have at times used Avast! for Linux (Free), as insurance.
http://www.avast.com/linux-home-edition

Then again there is a case that Window's users would supposedly be well secured just by the nature of their hostile environment, so nothing installed from the list at the moment !

Bastille you sure? I think is dead...SNARE may be would be here... Osiris still alive? I don't use in a long time since I changed to OSSEC. My vote is for OSSEC, certainly I used AIDE too.

Ohh! man I was searching for this because currently I'm working on AIDE, Samhain and OSSEC

To be honest AIDE is really good but it's old and it comes to Samhain and OSSEC.
Personally both of them are good and have centralised server and monitor it's client.

As far as I'm familiar. I would choose samhain and OSSEC is not that user friendly.
But let's not forget SElinux as well but I vote for samhain......

I like SELinux. So many people see it as just a hassle and turn it off, but if you take the time to learn it, it's a useful tool.

SELinux is useful to me because it forces me to think through things and secure things in a way that makes sense. SELinux doesn't so much prevent intrusion as much as it forces me to set up services in a way that is secure in the first place. If you do something stupid, SELinux will most likely catch it.

I really tried learning SELinux. I just can't wrap my head around the conceptualization the wiki and SELinux book from the wiki feed you. This nonsense about recipes... it makes it harder to translate to practical working knowledge.

However if you know a better source then I would most definitely take another look since I do happen to like SELinux.

It's hard to say what resources I used to learn SELinux. I've been running it since Fedora core 2.

It's mostly just about contexts. The context on the file must match what you're doing with the file.

You might try running SELinux in non-enforcing mode ('setenforce 0') and examine file contexts. Do this with 'ls -Z'. For instance everything in /var/www/html has the context:

system_u:object_r:httpd_sys_content_t:s0

The last part is usually the only thing that's important: 'httpd_sys_content_t'. Apache can't serve any content that doesn't have this type set, even if it has read access. If you copy a file to /var/www/html, context should be set for you automatically. If not, you can do 'chcon <file> -t httpd_sys_content_t' to fix it. Or you can do 'restorecon <file>' to set the context to whatever is appropriate for the directory it's in.

Other than contexts, there are boolean variables that you need to mess with very occasionally. For instance if you want your ftp server to be able to allow anonymous users to save files you need to do 'setsebool allow_ftpd_anon_write 1'. To find ftp related booleans, do 'getsebool -a | grep ftp.' They're usually pretty self explanatory.

That's most of what you need to know. If you check the logs (/var/log/secure on Red Hat/CentOS) it'll help with problems as well.

+1 for Samhain. Been using it for many years now and I think the best at what it does.

What about things like Fail2ban?

I know it's basic compared to many suites, but it's power is in the simplicity.

[edit]

Just spotted there's another category with fail2ban in it....

Never used any, skip.

Tripwire

Always SELinux as I use Red Hat and best for support..