LinuxQuestions.org

helptonewbie 08-29-2008 01:40 AM

Does anybody/has anybody used Samhain.. a HIDS similar to Tripwire
 
Hi All,
I've been looking for quite some time for a HIDS like Tripwire, but also to know if there are better alternatives or if everyone just uses Tripwire. I'm not paying out for the enterprise version of Tripwire and just wondered what other people who use HIDSs have done, and if you've tried Samhain?

i.e. what is it like... what's your preferred, if any?

Cheers

aus9 08-30-2008 12:15 AM

You may have better luck searching the security forum?
Or the security references sticky at the sec forum?

unSpawn 08-30-2008 04:49 AM

Tripwire doesn't compare to *anything* anymore in terms of license, development or whatever other criteria. I'd like to divide this type of filesystem integrity checker into passive and active applications: Aide could be a replacement in terms of ease of configuration and execution speed, but it is passive, meaning you have to schedule runs. For alternatives see Osiris or Integrit. Samhain is a daemon, a continuously running process, and offers features most others don't have, like its own LKM for checking kernel structures, a client-server setup, integrity checking and protection of itself using process hiding, encryption and steganography. Which one you choose could depend on 0) the purpose of the machine (who accesses what), 1) what security posture the machine already has (hardening) and 2) auditing requirements and maintenance trade-offs (for instance Samhain's LKM needs to be recompiled for each kernel upgrade).

reddazz 08-31-2008 02:44 AM

Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.

helptonewbie 09-12-2008 12:43 PM

Hi unSpawn, thanks for the info... there's one there (Osiris) that I've not even heard of yet, so I'll take a look at that too.

Thanks


All times are GMT -5.