LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-01-2012, 11:08 AM   #1
juniperguy28
LQ Newbie
 
Registered: Sep 2012
Location: Walnut Creek CA
Posts: 2

Has anyone used Logwatch?


I am looking for some software to assist in discovering whether one of my Linux servers has been compromised. I use Tripwire and I am interested in other software that would be an additional asset. I would greatly appreciate any suggestions you might have. I meant to say Logwatch, sorry about that.

Thanks

Last edited by juniperguy28; 09-01-2012 at 11:11 AM. Reason: Misspelling of logwatch
 
Old 09-01-2012, 12:08 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by juniperguy28 View Post
discovering whether one of my Linux servers has been compromised.
- What makes you think or what "evidence" do you have it's been compromised?
- Did one of these servers get compromised before?
- What's the OS, distribution, version?
- What (publicly accessible) services does the machine provide or what purpose does it serve?
- Is all system software up to date?
- If it runs a web server is all 'net facing software, especially running in the web stack and including any 3rd party plugins, current?
* Are there implicit or explicit trust relationships between servers in terms of network and access restrictions, accounts, etc?
** Are you aware of the (aging but still useful) CERT Intruder Detection Checklist?

Logwatch scours system and daemon logs and reports warnings, errors and everything else anomalous that it's got filters configured for. It's a good aid wrt prevention but also reports leads in case of a (perceived) breach. Whatever tools you use depends on what "evidence" you have, but for me at least the first and leading rule is to avoid disturbing the "crime scene" by killing processes, deleting stuff without first recording details, or installing software, and to get data off the machine as securely and quickly as possible. Best use a machine in a different location as the workstation to process logs and network data on. If you can answer the above questions, as verbosely as possible please, that would be helpful.
 
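An added example, not part of the thread and not Logwatch's own code, of what the reply above means by a log filter "reporting leads": a minimal Logwatch-style digest of sshd lines in POSIX sh and awk. SAMPLE_AUTH_LOG is a constructed auth.log excerpt (hostname, PIDs and addresses are made up; the addresses come from the documentation ranges). The third section is the one worth chasing on a possibly compromised box: a successful login from a source that had just been failing repeatedly.

```shell
#!/bin/sh
# Added example: a Logwatch-style sshd digest in POSIX sh + awk.
# SAMPLE_AUTH_LOG is constructed sample data, not real logs.
SAMPLE_AUTH_LOG='Sep  1 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep  1 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep  1 10:01:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep  1 10:01:12 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51049 ssh2
Sep  1 10:01:15 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51055 ssh2
Sep  1 10:01:20 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Sep  1 10:30:44 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40012 ssh2: RSA SHA256:constructedfingerprint
Sep  1 11:02:13 web1 sshd[2401]: Failed password for alice from 198.51.100.3 port 33001 ssh2
Sep  1 11:02:40 web1 sshd[2403]: Accepted password for alice from 198.51.100.3 port 33002 ssh2'

# Count "Failed password" events per source address, busiest first.
# stdin: syslog-format sshd lines; stdout: "<count> <ip>" per source.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usernames tried against accounts that do not exist (a brute-force signature).
# stdout: "<count> <username>" per name, as produced by uniq -c.
invalid_users() {
    awk '/sshd\[[0-9]+\]: Failed password for invalid user/ {
             for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
         }' | sort | uniq -c | sort -rn
}

# The lead: an "Accepted" login from a source that had already failed at least
# $1 times (default 3) earlier in the same log. Order matters, so the failures
# are counted as the log is read and checked when the Accepted line arrives.
success_after_failures() {
    awk -v thr="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
            next
        }
        /sshd\[[0-9]+\]: Accepted / {
            ip = ""; user = ""; method = $7          # "password" or "publickey"
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
            }
            if (ip != "" && fail[ip] >= thr)
                print ip, user, method, "after", fail[ip], "failures"
        }'
}

# Digest in the spirit of one Logwatch report section. Reads the log on stdin.
ssh_digest() {
    log=$(cat)
    printf '== Failed sshd logins by source ==\n'
    printf '%s\n' "$log" | failed_by_source
    printf '== Invalid usernames tried ==\n'
    printf '%s\n' "$log" | invalid_users
    printf '== Accepted logins preceded by %s+ failures from the same source ==\n' "${1:-3}"
    printf '%s\n' "$log" | success_after_failures "${1:-3}"
}

# On a real host you would feed /var/log/auth.log or /var/log/secure instead,
# ideally a copy taken off the machine as the reply recommends.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_digest 3
```

The digest is deliberately stateless per run, like a daily Logwatch report; a five-failure-then-success pattern that spans two daily reports is invisible to it, which is the kind of gap a correlation tool (SEC, OSSEC) exists to close.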
Old 09-01-2012, 12:21 PM   #3
juniperguy28
LQ Newbie
 
Registered: Sep 2012
Location: Walnut Creek CA
Posts: 2

Original Poster
Regarding Logwatcher

Hello unSpawn,

Thank you for your input. I don't have an issue yet but wanted to have a set of tools available in case my server started acting strangely so that I could make a determination as to whether it was compromised or not.

Thanks again.
 
Old 09-01-2012, 01:30 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Ah, OK. I'd say implement preventive measures first. Ensuring you keep everything up to date and only expose what's absolutely necessary, and this goes for the hard outside as well as the chewy inside, minimizes your attack surface (see your distribution's security documentation, GNU/Tiger, OVAL tools, msec, debscan, etc, etc). Having baseline data, meaning package management or integrity verification configuration, binaries and database regularly verified and backed up to a known safe remote location, ensures you have a sound basis to, ahh, base audits on (AIDE, Samhain, md5deep, ausearch / aureport). Having proper access controls (audit rules, password strength and aging, PAM, firewall, SSH pubkey auth, Sudo, Rootsh, fail2ban, mod_security, reverse proxying, Snort or another IDS, whatever else service-specific software, etc, etc) will, together with any active auditing in place, generate enough log entries to be informed in advance (Logwatch, SEC, OSSEC, petit, etc, etc). Finally, actually testing the outside surface (nmap, OpenVAS, etc, etc) ensures that you can verify your measures make sense / work.

I'm sorry if you've heard or read all of that before. But tools are just tools and reporting is just reporting. Sometimes things are obvious and sometimes it's just experience correlating data that gives you a hunch or shows a lead. If you would like to see the other side of it all I invite you to search the Linux Security forum for compromise threads. Determine for yourself what you would have to do to solve a case like say this, this, this, this or this.
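An added example, not from the thread and not the code of AIDE, Samhain or md5deep, of the "baseline data ... verified and backed up to a known safe remote location" step in the reply above: a baseline/verify pair in POSIX sh that records a SHA-256 manifest of a tree and later reports what was added, changed or removed. It assumes sha256sum (coreutils) or shasum is on PATH and that file paths contain no whitespace; the scratch tree at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: manual file-integrity baseline and verification in POSIX sh.
# Assumes sha256sum or shasum is available and that paths have no whitespace.

# Hash one file as "<sha256>  <path>"; shasum is the fallback where coreutils is absent.
hash_file() {
    sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"
}

# make_baseline DIR MANIFEST
# Writes one sorted "<sha256>  ./relative/path" row per regular file under DIR.
# Take it on a known-clean system and copy MANIFEST off the host: a manifest left
# on the box can be edited by the same intruder who edits the files it covers.
make_baseline() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done ) > "$2"
}

# verify_baseline DIR MANIFEST
# Re-hashes DIR and prints one line per deviation: "ADDED", "CHANGED" or
# "MISSING" followed by the path. No output means every file matches.
# If you suspect the host, run this from trusted tools (rescue media or a
# known-good static toolset), not the host's own find/sha256sum/awk.
verify_baseline() {
    [ -s "$2" ] || { echo "empty baseline manifest: $2" >&2; return 2; }
    now=$(mktemp)
    make_baseline "$1" "$now"
    awk 'NR == FNR { old[$2] = $1; next }     # first file: the stored baseline
         { new[$2] = $1 }                       # second file: what is on disk now
         END {
             for (p in old) if (!(p in new)) print "MISSING", p
             for (p in new) if (!(p in old)) print "ADDED", p
             for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED", p
         }' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Demo on a constructed scratch tree; a real baseline would cover /bin, /sbin,
# /lib, /etc and anything else that should only change through package updates.
demo_dir=$(mktemp -d); demo_manifest=$(mktemp)
mkdir -p "$demo_dir/bin"
printf 'original ls\n' > "$demo_dir/bin/ls"
printf 'root:x:0:0\n'  > "$demo_dir/passwd"
make_baseline "$demo_dir" "$demo_manifest"
printf 'backdoored ls\n' > "$demo_dir/bin/ls"   # simulate a trojaned binary
printf 'x\n' > "$demo_dir/.rhosts"              # simulate a dropped file
rm -f "$demo_dir/passwd"                        # simulate a deleted file
verify_baseline "$demo_dir" "$demo_manifest"
rm -rf "$demo_dir" "$demo_manifest"
```

This is the whole idea behind AIDE and Samhain reduced to two functions; what those tools add is metadata (ownership, modes, inode and mtime), a signed or remote database, and scheduling. The manual version is still useful as an independent cross-check when you cannot trust whatever is installed on the box.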