Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm looking for an IDS system to check my servers every day for changes. I already have Snort looking at network traffic. I was planning to implement Tripwire on a read-only protected floppy, but I noticed that isn't a very good policy to manage 28 servers.
Does anyone have an idea of an easy-to-change and easy-to-install IDS program to check my systems frequently?
You could raise your mana by having a central server which holds the signature databases (read-only partition, CD-RW). AFAIK Samhain is the only package to offer that server-client model feature w/o helper apps. AIDE can, using "ICU", and Tripwire seems to have a similar package.
Coincidentally I helped someone a while ago on the rpm mailing list to build the spec file for Samhain:
Code:
Summary: File integrity and host-based IDS
Name: samhain
Version: 1.6.6
Release: 1
License: GPL
Group: System Environment/Base
Source: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Provides: %{name}
%description
samhain is an open source file integrity and host-based intrusion
detection system for Linux and Unix. It can run as a daemon process,
and thus can remember file changes -- contrary to a tool that runs from
cron, if a file is modified you will get only one report, while
subsequent checks of that file will ignore the modification as it is
already reported (unless the file is modified again).
samhain can optionally be used as a client/server system to provide
centralized monitoring for multiple hosts. Logging to a (MySQL or
PostgreSQL) database is supported.
This package contains only the single host version.
%prep
%setup -q
%build
# test installation (self-tests shipped with the tarball; disabled by default)
# for i in `seq 7`; do ./test.sh $i; done
# Note: the build root is passed straight into the configure paths, so the
# generated init script has to be rewritten with sed below before packaging.
./configure --prefix=${RPM_BUILD_ROOT}/usr \
--sysconfdir=${RPM_BUILD_ROOT}/etc \
--localstatedir=${RPM_BUILD_ROOT}/var \
--mandir=${RPM_BUILD_ROOT}/usr/share/man
make
%install
rm -rf $RPM_BUILD_ROOT
make install
# copy script files to /var/lib/samhain so that we can use them right
# after the package is installed
install -m 700 samhain-install.sh ${RPM_BUILD_ROOT}/var/lib/%{name}
# strip the build root out of the init script so it refers to the real paths
sed "s|${RPM_BUILD_ROOT}||" < samhain.startRedHat > scratch_file
install -m 700 scratch_file ${RPM_BUILD_ROOT}/var/lib/%{name}/samhain.startRedHat
%clean
# left disabled here so the build root can be inspected after a build
# rm -rf ${RPM_BUILD_ROOT}
%post
# Activate boot-time start up
cd /var/lib/%{name}
./samhain-install.sh --verbose install-boot
%preun
# remove boot-time scripts and links
cd /var/lib/%{name}
./samhain-install.sh --verbose uninstall-boot
%postun
# remove any kernel modules that might have been installed
RVER=`uname -r`
rm -f /lib/modules/$RVER/samhain*
%files
%defattr(-,root,root)
%doc BUGS COPYING Changelog TODO
%doc LICENSE MANUAL-1_5.*.tgz README*
/var/lib/%{name}
/usr/sbin/%{name}
%attr(644,root,root) /usr/share/man/man5/samhain*.gz
%attr(644,root,root) /usr/share/man/man8/samhain*.gz
/etc/samhainrc
%changelog
* Mon Dec 16 2002 Andre Oliveira da Costa <brblueser@uol.com.br> 1.6.6-1
- First attempt to build from sources
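The behaviour the reply and the spec's %description rely on, a baseline of file fingerprints that is compared on each run and a "remember what was already reported" state so a modification is reported once, as an added example that is not part of the thread and is not Samhain's, AIDE's or Tripwire's code. The directory layout, file names and contents are constructed for the demo; in practice the baseline returned by build_baseline() would be serialized and stored on read-only media or the central server the reply describes, so that a compromised host cannot rewrite it.

```python
"""Minimal file-integrity checker with report-once semantics (added example)."""
import hashlib
import os
import stat
import tempfile

# Attributes that count as a change. Real tools make this configurable per
# directory (e.g. ignore mtime on log files); it is fixed here for the demo.
WATCHED_FIELDS = ("sha256", "size", "mode", "uid", "gid", "mtime")


def fingerprint(path):
    """Return the watched attributes of one regular file as a dict."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root):
    """Walk root and fingerprint every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, sockets, ...
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines: {'added': [..], 'removed': [..], 'changed': {path: [fields]}}."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in set(baseline) & set(current):
        diff = [f for f in WATCHED_FIELDS if baseline[path][f] != current[path][f]]
        if diff:
            report["changed"][path] = diff
    return report


def check(root, baseline, reported):
    """Scan root against baseline and return only findings not yet reported.

    `reported` maps path -> fingerprint at the time it was last reported (or the
    marker "removed"), so a file is reported again only if it changed *again*.
    This is the daemon-mode behaviour the spec's %description contrasts with a
    cron job that re-reports every run.
    """
    current = build_baseline(root)
    full = compare(baseline, current)
    fresh = {"added": [], "removed": [], "changed": {}}
    for path in full["added"]:
        if reported.get(path) != current[path]:
            fresh["added"].append(path)
            reported[path] = current[path]
    for path in full["removed"]:
        if reported.get(path) != "removed":
            fresh["removed"].append(path)
            reported[path] = "removed"
    for path, fields in full["changed"].items():
        if reported.get(path) != current[path]:
            fresh["changed"][path] = fields
            reported[path] = current[path]
    return fresh


def demo():
    """Build a baseline on constructed files, modify the tree, run two checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")  # constructed sample
        baseline = build_baseline(root)

        # Simulated drift: one file edited, one removed, one new file appears.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("svc:x:1001:1001::/var/empty:/sbin/nologin\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "newfile.conf"), "w") as fh:
            fh.write("option = 1\n")

        reported = {}
        first = check(root, baseline, reported)   # reports all three findings
        second = check(root, baseline, reported)  # nothing new: all already reported
        return first, second


if __name__ == "__main__":
    print(demo())
```

The second call to check() returning an empty report is the property the reply cares about: an operator watching 28 hosts sees each change once, not once per scheduled run. Note that the suppression state lives in `reported`, which on a real host must be protected as carefully as the baseline itself.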