martin f krafft <madduck@debian.org> [2002-09-15 22:48:27 +0200]:
> So you think AIDE rocks, huh? Why (compared to tripwire)?

I used (and still use on another OS) tripwire back when it was free software. Then the author took the same route that ssh's and xv's authors took. He decided to take the previously free software and turn it into proprietary software. At that time anyone could continue to use the previous free version. Newer versions were available only under the restricted copyright. It was still available at no charge for non-commercial use. But not free software. I have never felt kindly disposed to someone releasing something as free and then retracting it after it becomes popular. I consider that breaking a taboo.

The AIDE project was designed to solve that problem. Like OpenSSH it is a free software reimplementation. Unlike OpenSSH it is not strictly compatible, but that is not needed here. It is GPL and unencumbered by restrictions. It has very nice email reports of file changes. It is under active development. I converted to it because it was free (speech) software but have remained because it does everything I need it to do.

    apt-cache show aide

I will note that the most recent release is not as portable as I would like at the source code level. I have had difficulty getting it to run on other commercial Unix systems. The development continues and the authors are addressing the portability problems. But if you are on Debian the work has already been done for you by the maintainer. Install and go.

    apt-get install aide

Configuration drift: I always install aide (and tripwire) so that it emails me incremental changes and updates the database automatically. I expect my systems to have some changes. I don't want to have to spend more time updating the security database than it takes to actually update the system. But I do want alarm bells to go off when things change. If I expect those changes I can log them and move on. If I don't expect those changes then I want to be alerted to them. I think the following change to /etc/cron.daily/aide will describe my local customization and configuration reasonably well.

-#aide --check >$LOGFILE 2>$ERRORLOG
+aide --update >$LOGFILE 2>$ERRORLOG
+mv -f $DATABASE.new $DATABASE

I am sure some people who need to run very hardened systems would claim this is throwing caution to the wind. But those people should not be running from a writable hard disk anyway, they should be running from CDROM. :-)

I mail the reports off to a different system where I examine them daily. I often get reminded that I changed something yesterday and forgot about it. Updating the database at the same time as the check is much more efficient and faster than running a check and separately updating the database later. Also, the default two passes open a window of time where unauthorized changes can happen and not be reported. Therefore I prefer the single-pass update. Also, I keep backup copies of the aide database and can do more long-term compares of what changed since that snapshot if need be. (Needed that once.)

The method is a good one for me. YMMV.

Bob
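Review bot: the `+mv -f $DATABASE.new $DATABASE` line runs unconditionally, whatever `aide --update` exited with, so a run that aborts partway (full disk, configuration error) can replace the known-good baseline with a truncated or missing `$DATABASE.new`. Since `--update` legitimately exits nonzero when it finds changes, a plain `&&` is not the right guard; test that `$DATABASE.new` exists and is non-empty (and, given the backup copies mentioned later in the post, copy the old `$DATABASE` aside first) before the move.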
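Added example, not code from the post or from the AIDE project: a cron-style script that performs the single-pass update Bob describes, but keeps a dated copy of the outgoing baseline and only rotates in the new database when the run did not error out. Paths, variable names and the AIDE exit-code ranges used here are assumptions of this example.

```shell
#!/bin/sh
# Single-pass AIDE run in the spirit of the post: update the baseline in the
# same pass as the check, keep a dated copy of the previous baseline, and mail
# the report off-box. Paths, variable names and the AIDE exit-code meanings
# (0 = no change, bits 1/2/4 = new/removed/changed, 14 and up = error) are
# assumptions of this example, not taken from the post.
DATABASE=${DATABASE:-/var/lib/aide/aide.db}
BACKUPDIR=${BACKUPDIR:-/var/backups/aide}
LOGFILE=${LOGFILE:-/var/log/aide/aide.log}
ERRORLOG=${ERRORLOG:-/var/log/aide/aide.err}
MAILTO=${MAILTO:-root}
AIDE=${AIDE:-aide}

# Map an AIDE exit status to clean / changes / error.
aide_verdict() {
    case "$1" in
        0)     echo clean ;;
        [1-7]) echo changes ;;   # any combination of the new/removed/changed bits
        *)     echo error ;;
    esac
}

# Keep the outgoing baseline under a timestamp so a longer-term comparison
# against an older snapshot remains possible later.
backup_database() {
    mkdir -p "$2" && cp -p "$1" "$2/aide.db.$3"
}

# Promote $db.new to the baseline only when the run did not error out and the
# new file is non-empty: a half-written database must not replace a good one.
rotate_database() {
    db=$1; verdict=$2
    [ "$verdict" != error ] && [ -s "$db.new" ] || return 1
    mv -f "$db.new" "$db"
}

run_aide() {
    stamp=$(date +%Y%m%d)
    [ ! -f "$DATABASE" ] || backup_database "$DATABASE" "$BACKUPDIR" "$stamp" || return 1
    rc=0
    "$AIDE" --update >"$LOGFILE" 2>"$ERRORLOG" || rc=$?
    verdict=$(aide_verdict "$rc")
    rotate_database "$DATABASE" "$verdict" || verdict=error
    { echo "AIDE $verdict on $(hostname) $stamp"; cat "$LOGFILE" "$ERRORLOG"; } |
        mail -s "AIDE $verdict: $(hostname)" "$MAILTO"
}

# Invoked as "aide-daily.sh run" from cron; sourcing it only defines the functions.
if [ "${1:-}" = run ]; then run_aide; fi
```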