Re: Is LIDS a good idea?
hi ya mark

are you trying to detect that files have changed
or are you trying to protect files from being changed ??

tripwire/aide and other ids will tell you that files have been
changed... ( a little too late in my book ... )

lids tries to prevent you and [h/cr]ackers from changing
files it's supposed to be protecting...

a simple "chattr +i /etc/passwd" will prevent it from
being changed too

i'd also make sure the kernel is protected against buffer overflow
too .. apply things like ow1 kernel patch and libsafe....
( simple 5 minute things to minimize lots of potential headaches )

-- kernel patches
http://www.linux-sec.net/Harden/kernel.gwif.html

-- IDS stuff
http://www.Linux-Sec.net/IDS/

-- detecting that they have gotten in is kinda too late ???
-- spend your time hardening the box up front and protecting data
http://www.Linux-Sec.net/Harden/

c ya
alvin

On Fri, 30 Nov 2001 mdevin@ozemail.com.au wrote:
> I just stumbled upon this LIDS (Linux Intrusion Detection/Defense
> System) see: http://www.lids.org
>
> I just wanted to know if anyone is using this and what they think of it.
> Is it hard to set up? What happens when you do an apt-get dist-upgrade
> - will it refuse to change the binaries you want to upgrade? Is
> something like Tripwire / AIDE better because it doesn't stop root
> from changing/deleting files but will tell you later which ones have
> changed.
>
> Anyone with any experience in using this LIDS?
>
> Cheers.
> Mark.
>
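
The thread contrasts detecting changes after the fact (Tripwire/AIDE) with preventing them (LIDS, the immutable flag set by chattr +i). The sketch below is an added example, not part of either poster's message: it uses plain sha256sum as a stand-in for a real integrity checker, reads the immutable flag from lsattr output, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Detection side: record SHA-256 hashes of the files to watch.
# $1 = baseline file to write, remaining args = files to record
make_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out"
}

# Detection side: print every file that no longer matches the baseline
# (or has gone missing). Returns 1 if anything changed, 0 otherwise.
# By the time this reports, the change has already happened.
check_baseline() {
    changed=$(sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Prevention side: given one line of lsattr output, such as
# "----i---------e------- /etc/passwd", succeed if the immutable flag is set.
has_immutable_flag() {
    flags=${1%% *}
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prevention side: print the files that are NOT immutable, so they can be
# reviewed and locked with chattr +i. Needs lsattr (e2fsprogs) and a
# filesystem that supports the flag; otherwise the file is reported as unknown.
list_unprotected() {
    for f in "$@"; do
        if line=$(lsattr -d "$f" 2>/dev/null); then
            has_immutable_flag "$line" || printf '%s\n' "$f"
        else
            printf '%s (flags unavailable)\n' "$f"
        fi
    done
}

# Typical use (as root):
#   make_baseline /var/lib/baseline.sha256 /etc/passwd /etc/shadow
#   check_baseline /var/lib/baseline.sha256 || echo "files changed"
#   list_unprotected /etc/passwd /etc/shadow
```

The baseline file itself has to be kept somewhere an intruder cannot rewrite it, otherwise the detection side can be silenced along with the change.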