Date: 10 Aug 2002 23:30:06 +0100
From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
To: Dru <dlavigne6@cogeco.ca>
Cc: sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: aide-0.7_1 docs?
Message-ID: <1029018608.38776.126.camel@Demon.vickiandstacey.com>
In-Reply-To: <20020810180914.Y9801-100000@x1-6-00-80-c8-3a-b8-46>
References: <20020810180914.Y9801-100000@x1-6-00-80-c8-3a-b8-46>
Thanks for the quick reply Dru (I read your articles quite often!).

I used to use tripwire, but found that it didn't *really* do what I thought
it would (which is provide real-time notification of intrusion attempts /
hacks). In the end, tripwire proved to be a heavy-weight file (system)
changes indicator, more than anything else. I'll not want to go with yet
another app that appears to promise a lot, but doesn't "do what it says on
the tin", so to speak.

The description of aide mentions:

AIDE is Advanced Intrusion Detection Environment. This piece of software
was written as a replacement and extension for Tripwire. Tripwire is an
excellent program in itself but lacks some features and is a closed product.

Current Features:
  Multiple integrity checking algorithms (Even more with mhash support)
  Ability to output the database to stdout/file
  Easy configuration through a powerful configuration file

Planned Features:
  Multiple database retrieval backends
  Encrypted databases
  Compressed databases (zlib bzip2 support)
  Windows NT port
  Email report
  More elaborate report options
  Recurse=n
  Interactive db update

Not that I want to weigh you down on this, but does aide as yet do any of
the "Planned Features"? In particular, compressed dbases, E-Mail reporting &
Interactive dbase updates?

Thanks again for getting back to me. From your response, it does appear that
you are happy with aide, and I'm happy that it will prove to be as useful
and effective to me as well.

Hope to hear from you again soon.

Stacey

On Sat, 2002-08-10 at 23:16, Dru wrote:
>
>
> On 10 Aug 2002, Stacey Roberts wrote:
>
> > Hello,
> > I'm trying to find a simple-to-use / simple-to-manage intrusion
> > detection system.
> >
> > I came across aide-0.7_1 in the ports collection, and thought I'd like
> > to find out more about this. However attempts at accessing more
> > information via the link to "Main website" only takes me to
> > http://www.cs.tut.fi/~rammer/ where Mr. Rammer has almost everything
> > under the Sun, *except* information on aide.
> >
> > Is anyone out there actually using aide? Could you point me to where I
> > might find the docs that come with it, please?
>
>
> "man aide" and "man aide.conf" appear to be it. However, I've found that
> compared to tripwire or integrit, aide was the easiest to configure and even
> ran "out of the box" with no changes to the sample config. I simply cronned it
> and made changes to the config file as I received output I didn't want to
> receive. Here are my usage notes:
>
> cd /usr/ports/security/aide /* tripwire replacement */
> make install clean
> man aide.conf
> /var/adm/aide/databases/ /* databases will be stored here */
>
> cp /usr/local/etc/aide.conf.sample /var/adm/aide/aide.conf
>
> and configure to your needs (works out of the box but has additional
> tweaks)
>
> aide -i /* initialize aide.db.new */
> mv /var/adm/aide/databases/aide.db.new /var/adm/aide/databases/aide.db
>
> aide --check /* checks database */
> aide --update /* updates database */
>
> -update creates aide.db.new (ascii text) so move it to aide.db as it is
> now your new baseline
> -will need to gzip if want to store on floppy; you should store database
> on read-only media
> -cron /usr/local/bin/aide --check
>
> HTH,
>
> Dru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Stacey Roberts
B.Sc (HONS) Computer Science
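Dru's usage notes above walk through AIDE's baseline cycle: aide -i writes aide.db.new, it is moved into place as aide.db, aide --check diffs the live system against it, and aide --update produces the next baseline. The following is an added toy that models that cycle in Python so the workflow can be run and inspected offline; it is not AIDE's code or anything posted in this thread, and the record format, the directory layout and the sample tree are constructed for the example.

```python
"""Toy baseline checker modelled on the aide -i / --check / --update cycle quoted above (added example, not AIDE's code)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _record(path: Path) -> str:
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()  # catches content edits with restored mtime
    return f"{st.st_size} {stat.S_IMODE(st.st_mode):o} {st.st_mtime_ns} {digest}"

def scan(root: str) -> dict:
    """Like 'aide -i': record size, mode, mtime, SHA-256 of every regular file (symlinks skipped)."""
    root_p = Path(root)
    return {str(p.relative_to(root_p)): _record(p)
            for p in sorted(root_p.rglob("*")) if p.is_file() and not p.is_symlink()}

def save_db(db: dict, db_path: str) -> None:
    with open(db_path, "w", encoding="utf-8") as fh:
        for rel, rec in db.items():
            fh.write(f"{rec} {rel}\n")  # path last, so it may contain spaces

def load_db(db_path: str) -> dict:
    db = {}
    with open(db_path, encoding="utf-8") as fh:
        for line in fh:
            size, mode, mtime, digest, rel = line.rstrip("\n").split(" ", 4)
            db[rel] = f"{size} {mode} {mtime} {digest}"
    return db

def check(root: str, baseline: dict) -> dict:
    """Like 'aide --check': paths added, removed or changed since the baseline."""
    cur = scan(root)
    return {"added": sorted(cur.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - cur.keys()),
            "changed": sorted(k for k in cur.keys() & baseline.keys() if cur[k] != baseline[k])}

def update(root: str, db_path: str) -> dict:
    """Like 'aide --update' plus the mv: write <db>.new, then make it the live baseline."""
    db = scan(root)
    save_db(db, db_path + ".new")
    os.replace(db_path + ".new", db_path)  # only after check() showed nothing unexpected
    return db

if __name__ == "__main__":  # constructed demo tree; database kept outside the tree it covers
    tree, db_file = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "aide.db")
    Path(tree, "etc").mkdir(); Path(tree, "etc", "rc.conf").write_text("sshd_enable=YES\n")
    save_db(scan(tree), db_file); Path(tree, "etc", "rc.conf").write_text("sshd_enable=YES\ninetd_enable=YES\n")
    print(check(tree, load_db(db_file)))
```

Keeping the database outside the tree it describes, and on media the checked host cannot write to, is what makes the report trustworthy: a baseline that an intruder can rewrite reports nothing.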