[Aide] Newbie Questions

Gary Gendel gary at genashor.com
Mon Apr 10 19:57:50 EEST 2006


You can take the paranoid approach (which is what I took).  I included
everything except what I knew didn't matter (user's home directories,
etc.).  Then I'd look at the reports generated by aide each day and
selectively modify the attributes of those things that changed
regularly.  It will take a few months to prune it down so it's quiet, but
then you've got a pretty inclusive system.  The drawback is that your
database size is significant, but I sleep better at night.  I don't want
to end up with a situation similar to what you discovered.

BTW, though I don't use Linux regularly, you might see if there is
something like BSD Jails or Solaris Containers available to run your web
server in.  Then, if they do get in, the worst they can do is compromise
your web server, not your system (not even root can modify the system
files from within a Solaris Container).  I have each service running in
its own Container, so any successful attack is limited to one service.

Steve West wrote:
> Hi folks,
>
> I've looked over the manual and went through the mailing archives as
> far back as APR 05 and I have a few questions still:
>
> 1. I'm sorry if this is a stupid question but anyone know what
> directories & files I should monitor on Redhat & CentOS 3.x/4.x
> boxes? What if someone installs a rootkit outside the location(s) being
> checked, I assume they will go unnoticed.
>
> 2. One of our web servers was compromised and went unnoticed for
> several weeks. :(  They got in via apache and installed some type of
> ssh rootkit under /usr/local/. Neither Rootkit Hunter nor chkrootkit detected it
> because it did not alter any binaries on system. Instead they tampered
> with a number of log files (i.e. /var/log/wtmp, etc.) to wipe their
> tracks clean. My question is can aide be used to ensure critical log
> files are not tampered with? Or is this something left better to
> another tool.
>
> Any help is greatly appreciated!
>
> thx,
>
> SW
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
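An aide.conf sketch of the approach discussed in this thread (everything under / with a strict rule, explicit exclusions for trees known not to matter, and a growing-log rule for wtmp-style files so truncation is reported); this is an added example written for this archive page, not a configuration posted by either participant. The group names and the exact paths are assumptions; the attribute letters and the built-in `>` group are AIDE's own.

```conf
# Baseline database.  Keep a copy of aide.db on read-only or offline
# media: whoever can rewrite wtmp can also rewrite a writable database.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
report_url=stdout

# Attribute groups (assumed names):
#   p=permissions i=inode n=link count u=owner g=group s=size
#   m=mtime c=ctime S=size may only grow md5/sha1=checksums
Paranoid = p+i+n+u+g+s+m+c+md5+sha1
Dirs     = p+i+n+u+g
# Same attributes as AIDE's predefined '>' (growing logfile) group.
GrowLog  = p+u+g+i+n+S

# Paranoid approach: start from / with the strongest rule, so a
# rootkit dropped under /usr/local shows up as added files.
/ Paranoid

# Then carve out what is known not to matter or changes constantly.
!/proc
!/sys
!/dev
!/tmp
!/var/tmp
!/home
!/var/run
!/var/lock
!/var/spool

# Log files: content may be appended, but owner, mode and inode must
# not change and the size must never shrink.  A wiped or truncated
# wtmp is reported as a size/inode change at the next --check.
# Specific rules are listed before the general /var/log rule.
/var/log/wtmp     GrowLog
/var/log/btmp     GrowLog
/var/log/secure   GrowLog
/var/log/messages GrowLog

# Remaining logs: metadata only, which keeps rotation noise down.
/var/log Dirs
```

Build the baseline with `aide --init`, run `aide --check` from cron each day, and after reviewing a report with only expected changes (log rotation, package updates) run `aide --update` and move the new database into place; this is the pruning cycle described above.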