Hi guys.

Lately, I've been experimenting with aide.  It's an intrusion detection
system along the lines of the commercial product tripwire.  License is
GPL.  It's a good tool to see if you're being broken into because 3l33t
haxorz replace binaries (such as who or top) sometimes with their own
version that hides their activities or they wipe their activity off your
log files.

What you do is set up a config file that tells aide which directories
and files to check,  and run a cron job to run it every night.  It will
tell you which files have changed.  If it's too noisy, look at the
config file and take out some of the entries.  You can also take a
stripped-down config file and the binary, and put it on a floppy.
Initialize the database and then lock-protect the floppy, and you have a
safe audit tool.  Plus, if you have a minimal database, you can run it
every hour, and the check only takes about 10 seconds (the full-blown
system takes 5-10 minutes and is not so good to run all the time.)


Basically, here's what aide mails to you:

This is an automated report generated by the Advanced Intrusion Detection
Environment on poohstix at 06:25:02 on 08/23/00.

Output of the daily AIDE run:
AIDE found differences between database and filesystem!!
Start timestamp: 2000-08-23 06:25:03
Summary:
Total number of files=15138,added files=4,removed files=1,changed files=53

Added files:
added:/usr/bin/gftp
added:/usr/lib/menu/gftp
added:/var/log/aide/aide.log
added:/var/log/aide/error.log
Removed files:
removed:/usr/sbin/in.ftpd
Changed files:
changed:/dev/tty0
changed:/dev/tty7
changed:/usr/bin
changed:/usr/bin/dh_gencontrol
changed:/usr/bin/dh_builddeb
changed:/usr/bin/dh_clean
Detailed information about changes:

File: /dev/tty0
Ctime: old = 2000-08-22 08:37:09, new = 2000-08-22 22:37:40

File: /dev/tty7
Ctime: old = 2000-08-22 08:37:09, new = 2000-08-22 22:37:40

File: /usr/bin
Mtime: old = 2000-08-22 15:40:03, new = 2000-08-22 17:18:41
Ctime: old = 2000-08-22 15:40:03, new = 2000-08-22 17:18:41

File: /usr/bin/dh_gencontrol
Ctime: old = 2000-08-20 23:13:56, new = 2000-08-22 16:54:58
Inode: old = 31807 , new = 33219

File: /usr/bin/dh_builddeb
Ctime: old = 2000-08-20 23:13:56, new = 2000-08-22 16:54:58
Inode: old = 31802 , new = 33132

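The init/check cycle the post describes, as an added example that is not part of the original mail and is not aide's own code: a small POSIX shell stand-in that builds a baseline "database" of per-file inode, permissions, size, mtime, ctime and SHA-256 hash, re-scans later, and reports added/removed/changed paths in the shape of the mail above. It assumes GNU coreutils (stat -c, sha256sum, mktemp) and paths without whitespace; the function names, the fake tree under a temporary directory and the crontab line are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration of the init/check cycle the post describes. This is NOT
# aide's code; it is a stand-in showing what an integrity checker does:
# snapshot inode, permissions, size, mtime, ctime and a hash per file, save
# that as the "database", later re-snapshot and diff. Assumes GNU coreutils
# (stat -c, sha256sum, mktemp). Paths containing whitespace are not handled.

# idb_snapshot DIR: one line per regular file under DIR, sorted by path:
#   <path> <inode> <perms> <size> <mtime> <ctime> <sha256>
idb_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%i %a %s %Y %Z' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# idb_init DIR DBFILE: write the baseline and make it read-only. In the post
# this is the database initialised onto a write-protected floppy; the point is
# that the baseline must live where the intruder cannot rewrite it.
idb_init() {
    idb_snapshot "$1" > "$2"
    chmod 0444 "$2"
}

# idb_check DIR DBFILE: re-snapshot and print added:/removed:/changed: paths.
# Exit status is a bit mask, the convention aide(1) documents:
# 1 = files added, 2 = files removed, 4 = files changed, 0 = no differences.
idb_check() {
    cur=$(mktemp) || return 99
    idb_snapshot "$1" > "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { old[$1] = $0; next }   # first file: the baseline
        { new[$1] = $0 }                              # second file: current state
        END {
            for (p in new) if (!(p in old)) print "added:" p
            for (p in old) if (!(p in new)) print "removed:" p
            for (p in new) if ((p in old) && old[p] != new[p]) print "changed:" p
        }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$report" ] && printf '%s\n' "$report"
    status=0
    case "$report" in *added:*)   status=$((status | 1)) ;; esac
    case "$report" in *removed:*) status=$((status | 2)) ;; esac
    case "$report" in *changed:*) status=$((status | 4)) ;; esac
    return $status
}

# idb_demo: constructed scenario mirroring the post's report. A fake tree is
# baselined, then "who" is trojaned, "gftp" appears and "in.ftpd" vanishes.
# The trojaned "who" keeps the same size and is written within the same
# second, so only the hash catches it; a checker recording size and mtime
# alone would miss exactly the binary substitution the post warns about.
idb_demo() {
    root=$(mktemp -d) || return 99
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    printf 'original who\n' > "$root/usr/bin/who"
    printf 'original top\n' > "$root/usr/bin/top"
    printf 'ftp daemon\n'   > "$root/usr/sbin/in.ftpd"
    db="$root/aide.db"
    idb_init "$root/usr" "$db"

    printf 'trojaned who\n' > "$root/usr/bin/who"   # same 13-byte length
    printf 'gftp\n'         > "$root/usr/bin/gftp"
    rm -f "$root/usr/sbin/in.ftpd"

    rc=0
    idb_check "$root/usr" "$db" || rc=$?
    rm -rf "$root"
    return $rc
}

# Nightly run like the post's cron job (crontab line; paths are assumptions):
# 25 6 * * * /usr/local/sbin/idb_check /usr /mnt/floppy/aide.db | mail -s "integrity report" root

rc=0
idb_demo || rc=$?
printf 'exit status (bit mask): %s\n' "$rc"
```

aide itself expresses the same idea declaratively: a rule such as `Binlib = p+i+n+u+g+s+m+c+sha256` names the attributes to record, selection lines like `/usr/bin Binlib` apply it to a tree, and a line prefixed with `!` excludes a path. The ctime-only changes on /dev/tty* and the dh_* files replaced by a package upgrade in the mail above are the kind of noise the post means by "take out some of the entries": exclude volatile paths, or drop ctime from the rule used for them. The caveat the write-protected floppy addresses applies to the whole toolchain, not just the database: an intruder who can replace who and top can equally replace the checker or the hashing utility, so both must be run from media the compromised host cannot write.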