Can someone suggest a good auditing tool (file-level audit)?
Hi,
Can someone suggest a good auditing tool (for file-level audit)?
Thanks.
Responses
Hi,
AIDE is good for auditing files for (unwanted) changes.
AIDE stands for Advanced Intrusion Detection Environment.
You will need to install AIDE:
# yum install aide
and afterwards configure what files you want to monitor for changes in
/etc/aide.conf
After the above configuration changes, it is necessary to initialize AIDE:
# aide --init
More: https://access.redhat.com/knowledge/solutions/55021
Hope this helps,
Thank you
Kind regards,
Elvir Kuric
I agree that AIDE is the best onboard tool to handle this question.
However, configuration might be difficult if you do not want to end up with a huge number of "false positives".
Therefore, I think a prerequisite for using AIDE is that you do an "as slim and lean as possible" installation.
To do this, I normally start by creating a kickstart file that does a "nobase", i.e. the "%packages" section in the kickstart is maybe something like:
%packages --nobase
man
net-snmp
net-snmp-utils
ntp
openssh
openssh-clients
openssh-server
yum
# see also http://wiki.centos.org/TipsAndTricks/KickStart
You end up with around 200 RPM packages installed and a quite small but functioning server; you probably need to add several more packages to the list to install the functions you need. However, it is a starting point to allow more efficient configuration of AIDE. If you install 600 packages, of which most are not needed, you create a monster that you have to tame later on... so it's of course better practice to start small.
Another good one to use is "inotify" & co (iwatch, File Alteration Monitor) ... dig for documentation on that! It helps you to indicate changes "on the fly", whereas AIDE relies on a stiff database and regular scheduled reports. For example:
http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/
http://www.infoq.com/articles/inotify-linux-file-system-event-monitoring
Regarding real-time alerts, I think the standard auditd service deserves much more recognition. It's really great and has a lot of flexibility (plugins, dispatcher, etc). You can do a lot with it that is basically not possible with other more commonly used tools. For example, it can alert if anyone loads a kernel module. You can also lock the rules so they can't be edited without a reboot.
The whole concept that you will be alerted when someone TRIES to do something (even if that attempt fails) as opposed to only if they've tried it, succeeded, and not cleaned up their tracks before the next scan, is infinitely superior. Most hackers won't even realize it's running until it's too late, whereas just about all of them will know to try and clean up their tracks after they've finished setting up their rootkits or whatever.
Prelude seems to support audit dispatcher directly but I've not used it.
My other issue with tools like AIDE and Tripwire is scalability (central management/reporting, etc). Products like Samhain and OSSEC are a little better in that regard. But setting up auditd in parallel to these is the perfect combination and lets you use AIDE/Tripwire more for post-intrusion forensics, which they are excellent at, and less for the actual intrusion detection, which they aren't really ideal for. It's also far easier to minimize false positives with this approach, because your AIDE/Tripwire policies can be much simpler.
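As an added example (not from anyone in this thread), here is the auditd side of the approach above: a function that emits the file-watch rules for a directory (with the `-e 2` lock the post mentions), and a small parser that groups constructed audit.log records by serial and pulls out the failed attempts, which is exactly the kind of event a file-integrity scanner would never show. The key name `etc_changes` and the log lines are made up for the example.

```python
import re

def file_watch_rules(paths, key, lock=True):
    """Audit rules for /etc/audit/rules.d/: watch each path for writes and
    attribute changes, tag matches with a key; -e 2 locks the rules until reboot."""
    rules = [f"-w {p} -p wa -k {key}" for p in paths]
    if lock:
        rules.append("-e 2")
    return rules

# Constructed sample audit.log records (not captured from a real host):
# serial 501 = a root edit of sshd_config, 502 = an unprivileged user's failed
# attempt to open /etc/shadow for writing, 503 = an unrelated syscall with no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="etc_changes"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=no exit=-13 items=1 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="etc_changes"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=1 success=yes exit=42 items=0 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by audit serial: SYSCALL fields merge into the event,
    PATH records contribute the file names that were touched."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events.setdefault(int(serial), {"serial": int(serial), "time": ts, "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return [events[s] for s in sorted(events)]

def key_report(log_text, key):
    """All events tagged with `key`, oldest first (successful and failed)."""
    return [e for e in parse_events(log_text) if e.get("key") == key]

def failed_attempts(log_text, key):
    """The alerts the post is about: attempts that did NOT succeed (success=no)."""
    return [e for e in key_report(log_text, key) if e.get("success") != "yes"]

if __name__ == "__main__":
    print("\n".join(file_watch_rules(["/etc"], "etc_changes")))
    for e in failed_attempts(SAMPLE_LOG, "etc_changes"):
        print(f"ALERT serial={e['serial']} auid={e['auid']} exe={e['exe']} paths={e['paths']}")
```

On a real host the same grouping is what `ausearch -k etc_changes` does for you; the parser is here only so the logic can be seen and run offline.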
