Can someone suggest a good auditing tool (file-level audit)?

Hi,

Can someone suggest a good auditing tool (for file-level audit)?

Thanks.

Responses

hi,

AIDE is good for auditing files for (unwanted) changes.

AIDE stands for Advanced Intrusion Detection Environment.

You will need to install aide

# yum install aide

and afterwards configure what files you want to monitor for changes in

/etc/aide.conf

After the above configuration changes, it is necessary to initialize aide

# aide --init

More

-- https://access.redhat.com/knowledge/solutions/55021

Hope this helps,

Thank you

Kind regards,

Elvir Kuric
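To make the "initialize, then check against the database" cycle concrete, here is an added example (not code from the thread and not part of AIDE itself): a minimal baseline-and-compare file integrity check in POSIX shell. It assumes sha256sum from coreutils and paths without spaces or newlines; the aide.conf rule quoted in the comments uses an attribute list chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AIDE project: a minimal
# baseline-and-compare file integrity check in POSIX shell, to show the kind
# of "init, then check against the database" cycle AIDE performs. Assumes
# sha256sum (coreutils) and paths without spaces or newlines.
#
# The equivalent real-world setup would be an /etc/aide.conf rule such as
#   /etc  p+i+n+u+g+sha256      # (attribute list chosen for illustration)
# followed by "aide --init", copying the new database into place, and
# "aide --check" from cron; "aide --update" re-baselines after approved changes.

# fim_init DIR DB: record a "sha256  path" line for every regular file under DIR.
fim_init() {
    idir=$1; idb=$2
    find "$idir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$idb"
}

# fim_check DIR DB: rescan DIR and print one line per deviation from DB:
#   ADDED path, CHANGED path, REMOVED path (nothing printed means no drift).
fim_check() {
    cdir=$1; cdb=$2
    new=$(mktemp)
    fim_init "$cdir" "$new"
    # First file = baseline, second = fresh scan; compare hash per path.
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in old))        print "ADDED   " $2
             else if (old[$2] != $1)  print "CHANGED " $2
         }
         END { for (p in old) if (!(p in seen)) print "REMOVED " p }' \
        "$cdb" "$new" | LC_ALL=C sort
    rm -f "$new"
}

# Stand-alone demo on a throwaway directory (constructed sample data).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    echo "root:x:0:0" > "$d/passwd"; echo "wheel:x:10" > "$d/group"
    fim_init "$d" "$d.db"
    echo "evil:x:0:0" >> "$d/passwd"; rm "$d/group"; echo "x" > "$d/newfile"
    fim_check "$d" "$d.db"      # prints ADDED newfile, CHANGED passwd, REMOVED group
    rm -rf "$d" "$d.db"
fi
```

Run it with `sh fim.sh demo` to see the three kinds of drift reported. The baseline file plays the role of AIDE's database: it must be stored somewhere an intruder cannot rewrite (read-only media or a remote host), otherwise a change to the file and to the baseline together goes unnoticed, which is exactly the "clean up their tracks" problem discussed later in this thread.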

I agree that AIDE is the best onboard tool to handle this question.

However, configuration might be difficult if you do not want to end up with a huge number of "false positives".

Therefore, I think a prerequisite for using AIDE is that you do an "as slim and lean as possible" installation.

To do this, I normally start by creating a kickstart file that does a "nobase", i.e. the "%packages" section in the kickstart is maybe something like:

%packages --nobase
man
net-snmp
net-snmp-utils
ntp
openssh
openssh-clients
openssh-server
yum
# see also http://wiki.centos.org/TipsAndTricks/KickStart

You end up with around 200 rpm packages installed and a quite small but functioning server; you probably need to add several more packages to the list to install the functions you need. However, it is a starting point to allow more efficient configuration of AIDE. If you install 600 packages of which most are not needed, you create a monster that you have to tame later on... so it's of course better practice to start small.

Another good one to use is "inotify" & co (iwatch, File Alteration Monitor)... dig for documentation on that! It helps you to indicate changes "on the fly", whereas AIDE relies on a stiff database and regular scheduled reports. For example:

http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/

http://www.infoq.com/articles/inotify-linux-file-system-event-monitoring

Mario, thanks for the detailed reply! Really helpful.

Regarding real-time alerts I think the standard auditd service deserves much more recognition. It's really great and has a lot of flexibility (plugins, dispatcher, etc). You can do a lot with it that is basically not possible with other more commonly used tools. For example it can alert if anyone loads a kernel module. You can also lock the rules so they can't be edited without reboot.

The whole concept that you will be alerted when someone TRIES to do something (even if that attempt fails), as opposed to only if they've tried it, succeeded, and not cleaned up their tracks before the next scan, is infinitely superior. Most hackers won't even realize it's running until it's too late, whereas just about all of them will know to try and clean up their tracks after they've finished setting up their rootkits or whatever.

Prelude seems to support audit dispatcher directly but I've not used it.

My other issue with tools like AIDE and Tripwire is scalability (central management/reporting, etc). Products like Samhain and OSSEC are a little better in that regard. But setting up auditd in parallel to these is the perfect combination and lets you use aide/tripwire more for post-intrusion forensics, which they are excellent at, and less for the actual intrusion detection, which they aren't really ideal for. It's also far easier to minimize false positives with this approach, because your aide/tripwire policies can be much simpler.
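The auditd capabilities mentioned in the reply above (file watches, logging of failed attempts, alerting on kernel module loads, locking the rules) map onto a short rules file. The following is an added example, not from the thread or from the audit project: it writes such a rules file and adds two helpers to sanity-check it before loading. The destination path and the `-k` keys are assumptions; the rule syntax itself is standard auditctl syntax.

```shell
#!/bin/sh
# Added example, not from the thread: an auditd rules file that covers the
# points made above (file-level watches, failed attempts, kernel module loads,
# locked rules), plus helpers to sanity-check and load it. The destination
# file name and the -k keys are assumptions; adjust to local policy.

# write_audit_rules [DEST]: write the rules file (default path assumed).
write_audit_rules() {
    dest=${1:-/etc/audit/rules.d/90-file-audit.rules}
    cat > "$dest" <<'EOF'
## Start from a clean rule set and give the kernel a backlog for bursts
-D
-b 8192

## File-level audit: writes and attribute changes to identity/sudo files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

## Failed attempts are recorded too: denied opens/creates by real users
## (auid>=1000 excludes system accounts; 4294967295 is the "unset" auid)
-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access_denied
-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access_denied

## Kernel module load/unload, by syscall and by the usual helper binaries
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules

## Lock the configuration: no further rule changes until reboot (keep last)
-e 2
EOF
}

# count_audit_rules FILE: number of watch (-w) and syscall (-a) rules.
count_audit_rules() {
    grep -c '^-[wa] ' "$1" || true
}

# last_rule_line FILE: the final non-blank line, which must be "-e 2".
last_rule_line() {
    grep -v '^[[:space:]]*$' "$1" | tail -n 1
}

# load_audit_rules: apply the rules.d tree through augenrules (needs root and auditd).
load_audit_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load && auditctl -l
    else
        echo "augenrules not found; skipping load" >&2
        return 1
    fi
}

# Stand-alone demo: write to a temp file and show the summary.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_audit_rules "$f"
    echo "rules: $(count_audit_rules "$f"), last line: $(last_rule_line "$f")"
    rm -f "$f"
fi
```

After `augenrules --load`, `ausearch -k identity` or `aureport -k` shows the events per key. On hosts that run 32-bit binaries, duplicate the `-a` rules with `-F arch=b32`, otherwise those syscalls are not seen. Because of `-e 2`, a mistake in the file costs a reboot to correct, so check the rules on a test system first.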

I think auditd is a good option for auditing at file level. I prefer "snoopy logger" to audit all activities on the system.
