[CentOS] aide and changes in system

Jim Perrin jperrin at gmail.com
Sun Dec 28 16:02:03 UTC 2008


On Sun, Dec 28, 2008 at 9:19 AM, Mariusz <settlerk at atp-czesci.pl> wrote:
> I've checked my system by aide and i've received information:
>
> changed: /bin
> changed: /bin/tar
> changed: /bin/mv
> changed: /bin/cp
> changed: /bin/ls
> changed: /bin/vi
>
> i don't remember that I changed those commands, what does it mean? Somebody
> broken in? or those commands are changed normally?

This is most likely due to prelink changes (which run as a weekly
cron) but you should always check things like this out while you're
getting to know how the system changes and reacts. If it's just those
apps, I would take a much closer look at your system, since prelink
should affect more binaries than that.

Always remember that systems like tripwire and aide are essentially
car or home burglar alarms. It's great for alerting you, but if
they're activated it's because someone is already in the system. The
best security is defense in layers. Firewall, deny-hosts or fail2ban,
selinux, good password or key policies and proper system configuration
are all key to keeping your system safe.

If you're really concerned about system security, I'd have a look at
the NSA guide for locking down RHEL5. It's a very good jumping off
point for security. Follow that up with a nice healthy dose of the DoD
STIG (Security Technical Implementation Guidelines) for the apps
you're running and you'll be pretty good.

See -> http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf
and http://iase.disa.mil/stigs/stig/index.html



-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell


More information about the CentOS mailing list