On Sun, Dec 28, 2008 at 9:19 AM, Mariusz settlerk@atp-czesci.pl wrote:
I've checked my system with aide and I've received this information:

changed: /bin
changed: /bin/tar
changed: /bin/mv
changed: /bin/cp
changed: /bin/ls
changed: /bin/vi

I don't remember changing those commands. What does it mean? Has somebody broken in, or are those commands changed normally?
This is most likely due to prelink changes (which run as a weekly cron) but you should always check things like this out while you're getting to know how the system changes and reacts. If it's just those apps, I would take a much closer look at your system, since prelink should affect more binaries than that.
Always remember that systems like tripwire and aide are essentially car or home burglar alarms. They're great for alerting you, but if they're activated it's because someone is already in the system. The best security is defense in layers. Firewall, DenyHosts or fail2ban, SELinux, good password or key policies and proper system configuration are all key to keeping your system safe.
If you're really concerned about system security, I'd have a look at the NSA guide for locking down RHEL5. It's a very good jumping-off point for security. Follow that up with a nice healthy dose of the DoD STIG (Security Technical Implementation Guidelines) for the apps you're running and you'll be pretty good.
See -> http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guid... and http://iase.disa.mil/stigs/stig/index.html
I can recommend:
http://www.cipherdyne.com/LinuxFirewalls/
http://cipherdyne.org/fwsnort/
Mario
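The first reply above suggests checking whether the flagged binaries were only rewritten by prelink before trusting the alarm. The script below, added here as an illustration and not code from anyone in the thread, does that triage for each "changed:" entry: it asks rpm which package owns the file and whether the file still matches the package, which on RHEL/Fedora-style systems with the prelink package installed means rpm undoes the prelinking before comparing size and digest. The sample report is constructed to mirror the one Mariusz quoted, and the prelink log and AIDE database paths are the Fedora/RHEL defaults, assumed here rather than stated in the thread.

```shell
#!/bin/sh
# Added example: triage the "changed:" entries of an AIDE report and test the
# benign explanation offered in the thread, prelink. Not code from the thread.
#
# Assumptions: an RPM-based system where the prelink package is installed, so
# "rpm -V" undoes prelinking (rpm's %__prelink_undo_cmd macro) before comparing
# size and digest with the package database. Functions that need rpm or prelink
# skip themselves when the tool is missing, so the text handling runs anywhere.

# Constructed sample shaped like the report quoted above; not real output.
SAMPLE_REPORT='changed: /bin
changed: /bin/tar
changed: /bin/mv
changed: /bin/cp
changed: /bin/ls
changed: /bin/vi'

# Print one path per line for every "changed:" entry of an AIDE report.
changed_paths() {
    printf '%s\n' "$1" | sed -n 's/^changed:[[:space:]]*//p'
}

# From one "rpm -V" line such as "S.5....T    /bin/ls", print the attributes
# that differ from the package database ("S5T"). Columns: S size, M mode,
# 5 digest, D device, L symlink target, U user, G group, T mtime; "." = same.
rpm_verify_diff_flags() {
    printf '%s\n' "$1" | awk '{ gsub(/\./, "", $1); print $1 }'
}

# Classify one changed path. Exit status: 0 explained, 1 suspicious, 2 unknown.
triage_path() {
    path=$1
    if [ -d "$path" ]; then
        # prelink writes a new file and renames it into place, so the
        # directory entry (/bin here) changes along with its binaries.
        echo "$path: directory; expected when files inside it are replaced"
        return 0
    fi
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not found, cannot compare with package database"
        return 2
    fi
    if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path: owned by no package; investigate"
        return 1
    fi
    # A binary only prelink touched verifies clean: no line for it in rpm -V.
    verify=$(rpm -V "$pkg" | awk -v p="$path" '$NF == p')
    if [ -z "$verify" ]; then
        msg="$path ($pkg): matches package after undoing prelink"
        if command -v prelink >/dev/null 2>&1; then
            # md5 of the un-prelinked file, i.e. the value rpm compared against
            msg="$msg; un-prelinked md5 $(prelink --verify --md5 "$path" | awk '{ print $1 }')"
        fi
        echo "$msg"
        return 0
    fi
    echo "$path ($pkg): differs from package in [$(rpm_verify_diff_flags "$verify")]; investigate"
    return 1
}

# Walk a whole report; returns 1 if any entry could not be explained.
triage_report() {
    status=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        triage_path "$p" || status=1
    done <<EOF
$(changed_paths "$1")
EOF
    # Fedora/RHEL default log of the prelink cron job: shows what it rewrote, and when.
    [ -r /var/log/prelink/prelink.log ] && tail -n 20 /var/log/prelink/prelink.log
    return $status
}

# Only once every entry is explained: accept the new state as the baseline.
# Database paths are the Fedora/RHEL defaults from aide.conf; adjust to yours.
accept_baseline() {
    # Recent AIDE releases report the changes they saw through a non-zero exit
    # status even when the new database was written, so do not chain on it.
    aide --update
    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}
```

Run `triage_report "$SAMPLE_REPORT"` against the constructed sample, or `triage_report "$(aide --check)"` on a real system. The point of the rpm check is that it answers the question the thread raises: if the un-prelinked binary still matches the package, the change is prelink's; if rpm reports a digest or size difference, or the file belongs to no package, the alarm deserves the closer look the reply recommends, and the baseline should not be updated until that is resolved.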