Hi, I'm running some database software on a CentOS 4.5 server and I'd like to know if there is any audit software in the CentOS 4.5 CD packages? I need some software to audit all the files on the server, I mean, if someone deletes a file, or changes some permissions on any filesystem, if someone copies files to my server and some of this stuff... keep in mind I'm not looking for an IDS. I just want to audit my server...
thanks in advance
Israel
I believe 'tripwire' is what you're probably looking for, but there may be more recent apps that use some of the new OS features like 'notify' or 'selinux' that may work better.
-Ross
________________________________
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of israel.garcia@cimex.com.cu
Sent: Thursday, October 04, 2007 12:48 PM
To: centos@centos.org
Subject: Auditing software for a CentOS server
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
Actually the built-in 'audit' can do it for you, no need for a separate package:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
________________________________
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross S. W. Walker
Sent: Thursday, October 04, 2007 11:57 AM
To: CentOS mailing list
Subject: [CentOS] RE: Auditing software for a CentOS server

I believe 'tripwire' is what you're probably looking for, but there may be more recent apps that use some of the new OS features like 'notify' or 'selinux' that may work better.
-Ross
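What the kernel audit log adds over an integrity checker is the identity behind each change. The following is an added example, not code from the thread or from the audit package: it pairs SYSCALL and PATH records by event serial number. The log lines are constructed, and the watch key "db-files" and the file paths are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log layout (not from the thread).
# They assume a file watch tagged with the hypothetical key "db-files".
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1191527280.101:310): arch=40000003 syscall=15 success=yes exit=0 auid=500 uid=0 gid=0 comm="chmod" exe="/bin/chmod" key="db-files"
type=PATH msg=audit(1191527280.101:310): item=0 name="/var/lib/mysql/my.cnf" inode=4711 mode=0100644
type=SYSCALL msg=audit(1191527301.550:311): arch=40000003 syscall=10 success=yes exit=0 auid=501 uid=501 gid=501 comm="rm" exe="/bin/rm" key="db-files"
type=PATH msg=audit(1191527301.550:311): item=0 name="/var/lib/mysql/old.sql" inode=4712 mode=0100600
type=SYSCALL msg=audit(1191527355.009:312): arch=40000003 syscall=5 success=no exit=-13 auid=501 uid=501 gid=501 comm="cat" exe="/bin/cat" key="db-files"
type=PATH msg=audit(1191527355.009:312): item=0 name="/var/lib/mysql/db.key" inode=4713 mode=0100600
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial: SYSCALL says who, PATH says which file."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                      # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", "?"))
    return dict(events)

def who_touched(text, key):
    """One (auid, uid, command, success, paths) row per event carrying the key."""
    rows = []
    for _serial, ev in sorted(parse_events(text).items()):
        if ev.get("key") == key:
            # auid is the login uid and survives su/sudo: auid=500 with uid=0
            # means the account that logged in as 500 was acting as root.
            rows.append((ev["auid"], ev["uid"], ev["comm"], ev["success"], ev["paths"]))
    return rows

if __name__ == "__main__":
    for row in who_touched(SAMPLE_LOG, "db-files"):
        print(row)
```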
Aide is another option
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Tripwire is one, chkrootkit is another. Here is a sample output from TW.
/etc/cron.daily/tripwire:

### Warning: File system error.
### Filename: /usr/src/linux
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/inittab
### No such file or directory
### Continuing...
Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Thu 04 Oct 2007 06:49:44 AM PDT
Database last updated on:     Wed 03 Oct 2007 09:56:14 PM PDT

===============================================================================
Report Summary:
===============================================================================

Host name:                    latis
Host IP address:              142.58.207.218
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/latis.twd
Command line used:            /usr/sbin/tripwire --check --quiet --email-report

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Tripwire Data Files             100               0        0        0
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  setuid/setgid                   100               0        0        0
  Other libraries                 66                0        0        0
  Header Files                    66                0        0        0
  Shared Files                    66                0        0        0
  Root file-system executables    100               0        0        0
* System boot changes             100               1        0        8
  Security Control                66                0        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Boot Scripts                    100               0        0        0
  Critical Configuration files    100               0        0        0
  Devices & Kernel information    100               0        0        0
* Root config files               100               0        0        1

Total objects scanned:  28932
Total violations found:  10

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/run/console/root:1"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/log/syslog"
"/var/log/syslog.0"
"/var/log/syslog.1.gz"
"/var/log/syslog.2.gz"
"/var/log/syslog.3.gz"
"/var/log/syslog.4.gz"
"/var/log/syslog.5.gz"
"/var/log/syslog.6.gz"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /usr/src/linux
     No such file or directory
2.   File system error.
     Filename: /etc/inittab
     No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
run-parts: /etc/cron.daily/tripwire exited with return code 5