[CentOS] aide and changes in system

Sun Dec 28 18:36:14 UTC 2008
Mario <mario.mailing.lists at gmail.com>

> On Sun, Dec 28, 2008 at 9:19 AM, Mariusz <settlerk at atp-czesci.pl> wrote:
>> I've checked my system with aide and I've received this information:
>>
>> changed: /bin
>> changed: /bin/tar
>> changed: /bin/mv
>> changed: /bin/cp
>> changed: /bin/ls
>> changed: /bin/vi
>>
>> I don't remember changing those commands; what does it mean? Has somebody
>> broken in, or are those commands changed normally?
>
> This is most likely due to prelink changes (which run as a weekly
> cron) but you should always check things like this out while you're
> getting to know how the system changes and reacts. If it's just those
> apps, I would take a much closer look at your system, since prelink
> should affect more binaries than that.
>
> Always remember that systems like tripwire and aide are essentially
> car or home burglar alarms. It's great for alerting you, but if
> they're activated it's because someone is already in the system. The
> best security is defense in layers. Firewall, deny-hosts or fail2ban,
> selinux, good password or key policies and proper system configuration
> are all key to keeping your system safe.
>
> If you're really concerned about system security, I'd have a look at
> the NSA guide for locking down RHEL5. It's a very good jumping off
> point for security. Follow that up with a nice healthy dose of the DoD
> STIG (Security Technical Implementation Guidelines) for the apps
> you're running and you'll be pretty good.
>
> See -> 
> http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf
> and http://iase.disa.mil/stigs/stig/index.html

I can recommend:

http://www.cipherdyne.com/LinuxFirewalls/

http://cipherdyne.org/fwsnort/

Mario
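The reply above attributes the reported changes to prelink's weekly cron and says to check anyway. The following is an added triage script for that check; it is not from the thread, AIDE, or CentOS. It takes an AIDE report excerpt (constructed here, same shape as the one quoted), undoes prelinking with `prelink -y` and compares the result with a baseline digest, and falls back on `rpm -V` (which undoes prelink itself) when rpm is present. The function names are my own; the optional undo command argument exists so the comparison logic can be exercised with `cat` on a host that has no prelink.

```shell
#!/bin/sh
# Triage "changed:" entries from an AIDE report: is the change explained by
# prelink, or does the file no longer match its known-good content?

# Constructed report excerpt (not a real AIDE run).
AIDE_REPORT='changed: /bin
changed: /bin/tar
changed: /bin/mv
changed: /bin/cp
changed: /bin/ls
changed: /bin/vi'

# Print the paths from "changed:" lines, one per line.
aide_changed_paths() {
  printf '%s\n' "$1" | sed -n 's/^changed: //p'
}

# SHA-256 of stdin, using whichever tool is installed.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
  else openssl dgst -sha256 | sed 's/.*= //'
  fi
}

# Digest of a binary with prelinking undone. "prelink -y FILE" writes the
# un-prelinked image to stdout; any other command may be substituted as $2...
unprelinked_sha256() {
  path=$1; shift
  [ $# -eq 0 ] && set -- prelink -y
  "$@" "$path" | sha256_stdin
}

# Exit 0 when the un-prelinked digest equals the baseline digest, i.e. the only
# change is prelink; exit 1 when the content itself differs.
explained_by_prelink() {
  path=$1; baseline=$2; shift 2
  actual=$(unprelinked_sha256 "$path" "$@")
  [ "$actual" = "$baseline" ]
}

# Exit 0 when rpm has no complaint about the file. rpm -V already undoes
# prelink before comparing digests, so a "5" flag here is a real mismatch.
rpm_verify() {
  rpm -Vf "$1" 2>/dev/null | awk -v p="$1" '$NF == p' | grep -q . && return 1
  return 0
}

# Walk the report. Both prelink and the rpm database live on the same host as
# the suspect files, so treat this as triage; the final word is a digest from
# an offline AIDE database or clean install media.
review_report() {
  aide_changed_paths "$1" | while IFS= read -r p; do
    if [ ! -f "$p" ]; then
      printf '%s: not a regular file, inspect manually\n' "$p"
    elif rpm_verify "$p"; then
      printf '%s: matches package digest once prelink is undone\n' "$p"
    else
      printf '%s: digest mismatch, investigate\n' "$p"
    fi
  done
}

if command -v rpm >/dev/null 2>&1 && command -v prelink >/dev/null 2>&1; then
  review_report "$AIDE_REPORT"
fi
```

If only a handful of binaries show up, as in the thread, the interesting case is a path where `explained_by_prelink` fails against a baseline you trust: that is the point to stop, preserve the file, and compare against media rather than against anything the running system reports.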