> On Sun, Dec 28, 2008 at 9:19 AM, Mariusz <settlerk at atp-czesci.pl> wrote:
>> I've checked my system by aide and I've received information:
>>
>> changed: /bin
>> changed: /bin/tar
>> changed: /bin/mv
>> changed: /bin/cp
>> changed: /bin/ls
>> changed: /bin/vi
>>
>> I don't remember that I changed those commands, what does it mean?
>> Somebody broke in? Or are those commands changed normally?
>
> This is most likely due to prelink changes (which run as a weekly
> cron) but you should always check things like this out while you're
> getting to know how the system changes and reacts. If it's just those
> apps, I would take a much closer look at your system, since prelink
> should affect more binaries than that.
>
> Always remember that systems like tripwire and aide are essentially
> car or home burglar alarms. It's great for alerting you, but if
> they're activated it's because someone is already in the system. The
> best security is defense in layers. Firewall, deny-hosts or fail2ban,
> selinux, good password or key policies and proper system configuration
> are all key to keeping your system safe.
>
> If you're really concerned about system security, I'd have a look at
> the NSA guide for locking down RHEL5. It's a very good jumping off
> point for security. Follow that up with a nice healthy dose of the DoD
> STIG (Security Technical Implementation Guidelines) for the apps
> you're running and you'll be pretty good.
>
> See ->
> http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf
> and http://iase.disa.mil/stigs/stig/index.html

I can recommend you:

http://www.cipherdyne.com/LinuxFirewalls/
http://cipherdyne.org/fwsnort/

Mario
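
One way to follow up on the "changed:" entries discussed in the thread, as an added example that is not part of the original messages: each flagged path is compared against the digest recorded for its owning RPM package, so an expected change is told apart from a real mismatch. The function names are hypothetical, and the script assumes that rpm verification on this platform accounts for prelinking.

```shell
#!/bin/sh
# Added example: triage AIDE "changed:" entries on an RPM-based system.
# Function names are hypothetical. If the host itself is suspect, run rpm from
# trusted media: a tampered rpm binary or database makes this check worthless.

# Constructed sample input: the report lines quoted in the thread.
SAMPLE_REPORT='changed: /bin
changed: /bin/tar
changed: /bin/mv
changed: /bin/cp
changed: /bin/ls
changed: /bin/vi'

# Print the path from each "changed:" line of an AIDE report read on stdin.
changed_paths() {
    sed -n 's/^changed:[[:space:]]*//p'
}

# Print one verdict for a path:
#   dir          directory; it changes whenever an entry in it is replaced
#   missing      path no longer exists
#   no-rpm       rpm is not available, nothing to compare against
#   unowned      no package owns the file, so there is no reference digest
#   pkg-ok       digest matches the owning package
#   pkg-mismatch digest differs from the owning package: investigate
classify_path() {
    _p=$1
    if [ -d "$_p" ]; then echo dir; return 0; fi
    if [ ! -e "$_p" ]; then echo missing; return 0; fi
    if ! command -v rpm >/dev/null 2>&1; then echo no-rpm; return 0; fi
    if ! rpm -qf "$_p" >/dev/null 2>&1; then echo unowned; return 0; fi
    # rpm -Vf verifies the whole owning package; keep only this file's line.
    # Assumption: rpm's prelink-undo macros are at their distribution defaults,
    # so a binary that was only prelinked does not show a digest mismatch.
    _line=$(rpm -Vf "$_p" 2>/dev/null | awk -v f="$_p" '$NF == f')
    case ${_line%% *} in
        *5*) echo pkg-mismatch ;;   # "5" in the flags column = digest differs
        *)   echo pkg-ok ;;
    esac
}

# Read an AIDE report on stdin and print "verdict path" for every changed entry.
triage_report() {
    changed_paths | while IFS= read -r _path; do
        printf '%-14s %s\n' "$(classify_path "$_path")" "$_path"
    done
}
```

Feed it a saved report, for instance `triage_report < aide-report.txt` (the file name is a placeholder). A `dir` verdict for `/bin` is expected whenever a file inside it was replaced.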