From: Dru <dlavigne6@cogeco.ca>
To: sroberts@dsl.pipex.com
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: aide-0.7_1 docs?
Date: Sat, 10 Aug 2002 18:16:40 -0400 (EDT)
In-Reply-To: <1029016162.38776.111.camel@Demon.vickiandstacey.com>
Message-ID: <20020810180914.Y9801-100000@x1-6-00-80-c8-3a-b8-46>

On 10 Aug 2002, Stacey Roberts wrote:

> Hello,
> I'm trying to find a simple-to-use / simple-to-manage intrusion
> detection system.
>
> I came across aide-0.7_1 in the ports collection, and thought I'd like
> to find out more about this. However, attempts at accessing more
> information via the link to "Main website" only take me to
> http://www.cs.tut.fi/~rammer/ where Mr. Rammer has almost everything
> under the Sun, *except* information on aide.
>
> Is anyone out there actually using aide? Could you point me to where I
> might find the docs that come with it, please?

"man aide" and "man aide.conf" appear to be it. However, I've found that
compared to tripwire or integrit, aide was the easiest to configure and
even ran "out of the box" with no changes to the sample config.
I simply cronned it and made changes to the config file as I received
output I didn't want to receive. Here are my usage notes:

    cd /usr/ports/security/aide        /* tripwire replacement */
    make install clean
    man aide.conf
    /var/adm/aide/databases/           /* databases will be stored here */
    cp /usr/local/etc/aide.conf.sample /var/adm/aide/aide.conf
        and configure to your needs (works out of the box but has
        additional tweaks)
    aide -i                            /* initialize aide.db.new */
    mv /var/adm/aide/databases/aide.db.new /var/adm/aide/databases/aide.db
    aide --check                       /* checks database */
    aide --update                      /* updates database */

- update creates aide.db.new (ascii text), so move it to aide.db as it is
  now your new baseline
- you will need to gzip it if you want to store it on a floppy; you should
  store the database on read-only media
- cron /usr/local/bin/aide --check

HTH,

Dru
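An added example, not part of Dru's post or the AIDE project: a small sh wrapper for the cron step in the notes above. Before each check it confirms the working aide.db on writable disk still matches the gzipped copy kept on read-only media (the mount point /mnt/floppy, the md5/md5sum helper and the /usr/local/bin/aide location are assumptions), and it rotates aide.db.new into place after aide -i or aide --update.

```shell
#!/bin/sh
# Added example, not from the original post or the AIDE project. Paths follow
# Dru's notes; AIDE and RO_MEDIA (read-only media mount point) are assumptions.
AIDE=${AIDE:-/usr/local/bin/aide}
DB_DIR=${DB_DIR:-/var/adm/aide/databases}
RO_MEDIA=${RO_MEDIA:-/mnt/floppy}

# Portable md5 digest (FreeBSD has md5 -q, Linux has md5sum).
sum_file() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1; fi
}

# Copy the accepted baseline to read-only media, gzipped as the post
# suggests, with its digest. Run once after each accept, media writable.
store_baseline() {
    gzip -c "$DB_DIR/aide.db" > "$RO_MEDIA/aide.db.gz" || return 1
    sum_file "$DB_DIR/aide.db" > "$RO_MEDIA/aide.db.md5"
}

# Before each check, confirm the working baseline on writable disk still
# matches the read-only copy: a baseline an intruder rewrote would make
# aide --check silently approve exactly the files they changed.
verify_baseline() {
    [ -f "$RO_MEDIA/aide.db.md5" ] || return 1
    [ "$(cat "$RO_MEDIA/aide.db.md5")" = "$(sum_file "$DB_DIR/aide.db")" ]
}

# Promote aide.db.new (from aide -i or aide --update) to the baseline,
# keeping the previous one under a timestamped name.
accept_baseline() {
    [ -f "$DB_DIR/aide.db.new" ] || return 1
    if [ -f "$DB_DIR/aide.db" ]; then
        mv "$DB_DIR/aide.db" "$DB_DIR/aide.db.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mv "$DB_DIR/aide.db.new" "$DB_DIR/aide.db"
}

# Cron entry point: refuse to check against a baseline that no longer matches
# the read-only copy (exit 2); otherwise run aide --check, passing its status on.
cron_check() {
    if ! verify_baseline; then
        echo "aide baseline in $DB_DIR does not match copy on $RO_MEDIA" >&2
        return 2
    fi
    "$AIDE" --check
}

case "$1" in store) store_baseline ;; accept) accept_baseline ;; check) cron_check ;; esac
```

Install it as the cron job with the `check` argument, run `accept` then `store` (with the media mounted writable) each time you deliberately rebuild the baseline, and remount the media read-only afterwards.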