From: Stacey Roberts
Reply-To: sroberts@dsl.pipex.com
To: Randy Belk
Cc: sroberts@dsl.pipex.com, Volker Kindermann, FreeBSD Questions
Subject: Re: aide-0.7_1 docs?
Date: 11 Aug 2002 19:21:23 +0100
Message-Id: <1029090085.38776.185.camel@Demon.vickiandstacey.com>
In-Reply-To: <20020811090900.T42163-100000@bccs.homeip.net>

Hi Randy,

Great to hear those comments about Samhain. I take it you rate this above the others mentioned in this thread, then. I was thinking of going with something along the lines of portsentry (for the network port monitoring) as well as something along the lines of (what I now believe) samhain. Did the install / config go well? Are there any gotchas for FreeBSD 4.6 Stable that I should be aware of?
I only ask because samhain is *not* mentioned in /usr/ports/security

Stacey

On Sun, 2002-08-11 at 15:25, Randy Belk wrote:
> I have tried tripwire, aide, integrit, and a few others but the
> benefits of samhain are fantastic. It doesn't put a load on my
> Pentium/133, and it does real time fantastic. It can check my setup
> every 20-30 minutes.
>
> Benefits
> - md5's its own binary, and it checks it when it starts and stops
> - can log to a central logging server
> - md5's logs and emails
> - does real time suid checks
> - checks for logins and multiple logins
> - on linux it can check for kernel module rootkits
>
> and many more
>
> The only problem I have found with samhain is the logging. Since
> every log entry is md5'ed, the output is very weird. Also, there is
> not a daily email like aide and tripwire sends, it's real time remember.
>
> On 11 Aug 2002, Stacey Roberts wrote:
>
> > Hi Volker,
> > Thanks for your thoughts and suggestions. I've not looked at the
> > aide docs (as suggested by Dru earlier in the post), and it looks as if
> > I'll only be able to find the URL for the aide docs *after* installing
> > the thing - not happy with that!
> >
> > I'll take a look at samhain today - one thing, is it compatible with
> > FBSD 4.6Stable?
> >
> > Stacey
> >
> > On Sun, 2002-08-11 at 10:50, Volker Kindermann wrote:
> > > Hi Stacey,
> > >
> > > > I used to use tripwire, but found that it didn't *really* do what I
> > > > thought it would (which is provide real-time notification of intrusion
> > > > attempts / hacks).
> > >
> > > I know tripwire and I think it is not intended to do real-time monitoring. I don't know aide but I can imagine that it doesn't have real-time monitoring, too. Please correct me, if I'm wrong.
> > >
> > > Lately I found a tool called samhain (http://la-samhna.de/samhain/) that is able to run as a daemon and therefore does some kind of real-time monitoring. Perhaps you'll give it a try.
> > >
> > > HTH
> > > -volker
> >
> > --
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
>
> --------------------------------------------------
> Microsoft: "Where would you like to go to today"
> Linux: "Where would you like to go tomorrow"
> BSD: "Hey, when are you guys going to catch up"
>
> The BSDway is the only way........................
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Stacey Roberts
B.Sc (HONS) Computer Science
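As an added illustration of what Randy's list of Samhain benefits boils down to (this is example code written for this page, not code from the thread, from Samhain, AIDE or Tripwire): a baseline of per-file digests and mode bits, a later run that reports added, removed and modified files plus any file that newly carries the setuid/setgid bit (the "real time suid checks" point), and a self-check of the checker's own source, which is the "md5's its own binary" point. The baseline file name, the roots scanned and the paths in the usage line are assumptions; SHA-256 is used in place of the MD5 the thread talks about.

```python
#!/usr/bin/env python3
"""Toy host integrity checker in the spirit of samhain/aide/tripwire.

Added illustration only; not samhain code. It builds a baseline of
per-file digests and mode bits, then reports what changed on a later
run, including any file that newly acquired the setuid/setgid bit.
"""
import hashlib
import json
import os
import stat
import sys

# The thread talks about MD5; SHA-256 is the sensible choice today.
DIGEST = "sha256"


def file_digest(path, algo=DIGEST):
    """Digest a file in chunks so large binaries need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Map each regular file under the given roots to digest, mode and size."""
    entries = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                entries[path] = {
                    "digest": file_digest(path),
                    "mode": st.st_mode & 0o7777,
                    "size": st.st_size,
                }
    return entries


def is_set_id(mode):
    """True if the setuid or setgid bit is set in a mode value."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def compare(baseline, current):
    """Return the differences between two snapshots as a dict of lists."""
    report = {"added": [], "removed": [], "modified": [], "new_setid": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old != new:
            report["modified"].append(path)
        # A file that gained the setuid/setgid bit is reported separately,
        # whether it is new or its content is unchanged: a dropped-in
        # setuid shell is the classic post-intrusion artifact.
        if new is not None and is_set_id(new["mode"]) and not (
            old is not None and is_set_id(old["mode"])
        ):
            report["new_setid"].append(path)
    return report


def save_baseline(entries, path):
    # Assumption: the baseline lives somewhere the attacker cannot write
    # (read-only media or a remote host), or it proves nothing.
    with open(path, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def self_check(expected_digest):
    """Compare this script's own source digest with a stored value.

    A checker whose code an intruder can silently replace is worthless,
    which is why samhain checks its own binary at start and stop.
    """
    return file_digest(os.path.abspath(__file__)) == expected_digest


if __name__ == "__main__":
    # usage: integrity.py init|check BASELINE ROOT...   (hypothetical name)
    if len(sys.argv) < 4:
        sys.exit("usage: integrity.py init|check BASELINE ROOT...")
    action, baseline_path, roots = sys.argv[1], sys.argv[2], sys.argv[3:]
    if action == "init":
        save_baseline(snapshot(roots), baseline_path)
    else:
        diff = compare(load_baseline(baseline_path), snapshot(roots))
        for kind, paths in diff.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(diff.values()) else 0)
```

Run it once with `init` on a known-clean system, store the baseline off-box, then run `check` from cron; a non-zero exit means something differs. What it does not do is the daemon-mode, real-time part Volker and Randy describe: that needs a resident process (or kernel file-change notification) rather than a periodic walk.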