neysx 05/11/23 18:02:07

Modified: xml/htdocs/doc/en/security shb-intrusion.xml

Log: #108406 Reflect changes to aide ebuild
Revision Changes Path 1.2 +12 -30 xml/htdocs/doc/en/security/shb-intrusion.xml file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=gentoo plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.2&content-type=text/plain&cvsroot=gentoo diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/security/shb-intrusion.xml.diff?r1=1.1&r2=1.2&cvsroot=gentoo Index: shb-intrusion.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- shb-intrusion.xml 1 Jun 2005 15:43:47 -0000 1.1 +++ shb-intrusion.xml 23 Nov 2005 18:02:07 -0000 1.2 @@ -1,14 +1,14 @@ <?xml version='1.0' encoding='UTF-8'?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.1 2005/06/01 15:43:47 neysx Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.2 2005/11/23 18:02:07 neysx Exp $ --> <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> <!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> +<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> <sections> -<version>1.0</version> -<date>2005-05-31</date> +<version>1.1</version> +<date>2005-11-23</date> <section> <title>AIDE (Advanced Intrusion Detection Environment)</title> 
@@ -283,10 +283,14 @@ </p> <p> -After editing the configuration you should create your db file by executing -<c>aide -i</c> and then copy the file <path>/etc/aide/aide.db.new</path> to -<path>/etc/aide/aide.db</path> and add the check to cron by executing -<c>crontab -e</c> as root. +The AIDE ebuild now comes with a working default configuration file, a helper +script and a crontab script. The helper script does a number of tasks for you +and provides an interface that is a little more script friendly. To see all +available options, try <c>aideinit --help</c>. To get started, all that needs +to be done is <c>aideinit -i</c> and the crontab script should detect the +database and send mails as appropriate every day. We recommend that you review +the <path>/etc/aide/aide.conf</path> file and ensure that the configuration +accurately reflects what is in place on the machine. </p> <note> @@ -294,25 +298,12 @@ this can take some time. </note> -<pre caption="Shedule aide as a cronjob"> -0 3 * * * /usr/bin/aide -u -</pre> - <note> Remember to set an alias so you get roots mail. Otherwise you will never know what AIDE reports. </note> <p> -In this case it runs once at 3am. This is done since I do not want to disturb -the users when they are working. Note I am using the <c>-u</c> (Update) option -instead of the <c>-C</c> (Check). Since <c>-u</c> also checks the files and does -not overwrite the original db file it saves some time since all you need to do -is to copy a file when it detects some changes. Just check the changes to see if -it was you who made the changes instead of some attacker before you copy it! -</p> - -<p> Now there is some risk inherent with storing the db files locally, since the attacker will (if they know that AIDE is installed) most certainly try to alter the db file, update the db file or modify <path>/usr/bin/aide</path>. So you 
@@ -336,11 +327,6 @@ it use the following examples. </p> -<pre caption="Add a user snort to the system"> -# useradd snort -d /var/log/snort -s /dev/null -# chown -R snort /var/log/snort -</pre> - <pre caption="/etc/conf.d/snort"> PIDFILE=/var/run/snort_eth0.pid MODE="full" @@ -453,10 +439,8 @@ </body> </section> - <section> <title>Detecting malware with chkrootkit</title> - <body> <p> @@ -483,6 +467,4 @@ </body> </section> - - </sections> -- [email protected] mailing list
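Review bot: the first hunk (@@ -1,14) changes the license link from CC-BY-SA 1.0 to 2.5 alongside the version and date bump, but the log line only says "Reflect changes to aide ebuild"; a license change on a published document merits its own mention in the commit message so it can be found later.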
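Review bot: the replacement paragraph in the @@ -283 hunk tells the reader to run <c>aideinit -i</c> and that "the crontab script should detect the database and send mails as appropriate every day", but it never names the crontab script or says how to confirm it is installed and active, whereas the removed text gave a concrete cron entry the reader could check against. Suggest naming the file the ebuild installs and adding one sentence on how to verify it is scheduled (for example by listing root's crontab), so the reader can tell the daily check is actually running instead of assuming it.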
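Review bot: dropping the <c>-u</c> paragraph in the @@ -294 hunk also drops the one operational instruction that matters most when the database is stored locally: review the reported changes and confirm they were yours before accepting a new database. The new text only promises mails "as appropriate"; keep a sentence to the effect of "check the reported changes before updating the database". Two smaller points in the same hunk: the following paragraph now opens with "Now there is some risk", a "Now" that read on from the deleted paragraph and should go, and the retained note still says "roots mail" where "root's mail" is meant.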
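Review bot: the @@ -336 hunk removes the "Add a user snort to the system" block (the <c>useradd</c> and <c>chown -R snort /var/log/snort</c> lines) from the Snort section, yet the commit message covers only the aide ebuild and the lead-in sentence "use the following examples" is left unchanged. If the Snort ebuild now creates the user and the log directory, say so in the text so the reader is not left wondering who owns <path>/var/log/snort</path>; if it does not, the step has to stay. In either case the Snort change belongs in the log line.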
