FIDS - File System Integrity Checkers...

Folks, I'm lokking for info about FIDS(File System-based IDS) in order to track file system changes (executable, library, shell scripts, ....) in order to "guaranty*" my file system integrity.
As a good AO member ;) I have performed a quick search on google and I found the following list of tools:
- AIDE (Advanced Intrusion Detection Environment)
- chkrootkit
- Dragon Squire
- FCheck
- integrit
- samhain
- ....

I didn't intentionnaly include TripWire bcoz its commercial. Did I mention that I'm looking for an open sourtce for Linux?

I'm sure some AOs have experienced such tools, could u give personnal feedback!
u'll make my day :) !

thanx

*some will say that we can't guaranty anything since some attackers could compromise the host and change log files but .... :D

i used most of the tools you mentioned above, but tripwire is what i use right now and no they have an open source version of tripwire. check www.tripwire.org (i had to edit this since when i typed in tripwire.org without the www sent me to somewhere else, damn dns!). you should be able to find previous rpms/tarballs for this.

-w0rm3y

Try http://sourceforge.net/projects/tripwire/ <-- official sourceforge and kept up to date.

Other than the ones you've mentioned, I don't know of any others. I've used Tripwire before and my students use it in their Advanced class to muck around with. (Although I'm hearing rumblings from some of problems with Slack 9 and SourceForge Trip)..

Thanx folks. Good to know
Tripwire is available in open source!

I never used it but with a quick look at it; it seems a bit painful to use:
- Tell me if I'm wrong but it seems that config require to specficy file per file that need to be checked. Can't we do smth like any executable, library, ...
And what type of check does it performs a checksum or file size.

Maybe the best is to give a try....

Tripwire is the most popular now, but AIDE is supposed to be better. You should know that if you are hacked any hacker will just modify or delete the database once getting root. To prevent that you can put it on a write protected floppy if it will fit... or a CD. I'd use a FIDS and chkrootkit. After it is installed you run it to create the database of hashes and then after that you can run it periodically so it will create the hashes again and compare them to the hashes in the database. If any hashes are changed then it will alert you. How to install and use it is in the manual, install, or readme files. After reading those it shouldn't be so complicated ;)

I ran into a tut for Tripwire somewhere. Sorry I can't think of it now, but I will post it for all to see when I find it. It's not my tut, but why reinvent the wheel if it's in a good format. I will find it and post it with the source so that you will have something else additional as a resource.

Ok, I remembered where I saw the article/introduction to Tripwire for Linux. The link is below:

http://www.security-forums.com/forum...light=tripwire

cheers T2K2,
I thought Tripwire was also a NIDS.

Thanx all for sharing

Quote:

---

Originally posted here by Networker
Folks, I'm lokking for info about FIDS(File System-based IDS) in order to track file system changes (executable, library, shell scripts, ....) in order to "guaranty*" my file system integrity.
As a good AO member ;) I have performed a quick search on google and I found the following list of tools:
- AIDE (Advanced Intrusion Detection Environment)
- chkrootkit
-

---

I am using AIDE (install from ports on FreeBSD ) http://www.cs.tut.fi/~rammer/aide/manual.html and chkrootkit http://www.chkrootkit.org/ on my BSD laptop, specially chkrootkit it's really cool.. (tip: always check out their manual..its very helpfull.. manual it's my best friend :) ).


Cheerrs


Annya

Hey folks another question about AIDE and Tripwire.
Is there a features that provides alarm to a remote manager such as SNMP traps?