Skip to main content

AIDE - Advanced Intrusion Detection Environment

Been testing my new Oracle Linux stack based on RHEL 5.3. We have a lot of problems with sysops and admins editing files to fix problems. Only recently we started using subversion for release management so we can check for specific versions and verify the (unmodifed) integrity on files. Subversion will also let those sysops and admins commit their changes back into subversion, so changes get documented, verified, discussed and distributed through bug fix releases.

However, OEL/RHEL 5 comes bundled with AIDE - Advanced Intrusion Detection Environment and I've started running tests on my test servers.

When you initialize the AIDE database as part of the final post installation steps, you run aide -i. This creates base reference database - aka snapshot - of all files that you use later on for any modifications. Using aide -u you update that db.

Small problem is that you may a lot of lgetfilecon_raw failed errors. In my case, this had to do SELinux being disabled and aide checking for it. Editing the /etc/aide.conf file and removing all references to selinux there, then reinitializing the database fixed that. Don't forget to copy the newly initialized db!

Comments

Popular posts from this blog

Preventing PuTTY timeouts

Just found a great tip to prevent timeouts of PuTTY sessions. I'm fine with timeouts by the host, but in our case the firewall kills sessions after 30 minutes of inactivity... When using PuTTY to ssh to your Linux/Unix servers, be sure to use the feature to send NULL packets to prevent a timeout. I've set it to once every 900 seconds, i.e. 15 minutes... See screenshot on the right.

Tuning the nscd name cache daemon

I've been playing a bit with the nscd now and want to share some tips related to tuning the nscd.conf file. To see how the DNS cache is doing, use nscd -g. nscd configuration: 0 server debug level 26m 57s server runtime 5 current number of threads 32 maximum number of threads 0 number of times clients had to wait yes paranoia mode enabled 3600 restart internal passwd cache: no cache is enabled [other zero output removed] group cache: no cache is enabled [other zero output removed] hosts cache: yes cache is enabled yes cache is persistent yes cache is shared 211 suggested size 216064 total data pool size 1144 used data pool size 3600 seconds time to live for positive entries 20 seconds time to live for negative entries 66254 cache hi...

Dell Linux - OMSA Hardware Monitoring

Just getting started using Dell's OpenManage Server Administrator (OMSA) on our Oracle Linux platform. There are some confusing instructions going around so it's not immediately clear what to do, hence my blogging here. :) There is a site on Dell - Hardware Monitoring , as well as a wiki with instruction on how to setup their OMSA tooling using yum or up2date. [update]My first update for their instructions: be sure your server has Internet access, as most servers will use a proxy or so. use export http_proxy=http://yourproxy.example.com:port to configure it just for the session, and setup up2date to use an HTTP proxy by editing the settings in /etc/sysconfig/rhn/up2date .