Comments on: CentOS 5 and aide

By: toro

toro — Tue, 25 May 2010 22:17:25 +0000

how to disable prelink on centos is described here:

http://www.linuxquestions.org/questions/linux-security-4/aide-prelink-issues-584646/

By: seo

seo — Thu, 11 Mar 2010 14:58:39 +0000

I agree with the prelinking. For the cron job, don’t forget to check whether ‘root’ can execute the job. Also, is it possible to just get the changes in the email and not the entire database?

By: Ceejay

Ceejay — Thu, 24 Sep 2009 07:30:16 +0000

I agree with Tomas Rudén. Prelink creates a lot of false alarms.

By: Anon

Anon — Wed, 26 Aug 2009 21:56:02 +0000

Just change the cron location from weekly to daily, as well as the text of the con script

By: Annand

Annand — Mon, 24 Aug 2009 14:36:02 +0000

Great article. I am trying it out. How can I set it to get daily emails instead of weekly?

By: Tomas Rudén

Tomas Rudén — Thu, 14 May 2009 09:15:52 +0000

It is worth mentioning that Aide doesn’t work well together with prelink. Since prelink modifies several bins and libs on a regular basis you will get a lot of false alarms that you have to check.

I have decided to turn off prelink but I’m curious to know if there are other solutions.

By: Jim Perrin

Jim Perrin — Tue, 13 Jan 2009 18:50:11 +0000

Aide is updating the database, however it’s a little unclear by default exactly what’s going on. You don’t need to worry about database_new. It’s database_out that’s messing with you here.

When you run aide –update, it generates a new aide.db.new.gz file, and compares it against aide.db.gz, just like –check does. The catch is that it’s aide.db.gz that’s used for validation. You must manually move the aide.db.new.gz to aide.db.gz after you update. Setting database_new won’t change this, and aide –update will throw a fit if database and database_out have the same values. This is tricky to most folks, and caught me off guard at first until I noticed the timestamps on the file changing when I was screaming at –update

By: brian

brian — Sat, 10 Jan 2009 00:17:36 +0000

Great article, found it just as I was going to install tripwire.

I’m running into an issue though… I cannot get –update to update the database. It just complains that it found some changes. My config file contains both the “database” and the “database_new” parameters.

What am I missing? Thanks

By: Jon Norwood

Jon Norwood — Wed, 31 Dec 2008 19:24:37 +0000

Thanks for this article – you saved me a ton of time!

By: jeffatrackaid

jeffatrackaid — Sun, 04 May 2008 23:57:17 +0000

1. Don’t forget /dev/shm. I make it noexec,nosuid as well.

3. Chkrootkit is good but I also like rkhunter
http://www.rootkit.nl/

5. PHP: Disable functions. I disable some functions in PHP when possible. Especially things like exec, system, etc.

6. wget/curl/fetch tools. When possible we set these to 700 and owned by root. If end-users need wget I create a “uwget”. This prevents many of the bot-type attacks. Not great but helpful on shared hosting boxes with 100′s of sites managed by the end users.