AIDE/Tripwire (was: Re: was there an advertised ETA for the next beta?)

Michael Schwendt ms-nospam-0306 at arcor.de
Tue Aug 12 05:24:31 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 11 Aug 2003 17:40:07 -0500, Kyle Maxwell wrote:

> I'd really like to see Tripwire (or AIDE) back in. I think a host-based
> IDS like this with a reasonable default would be a nice addition. I
> understand that it was yanked due to developer resource constraints, but
> maybe this is where the community involvement comes in.

Packaging mhash and AIDE wouldn't be a problem. 

But what is your experience with AIDE? I have had it on my watch-list for
some time, as a replacement for Tripwire (which doesn't seem to have been
actively maintained for a long time, last release March 3rd, 2001).
Based on my first try and various reports on the net (e.g. Debian's), I
think AIDE has quite some bugs and there may be more sleeping ones.
IIRC, I also tried a rebuilt rpm from Mandrake Contrib and got
unexpected errors upon running "aide -check" (I think, open_dir() failed
on lots of files below /usr/share). Additionally, the Debian package
includes several fixes as well as helper scripts in several languages.
Raises the question, how much package enhancement would be desired? And
what helper scripts would the average user want/need?

Concerning Tripwire, if it still compiles, probably the most work would
go into creating a default policy file that covers all or at least the
most important parts of the distribution. I don't know how Red Hat have
created the default file, but it *might* be an idea to automate it based
on the files listed in rpmdb-redhat.

- -- 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/OHoP0iMVcrivHFQRAgILAJ9c31KLCIFHj3ZpJS+oAmW+lXxNQACeI0Bv
P42xZqvHbVZpsIgd1l52UNY=
=T0A6
-----END PGP SIGNATURE-----
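
The idea in the last paragraph, generating Tripwire policy rules from the package database's file lists, sketched as an added example that is not part of the original message and not Red Hat's method. Assumptions: the input is "path<TAB>fflags" lines such as an `rpm` query with `[%{FILENAMES}\t%{FILEFLAGS:fflags}\n]` would print, the sample listing is constructed, and the mapping of file flags to the predefined `ReadOnly` and `Dynamic` property masks is one possible choice.

```python
# Added example: derive Tripwire policy rules from an RPM file listing.
# Assumed input: one "path<TAB>fflags" line per packaged file, where fflags
# uses rpm's letters (c = config, g = ghost, d = doc, n = noreplace).

# Constructed sample listing (not taken from a real rpmdb).
SAMPLE = """\
/bin/ls\t
/etc/passwd\tc
/etc/ssh/sshd_config\tcn
/usr/share/doc/aide/README\td
/var/log/wtmp\tg
/usr/sbin/sshd\t
/etc/passwd\t
/usr/share/my "odd" file\t
"""

# When two packages list the same path, the looser treatment wins.
RANK = {"ReadOnly": 0, "Dynamic": 1, None: 2}

def classify(fflags):
    """Choose a predefined Tripwire property mask for one file."""
    if "g" in fflags:
        return None        # ghost: no packaged content to compare against
    if "c" in fflags:
        return "Dynamic"   # config files are expected to be edited locally
    return "ReadOnly"      # binaries, libraries, docs should not change

def quote(path):
    """Double-quote the object name so spaces, quotes or ';' in a
    filename cannot alter the structure of the generated policy."""
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_rules(listing):
    chosen = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        path, _, fflags = line.partition("\t")
        mask = classify(fflags)
        if path not in chosen or RANK[mask] > RANK[chosen[path]]:
            chosen[path] = mask
    return ["%s -> $(%s);" % (quote(p), m)
            for p, m in sorted(chosen.items()) if m is not None]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE)))
```

Files that change legitimately after installation (logs, databases, anything created by scripts rather than shipped in a package) are not in the package file lists and would still need hand-written rules.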




