I was considering installing tripwire on a CentOS 5.1 install but I happened upon an article about 'aide', which also notifies the system admin about changes to core files (and thus possible intrusions). Of course, any genuine newly installed software may also trigger differences in the aide database.
yum install aide
/usr/sbin/aide --init
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
/usr/sbin/aide --check
Create a cron job:
vi /etc/cron.weekly/aide_check.sh
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "Hostname Weekly Aide Data" email@host.com
I got this info from this article.
If you get error messages such as:
File /usr/sbin/filename in databases has different attributes, 300000bbf,200000bbf
Check that you have the correct aide.conf file and, if you have run aide --init against that aide.conf, that you have copied the aide.db.new.gz to aide.db.gz.
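A variant of the weekly cron job above that keeps the exit status of aide --check (the pipe into mail discards it) and puts the result in the mail subject. This is an added example, not part of the original post or the article it cites; the function names are hypothetical, the exit status meanings are taken from the aide(1) man page, and email@host.com is the same placeholder address used above.

```shell
#!/bin/bash
# Added example: weekly AIDE check that reports what kind of change was found.
# Per aide(1), the exit status of --check is a bitmask:
#   1 = new files, 2 = removed files, 4 = changed files; 14-19 are errors.

AIDE=/usr/sbin/aide
MAILTO="email@host.com"   # placeholder address, as in the post

# aide_summary STATUS -> one-line description of an `aide --check` exit status
aide_summary() {
    local rc=$1 parts=""
    if [ "$rc" -eq 0 ]; then echo "no differences"; return; fi
    if [ "$rc" -ge 8 ]; then
        case "$rc" in
            14) echo "error: writing error" ;;
            15) echo "error: invalid argument" ;;
            16) echo "error: unimplemented function" ;;
            17) echo "error: invalid configuration line" ;;
            18) echo "error: I/O error" ;;
            19) echo "error: version mismatch" ;;
            *)  echo "error: unexpected exit status $rc" ;;
        esac
        return
    fi
    # Statuses 1-7: decode the bitmask into a comma-separated list.
    [ $((rc & 1)) -ne 0 ] && parts="new files"
    [ $((rc & 2)) -ne 0 ] && parts="${parts:+$parts, }removed files"
    [ $((rc & 4)) -ne 0 ] && parts="${parts:+$parts, }changed files"
    echo "$parts"
}

# Run the check, capture report and status, and mail both.
run_weekly_check() {
    local out rc
    out=$("$AIDE" --check 2>&1)
    rc=$?
    printf '%s\n' "$out" |
        /bin/mail -s "$(hostname) weekly AIDE: $(aide_summary "$rc")" "$MAILTO"
    return "$rc"
}

# Only run where AIDE is installed; otherwise do nothing.
if [ -x "$AIDE" ]; then
    run_weekly_check
fi
```

A subject reading "error: invalid configuration line" points at the aide.conf problem described above rather than at a change on disk.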