And you already have the network or the host-based intrusion detection system in your Linux environment. Once again, welcome to FOSSASIA 2016 Singapore. Now, we have one agenda for today. And I'm not gonna be wasting much of your time deploying this one. It's very easy. And according to Verizon's 2015 cyber report, this is where the attacks are coming from. And we all know that in any security, the weakest link is us. And I don't know where social engineering would fall under that one, maybe under miscellaneous or privilege misuse, which is 10.6%. And it's very important to have this kind of solution in our environment, especially on the Linux side. If we rely too much on the firewall, on the network-based intrusion detection system, what if the breach has been escalated inside? Or I would say, if you have a flat network, anybody who has hacking knowledge could penetrate your environment, especially production, maybe a financial system or not. And as what I've told you, it's very simple. I made it very simple for you guys. So the problem with us is, when we see any solution, when we see the how-to's or the steps, some of us may get into the lazy mode. So this one is very practical, and in just less than five minutes, as what I've told you earlier, you're done. Okay, AIDE is not a network intrusion detection system, meaning it's more passive rather than active. So that's why it's not real-time detection. But as you all know, for us in Linux administration, it's very easy to put it in a cron, scheduled every minute, every hour, whatever you want, to run on the system and send an email to you. It's not a rootkit hunter, a malware detection program. It's not an antivirus. This is just, this is the command. No more, no less. And I have made a recording. I recorded this one, so I would not be wasting much of your time, because I know that you're tired and maybe sleepy or something. So I have recorded this one in my VMware.
So this one you could skip, the prelinking, because when I deploy this one to another environment, the prelinking just shows up. But you could totally ignore this one. Okay? And first things first, if you're connected to the internet, it's as simple as yum. And that's it. It will not take you more than around two minutes. Okay? So this one is already installed, so that's why it's showing. But after this one, just two minutes or less. Initialize. This is the first step that you may need to do after the installation. Okay? To initialize AIDE, the database. And this is the main directory of AIDE, in /var/lib/aide. After the initialization, you would see that a database has been initialized. But the problem is this file name: AIDE does not recognize it. So we need to rename it. Okay? And what's the name? You will see it. So that's the name. You just take out that .new. Okay? And that's it. You already have the database for your AIDE. And then we need to check if the database looks okay. So it looks okay. No problem at all. Because it's just very straightforward. Install, initialize, rename the database so that AIDE would be able to read it. And then update. Okay? So that db.new will not be recognized. So you could delete that one or rename it to without that .new. And then, as what I've told you earlier, we could schedule the task in cron. So whichever you want, what time do you want to run it? And if you want to set the email so that it would automatically send to your email for reporting, send. You could put that in the cron. Even using Tripwire; Tripwire is the commercial base of AIDE. Okay? But it's not cheap. The tool is good, but it's not cheap. Okay? This one is the free version. And it's working the same way. Okay? File integrity check. So whenever the intruder checks the file or puts a new password, creates a new user, it will detect. And it will send an email. Okay? So that's the installation and putting it up in the cron.
And to demonstrate to you what exactly it does, it is this. Now, this is the AIDE configuration file. If you will see, there's already that one that's being highlighted. If you want to tweak it or create your own file, you must not remove that one. You should copy and paste to that new file. And as best practice, create a copy of the original configuration file. Just in case something goes wrong, there's a backup solution or revert. Okay? And these are the default rules. p+i+n+u+g+s, which is permission, inode has been changed, number of links, user has been changed, group, size. And FIPSR is just a codename. Actually, you can put your name and then the letters that are the rule. So this one, NORMAL, equals FIPSR and sha512, which is above. And I've made my own rule under it, for everything that would change. Okay? Everything that would change on these files, /etc/passwd, /etc/sudoers, /etc/aide.conf: if somebody knows how to change this one or modify this one, so at least you could determine and trace. Okay? This one is just for demonstration, the /home/test. Okay? So I just did this one, my rule. Okay? And later I'll show it to you in the actual configuration. Okay? So assuming that this file is not yet present. Okay? The test and the sample. So it will show you later in that report, it will show you that a file from /home/test has been created. Okay? And also the sample. So I put a comment in the sample file and I've changed it. So just to POC, proof of concept, of what this is doing and what Tripwire is doing. It's just very similar. Okay? After this one you could check Tripwire, you could ask for a quotation and ask them how much, versus the FOSS. And I changed the ownership. And I have changed the file also for aide.conf. So let's see if it will be detected, and this is the file to check. Actually, aide, just executing aide should be fine. Okay? So it has detected some files that have been changed. Okay?
It says that /home/sample has been added and also the test. And there is one file that has been changed. I assume that would be aide.conf. Okay? So, and this is the one that has been changed. The permission has been changed. What time? Access time and the change time. So that's how AIDE is working. So it's very simple. That's it. We just installed it earlier. We just initialized. We changed the database name and we POC'd some changes, then it's already detected. Okay? It's very easy. So /etc/passwd has been changed also. If you would see the hash. Okay? So it's quite easy. And after the update, the changed files have been reported as 3. Okay? Which is this one. Now just for the advice: do not assume anything, that everything is secured. Do not rely on the network intrusion detection system, the firewall that we have in the company. Trust no one. Okay? That's the problem that we have under the social engineering. Okay? So paranoia is your friend. Always think: is my system secured? Okay? We don't stop after this one, after deploying this one, we don't stop there. Okay? There are always different ways we need to lock down our system, using iptables as in Linux and whatever security that we have. Okay? But some are not free. Okay? Question. Any question regarding this one? This is just the steps. Okay? Question. Yes, please.

Is it available for the Raspberry Pi?

Could be, I mean there's one, because I saw some Ubuntu also for this one. So maybe for the Raspberry it could be available. Right? Yes, please.

How does it compare to OSSEC?

OSSEC is also a file integrity checker. So I haven't, honestly I haven't checked that one, because the one that I deployed, and after this one I asked the InfoSec guy, we are paying so much every year for Tripwire, so we have changed to this one, but OSSEC I haven't tried it yet. Yeah. Another question. So it's very simple. Okay? No need for training or whatsoever.
Tripwire, if you will see, they have the five days training. Three days for the operators training and two days for the management training. How to manage Tripwire itself, because you need to install so many things. Okay? If your system is open for SOX audit, PCI DSS and otherwise ISMS certification, so you need to install that one. Okay? If you run OpenSCAP, it will be detected if you install this one, AIDE. AIDE, Tripwire and others; I think OSSEC, I saw it there. Yeah. If there's no question, so thank you so much for your time, and okay. You could approach me if you have any other question.
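The init / check / update cycle the talk walks through, reduced to a toy implementation so the mechanics are visible. This is an added example, not the speaker's recorded demo and not AIDE's code: it records the same attribute letters AIDE rules use (the talk's p+i+n+u+g+s plus sha512) for every file under a directory, then replays the talk's proof of concept on a constructed temporary tree (two files added under home, aide.conf permissions changed, a line appended to passwd). Real AIDE does the same work with `aide --init`, a rename of the new database into place (on RHEL/CentOS, /var/lib/aide/aide.db.new.gz to aide.db.gz), `aide --check` and `aide --update`; the file layout and contents below are constructed for the example.

```python
"""Toy file-integrity checker modelled on AIDE's init / check / update cycle.
Added example: not AIDE's code and not the speaker's demo."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attribute letters borrowed from AIDE rule syntax (the talk's p+i+n+u+g+s and sha512):
# p permissions, i inode, n link count, u owner uid, g group gid, s size, sha512 content hash.
RULE = ("p", "i", "n", "u", "g", "s", "sha512")


def snapshot_file(path: Path) -> dict:
    """Record the RULE attributes of one file; hash only regular files."""
    st = path.lstat()
    attrs = {
        "p": stat.S_IMODE(st.st_mode),
        "i": st.st_ino,
        "n": st.st_nlink,
        "u": st.st_uid,
        "g": st.st_gid,
        "s": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        attrs["sha512"] = hashlib.sha512(path.read_bytes()).hexdigest()
    return attrs


def init_db(root: Path) -> dict:
    """Like 'aide --init': one attribute record per file, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            db[full.relative_to(root).as_posix()] = snapshot_file(full)
    return db


def check(root: Path, db: dict) -> dict:
    """Like 'aide --check': diff the live tree against the stored database."""
    live = init_db(root)
    changed = {}
    for rel in sorted(set(live) & set(db)):
        diff = [k for k in RULE if db[rel].get(k) != live[rel].get(k)]
        if diff:
            changed[rel] = diff  # which attribute letters moved, in rule order
    return {
        "added": sorted(set(live) - set(db)),
        "removed": sorted(set(db) - set(live)),
        "changed": changed,
    }


def update(root: Path, db: dict) -> tuple:
    """Like 'aide --update': report against the old database, then hand back a fresh
    one (the equivalent of the aide.db.new that the talk renames into place)."""
    return check(root, db), init_db(root)


def summary(report: dict) -> str:
    """One-line summary in the spirit of AIDE's report header."""
    return "Added files: {}  Removed files: {}  Changed files: {}".format(
        len(report["added"]), len(report["removed"]), len(report["changed"]))


def demo() -> dict:
    """Replay the talk's proof of concept on a constructed temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "home").mkdir()
        passwd = root / "etc" / "passwd"
        conf = root / "etc" / "aide.conf"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        conf.write_text("NORMAL = FIPSR+sha512\n/etc NORMAL\n")  # constructed content
        conf.chmod(0o644)  # pin the baseline mode so the demo ignores the umask

        db = init_db(root)  # baseline, as after 'aide --init' and the rename

        # The changes from the talk: two new files under home, aide.conf
        # permissions altered, and a new user line appended to passwd.
        (root / "home" / "test").write_text("created later\n")
        (root / "home" / "sample").write_text("# comment\n")
        conf.chmod(0o600)
        with passwd.open("a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/bash\n")

        first, db = update(root, db)  # report the changes, then accept them
        second = check(root, db)      # the refreshed database is clean again
        return {"first": first, "second": second, "summary": summary(first)}


if __name__ == "__main__":
    result = demo()
    print(result["summary"])
    for rel, attrs in result["first"]["changed"].items():
        print(f"changed: {rel} ({'+'.join(attrs)})")
```

The changed-attribute list is what makes the report useful to an operator: a bare `p` on aide.conf says only the mode moved, while `s` and `sha512` on passwd say the contents grew, which is the "new user created" case the talk wants to catch. Scheduling `check` from cron and mailing the summary mirrors the speaker's cron-plus-email setup.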