[Aide] "May not be a directory"
Virolainen Pablo
pablo at cs.tut.fi
Fri Dec 9 14:32:06 EET 2005
On Fri, 9 Dec 2005, Marc Haber wrote:
> Hi,
>
> the aide documentation says in many places that if somebody excludes a
> file mask (such as /var/log/syslog.[0-9]+), a bad guy might create a
> directory /var/log/syslog.999 to hide his rootkit without being
> detected by aide.
>
> _This_ could easily be remedied by having a directive that says
> "ignore any files that match this regexp, but list any directories
> that match this regexp".
>
> How about implementing this in aide?
Well. I don't have any idea. This leads (again) to a discussion about file
attributes to refine matching rules. So it would be possible to say that
this rule matches only files/directories. If so, should 'file'
understand something that is not a file?
Negative rules were designed to exclude proc (and known nfs mounts). For
that it works just fine.
So one would have a rule to match only files
!/var/log/syslog.[0-9]+ p file
and if I want to match only directories
!/var/log/syslog.[0-9]+ p dir
(yes... I know that the file/dir could be expressed like normal p+file,
but later on we might want to add these rule matching attributes, and
we are running out of bits in our 'normal' attributes)
The problem about this approach is that we need to stat the entry before
include/exclude decision can be made. This might be problematic with
jammed nfs mounts.
ps. I'm not saying we shouldn't implement this. I just couldn't imagine
someone would want to use negative rules in such a way.
Duke NEMO / C.O.M.A
alias pablo the pallo virolainen
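The trade-off discussed in this thread, as an added Python example that is not part of the mailing-list post or of AIDE itself: it implements the proposed `!pattern file` / `!pattern dir` semantics (hypothetical syntax, not something AIDE parses) over a constructed temporary tree, and shows that a plain negative rule silently drops a directory named `syslog.999` while a file-only rule still reports it, at the price of an `lstat()` on every entry before the include/exclude decision.

```python
import os
import re
import stat
import tempfile

def compile_rules(rules):
    # rules: [(pattern, kind)]; a leading '!' marks a negative rule and kind is
    # None, 'file' or 'dir' (hypothetical syntax).  Both ends are anchored here.
    return [(re.compile(pat.lstrip("!") + "$"), kind) for pat, kind in rules]

def is_excluded(real_path, virtual_path, compiled):
    # A kind-restricted rule needs lstat() before the decision can be made;
    # that is the cost the reply points out for unresponsive NFS mounts.
    try:
        is_dir = stat.S_ISDIR(os.lstat(real_path).st_mode)
    except OSError:
        return False  # unreadable entry: report it rather than silently hide it
    for rx, kind in compiled:
        if rx.match(virtual_path) and (kind is None or (kind == "dir") == is_dir):
            return True
    return False

def scan(root, rules, virtual_root="/var/log"):
    """Walk `root` as if it were `virtual_root`; return (included, excluded)."""
    compiled = compile_rules(rules)
    included, excluded = [], []
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        keep = []
        for name in dirnames + filenames:
            real = os.path.join(dirpath, name)
            virt = virtual_root + "/" + os.path.relpath(real, root)
            if is_excluded(real, virt, compiled):
                excluded.append(virt)
            else:
                included.append(virt)
                if name in dirnames:
                    keep.append(name)
        dirnames[:] = keep  # do not descend into excluded directories
    return sorted(included), sorted(excluded)

def build_sample_tree():
    """Constructed fixture: rotated logs plus a directory named like one."""
    root = tempfile.mkdtemp()
    for name in ("syslog", "syslog.1", "syslog.2"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "syslog.999"))
    open(os.path.join(root, "syslog.999", "hidden"), "w").close()
    return root
```

Run `scan(build_sample_tree(), [("!/var/log/syslog.[0-9]+", None)])` for today's behaviour and the same call with `"file"` as the kind for the proposed behaviour.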