[Aide] "May not be a directory"

Marc Haber mh+aide at zugschlus.de
Sat Dec 10 15:35:26 EET 2005


On Fri, Dec 09, 2005 at 02:32:06PM +0200, Virolainen Pablo wrote:
> On Fri, 9 Dec 2005, Marc Haber wrote:
> > the aide documentation says in many places that if somebody excludes a
> > file mask (such as /var/log/syslog.[0-9]+), a bad guy might create a
> > directory /var/log/syslog.999 to hide his rootkit without being
> > detected by aide.
> >
> > _This_ could easily be remedied by having a directive that says
> > "ignore any files that match this regexp, but list any directories
> > that match this regexp".
> >
> > How about implementing this in aide?
> 
> Well. I don't have any idea. This leads (again) to a discussion about file 
> attributes to refine matching rules.

Yes, that approach is more general indeed.

> So it would be possible to say that 
> this rule matches only to files/directories. If so, should 'file' 
> understand something not a file?

IMO, if this is implemented, it probably should support all kinds of
inode type (file, directory, link, socket, block special, character
special come to mind). aide would have to worry about combinations as
well, so that it is possible to express things like "it is ok to have
/var/foo either a plain file or a symbolic link, but not a directory".

> Negative rules were designed to exclude proc (and known nfs mounts). For 
> that it works just fine.

I am actually wondering about selection rules that should apply for
files, but not for directories. Like "ignore any new
/var/log/syslog.foo as long as it is a plain file".

> So one would have rule to match only to files
> !/var/log/syslog.[0-9]+ p file
> and if I want to match only to directories
> !/var/log/syslog.[0-9]+ p dir

Or:

/var/log/syslog/(syslog|auth\.log)-[0-9]{8}\.gz$ RotatedLogs+ANF file

(please note that this is not a negative rule)

> (yes... I know that the file/dir could be expressed like normal p+file, 
> but later on we might want to add these rule matching attributes, and 
> we are running out of bits in our 'normal' attributes)

So expanding that bitfield is work for aide 0.12 ;)

> The problem about this approach is that we need to stat the entry before 
> include/exclude decision can be made. This might be problematic with 
> jammed nfs mounts.

Personally, I find it a bad idea to have aide running over remote file
systems. Shouldn't these file systems be checked on the server?

> ps. I'm not saying we shouldn't implement this. I just couldn't imagine 
> someone would want to use negative rules in such way.

I am known for having exotic, but useful ideas ;)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
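As an added illustration (not code from the thread, and not AIDE's own implementation), the file-only exclusion Marc asks for, written as a small Python checker: a negative rule carries the inode type it is meant for, matching regular files are ignored, and anything else hiding behind the mask (here a constructed `syslog.999` directory) is reported instead of being silently skipped. The rule tuple syntax, the `check_tree` name and the temporary tree are constructed for this example.

```python
import os
import re
import shutil
import stat
import tempfile


def inode_type(path):
    """Classify an entry without following symlinks."""
    mode = os.lstat(path).st_mode
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISREG(mode):
        return "file"
    if stat.S_ISLNK(mode):
        return "link"
    return "other"


def check_tree(root, rules):
    """Walk root and apply type-aware negative rules.

    rules: list of (regex, inode_type). The regex is matched against the path
    relative to root, anchored at the start as AIDE selection lines are.
    Returns (ignored, flagged): entries that match a rule with the expected
    type are ignored; entries that match the regex but have another type
    (e.g. a directory named like a rotated log) are flagged for review.
    """
    ignored, flagged = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            virt = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            kind = inode_type(full)
            for regex, wanted in rules:
                if re.match(regex, virt):
                    (ignored if kind == wanted else flagged).append((virt, kind))
                    break
    return sorted(ignored), sorted(flagged)


def demo():
    """Build a constructed /var/log-like tree and run the file-only rule on it."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "syslog.999"))  # directory hiding behind the file mask
        for name in ("syslog", "syslog.1", "syslog.2"):
            open(os.path.join(root, name), "w").close()
        return check_tree(root, [(r"/syslog\.[0-9]+$", "file")])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    ignored, flagged = demo()
    print("ignored:", ignored)
    print("flagged:", flagged)
```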

