[Aide] GPG checking support scripts

Vincent Danen vdanen at linsec.ca
Sat Jan 21 21:46:48 EET 2006


OK, I saw the gpg checking stuff in the contribs for AIDE but I don't
like them.  Having an encrypted database is well enough, and important I
think, but the problem is that using --batch with gpg you can't provide
a passphrase, so it looks like you need to have an empty passphrase
which, ultimately, offers no protection: the aide.db should be 0700
and owned by root, so no one should be able to sneak a peek unless they're
root, and if they're root already, using gpg to cover their tracks and/or
decrypt, modify, and encrypt the db is trivial.

Although having encryption is good, I think more important is data
*validation*; i.e. to make sure the db you have is the db you think you
have.  For that, you don't need it to be encrypted, you just need to
have a signature for it, something we can do with gpg too.  Unlike
encrypting, this way you can secure your key with a passphrase and
verify the signature without needing the passphrase, so you can have a
daily cron check.  You just have to make sure you verify the sig before
you run aide --check.

I've written two scripts, the first is /etc/cron.daily/aide which runs a
check every day.  It verifies the signature first if one exists (note
that with these scripts you can use them *without* using gpg if you
really want).

The second script updates the database.  A few caveats are required for
this... I have set both my database and database_out files to the same
url, namely /var/lib/aide/aide.db.  This causes a warning on a check,
but doesn't hurt because in aideupdate I use -B to set the database file
to the recently rotated/copied database (on each update, the current
aide.db gets moved to aide-hostname-date.db and gets compressed after
the update).  The aideupdate script also can use gpg to create the
detached signature and verifies it before doing the update.

(This was where the issue I raised earlier about the warning on database
vs. database_out came from)

Salt to taste and feel free to include them in the contrib part of the
aide package if you like.

FWIW, I'm looking to replace tripwire with AIDE in my Linux distro
Annvix (http://annvix.org) which is a secure Linux distro.  That's a)
why I'm spamming you and b) why I have so many questions (trying to
build a decent default aide.conf file to ship in the package).

Thanks very much for the work on AIDE, I'm really starting to like it
although changing the output a bit to make it a little easier to read
would be good (I have a patch for this, but for some reason it isn't
doing what I want... not quite sure why).

Anyways, these are the scripts that will be shipping in the Annvix aide
package (they may evolve a bit yet as I keep fiddling, but I think
they're basically complete for the most part right now).

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
-------------- next part: /etc/cron.daily/aide --------------
#!/bin/bash
# /etc/cron.daily/aide -- daily AIDE integrity check.  If a detached GPG
# signature for the database exists it is verified first; the check is not
# run if verification fails.  bash rather than sh: pushd/popd are bash builtins.
hostname=`uname -n`
echo "AIDE integrity check for ${hostname} beginning (`date`)"
echo ""
if [ ! -e /var/lib/aide/aide.db ] ; then
    echo "**** Error: AIDE database for ${hostname} not found."
    echo "**** Run 'aide --init' and move the appropriate database file."
    exit 1
else
    if [ -f /etc/aide.conf ]; then
        if [ -f /var/lib/aide/aide.db.sig ]; then
            pushd /var/lib/aide >/dev/null
            echo "Verifying the GPG signature on the database..."
            echo ""
            # Save gpg's status immediately: testing $? after the following
            # echo would only ever see echo's status (0), so a bad signature
            # could never trip the check.  gpg exits 1 for a bad signature and
            # 2 for other failures (no public key, unreadable file); all of
            # them must stop the run, so test for non-zero rather than for 1.
            # Note that a valid signature from *any* key in root's keyring
            # gives status 0, trusted or not.
            gpg --verify aide.db.sig aide.db
            rc=$?
            echo ""
            if [ "$rc" -ne 0 ]; then
                echo "************************************************************"
                echo "GPG signature FAILED!  Your database has been tampered with!"
                echo "************************************************************"
                exit 1
            fi
            popd >/dev/null
        fi
        # lowest priority (the original "nice -20" is an increment of 20,
        # clamped to 19); stderr is discarded as in the original, so drop
        # the redirect to see AIDE's own error messages
        nice -n 19 /usr/sbin/aide --check 2>/dev/null
    else
        echo "**** Error: /etc/aide.conf not found, check not run."
        exit 1
    fi
fi

exit 0
-------------- next part: aideupdate --------------
#!/bin/bash
#
# script to update and rotate the AIDE database files and, optionally
# create a detached GPG signature to verify the database file
#
# written by Vincent Danen <vdanen-at-annvix.org> 01/21/2006
#
# assumes database and database_out in aide.conf both point at
# /var/lib/aide/aide.db (see the covering message); bash rather than sh
# because pushd/popd and [[ ]] are bash features

usegpg=0

# sign only if root has a secret keyring (gpg will prompt for the passphrase)
if [ -f /root/.gnupg/secring.gpg ]; then
    usegpg=1
fi

if [ ! -d /var/lib/aide ]; then
    echo "The AIDE database directory /var/lib/aide does not exist!"
    exit 1
fi

pushd /var/lib/aide >/dev/null

# copy the old database
if [ -f aide.db ]; then
    newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db"
    if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then
        # do an integrity check; any non-zero status (1 = bad signature,
        # 2 = could not verify, e.g. no public key) is a failure, not just 1
        if ! gpg --verify aide.db.sig aide.db; then
            echo "************************************************************"
            echo "GPG signature FAILED!  Your database has been tampered with!"
            echo "************************************************************"
            exit 1
        fi
    fi
    cp -av aide.db "${newfile}" || exit 1
    # read the rotated copy, write the new database to database_out (aide.db)
    /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
    if [ "${usegpg}" == "1" ]; then
        # the old signature no longer matches the rewritten aide.db
        [[ -f aide.db.sig ]] && rm -f aide.db.sig
        if [ ! -s aide.db ]; then
            echo "FATAL:  aide --update did not produce a new aide.db, nothing to sign!"
            exit 1
        fi
        # create the signature file (prompts for the passphrase)
        if ! gpg --detach-sign aide.db; then
            echo "FATAL:  Error occurred when creating the signature file!"
            exit 1
        fi
    fi
    gzip -9f "${newfile}"
else
    echo "The AIDE database does not exist, can't update!"
    exit 1
fi

popd >/dev/null
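One check a practitioner would want on top of the scripts above: `gpg --verify` exits 0 for a good signature from *any* key in root's keyring, trusted or not, so the exit status alone does not tell you that the database was signed by *your* key. The script below is an added example, not the poster's code and not part of AIDE; it parses gpg's machine-readable `--status-fd` lines and accepts the signature only if the `VALIDSIG` fingerprint matches one pinned in the script. Assumptions: the paths match the posted scripts, `AIDE_SIGNING_FPR` is a placeholder you replace with your own key's fingerprint, and the three sample status outputs are constructed (the fingerprint in them is the one from the poster's signature block, not captured from a real run).

```shell
#!/bin/sh
# Added example (not from the original post or the AIDE project): verify the
# detached signature on aide.db and accept it only when it was made by one
# pre-pinned key, by parsing gpg --status-fd output instead of its exit code.
#
# Assumptions: paths as in the posted scripts; AIDE_SIGNING_FPR is a
# placeholder (replace with the output of "gpg --fingerprint" for your key);
# the SAMPLE_* status lines below are constructed, not captured.

AIDE_DB=/var/lib/aide/aide.db
AIDE_SIG=/var/lib/aide/aide.db.sig
AIDE_SIGNING_FPR="0000000000000000000000000000000000000000"   # placeholder, 40 hex digits

# sig_ok STATUS_TEXT EXPECTED_FPR
# Returns 0 only if STATUS_TEXT contains a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals
# EXPECTED_FPR, and contains no failure status line at all.
sig_ok() {
    local status="$1" want="$2"
    # Any of these means the signature must not be trusted, whatever else gpg
    # printed.  EXPKEYSIG/REVKEYSIG are rejected by policy here even though gpg
    # still emits a VALIDSIG line alongside them.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)( |$)'; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_aide_db: run gpg on the real files and feed its status lines to sig_ok.
verify_aide_db() {
    local status
    # --status-fd 1 sends the machine-readable lines to stdout; --batch: no prompts.
    status=$(gpg --batch --status-fd 1 --verify "$AIDE_SIG" "$AIDE_DB" 2>/dev/null)
    sig_ok "$status" "$AIDE_SIGNING_FPR"
}

# Constructed sample status output (not from a real run).  The fingerprint is
# the one in the poster's signature block; timestamps and user IDs are made up.
SAMPLE_FPR="7F6CA60C06C24811FA1CA2BC2EBC5E32FEE30AD4"
SAMPLE_GOOD='[GNUPG:] GOODSIG 2EBC5E32FEE30AD4 Vincent Danen <vdanen@linsec.ca>
[GNUPG:] VALIDSIG 7F6CA60C06C24811FA1CA2BC2EBC5E32FEE30AD4 2006-01-21 1137872808 0 4 0 17 2 00 7F6CA60C06C24811FA1CA2BC2EBC5E32FEE30AD4
[GNUPG:] TRUST_ULTIMATE'
# Tampered database: the signature no longer matches the file.
SAMPLE_BAD='[GNUPG:] BADSIG 2EBC5E32FEE30AD4 Vincent Danen <vdanen@linsec.ca>'
# Valid signature, but from a different key that was imported into the keyring:
# plain "gpg --verify" exits 0 for this; the fingerprint pin rejects it.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <someone@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-01-22 1137959208 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED'

# demo: exercise sig_ok on the three samples; returns 0 if all behave as intended.
demo() {
    sig_ok "$SAMPLE_GOOD" "$SAMPLE_FPR"          || return 1
    ! sig_ok "$SAMPLE_BAD" "$SAMPLE_FPR"         || return 1
    ! sig_ok "$SAMPLE_OTHER_KEY" "$SAMPLE_FPR"   || return 1
    return 0
}

if demo; then
    echo "sig_ok: good, tampered and other-key samples handled as intended"
fi

# Real use, e.g. from the daily cron job: "sh aide-verify.sh --verify && aide --check"
case "${1:-}" in
    --verify)
        if verify_aide_db; then
            echo "GPG signature on $AIDE_DB verified against pinned key $AIDE_SIGNING_FPR"
        else
            echo "GPG signature on $AIDE_DB FAILED or was made by an unexpected key" >&2
            exit 1
        fi
        ;;
esac
```

Run without arguments it only exercises the parser on the constructed samples; with `--verify` it checks the real database and exits non-zero on failure, so it can replace the `gpg --verify` step in the cron script. As the poster notes, an attacker who is already root can edit the pinned fingerprint or the script itself; the pin defends against the narrower case where the keyring contains more keys than the one you sign with.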