[Aide] Reading AIDE database from a URL?

Osmo Paananen odie at cs.tut.fi
Fri Mar 31 18:34:05 EEST 2006


Hi!

I tried searching the ssh manual pages, but I didn't see anything about this...

I put the following line into ~/.ssh/authorized_keys:
no-agent-forwarding,no-X11-forwarding,no-port-forwarding,from="hostname.domain",command="/usr/bin/nice /opt/local/bin/sudo /sbin/aide -c - --init -B report_url=stderr -B database_out=stdout"  <insert-key-here> 

I know that it has worked on some versions of openssh, haven't checked
whether it's still supported.

The idea is that when someone connects with that specific key, ssh
executes the command="" directly and doesn't open a shell for that
connection.

On Wed, 2006-03-29 at 08:14 +0200, Christoph.Ehret at swisscom.com wrote:
> Sounds very interesting. I am also trying to do something like your
> solution for our team, where we have more than 200 Linux servers to
> administer. One point is not clear in your description, namely point 3):
> I have never heard of this; how do you do it?
> 
>  
> 
> -----Original Message-----
> From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf
> Of Osmo Paananen
> Sent: Tuesday, March 28, 2006 7:45 AM
> To: Aide user mailinglist
> Subject: Re: [Aide] Reading AIDE database from a URL?
> 
> Hi!
> 
> As others are sharing how they have been running aide, here is one more
> version.
> 
> 1) configuration and db's are stored at the central server (piped via ssh)
> 2) the master connects using ssh, which uses public key authentication
> 3) the public key mandates that the only command which can be run is
> sudo aide --init
> 4) the master server compares the new and the old db
> 5) aide database & config signing are used to make it harder
> for a potential intruder to modify the aide binary on client machines
> to ignore attacker-specified files
> 6) the aide binary is not copied from the master server, because if
> the master server were compromised it would enable the attacker
> to execute code of his choice on the clients
> 7) there is a web interface from which you can see the reports and
> modify configuration files and create new accounts for the web (etc)
> 8) old databases are stored as patches to the original
> (the newest is stored also in non-patch format)
> 
> 
> I have been thinking of releasing this code under the GPL. The framework
> is far from perfect, so I don't know whether a total rewrite would be
> easier.
> 
> Releasing the code under the GPL is hard because I have no idea whose
> permission I would need from my organization.
> 
> Perhaps someone has already done something similar which is released to
> public.
> 
> On Wed, 2006-03-22 at 06:55 -0600, David Theilen wrote:
> > I approach this a little differently.  I start with a master system
> > controlling the activity; I assume I can't trust the remote servers.
> > 
> > I store a conf and database for each remote server.
> > The master does an scp to get the aide conf, database file
> > and also the aide binary to the remote.
> > Then I use ssh to initiate aide on the remote.
> > 
> > The master has an init script that stores the conf and database
> > specific for a remote whenever a new init is needed for a remote.
> > 
> > 
> > Alex Greg wrote:
> > 
> > >I've been looking at AIDE over the past few days, with a view to
> > >rolling it out on over 60 Linux servers. So far, it's looking much
> > >better than Tripwire, from both an installation and performance point
> > >of view.
> > >
> > >The only problem I have with AIDE is that the database is stored in
> > >plain text, which means if an attacker gains root access on one of the
> > >boxes, they can simply change the database. I can't feasibly store the
> > >database on read-only media such as floppies/CDs for obvious reasons
> > >(60+ floppies/CDs in 60+ servers...?)
> > >
> > >I noticed that AIDE supports reading the database from a remote server
> > >using PostgreSQL, which is useful. However, what would really be ideal
> > >for us would be to store the database for each machine on an internal
> > >HTTP server, and configure AIDE to validate against that.
> > >
> > >Is HTTP support for reading the database planned, or does anyone know
> > >of a patch? Also, if there are any other suggestions, please let me
> > >know!
> > >
> > >
> > >Thanks,
> > >
> > >
> > >-- Alex
> > >_______________________________________________
> > >Aide mailing list
> > >Aide at cs.tut.fi
> > >https://mailman.cs.tut.fi/mailman/listinfo/aide
> > >  
> > >
> > 
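The forced-command scheme discussed in this thread (the restricted authorized_keys entry from the top message, and steps 1 to 4 of the quoted setup: config piped in over ssh, only one command runnable, the master comparing old and new database), as an added example that is not part of the original thread and not code from AIDE. The command string is the one posted above; no-pty is added as one further authorized_keys restriction. The function names, the SSH_ORIGINAL_COMMAND guard, the SSH_CMD/AIDE_KEY overrides and the sample key material are assumptions of this example.

```shell
#!/bin/sh
# Added example for the AIDE forced-command scheme described in the thread.
# Not code from the original post or from AIDE. Function names, the SSH_CMD
# and AIDE_KEY overrides and the sample key material are assumptions here.

# Build one authorized_keys entry for the master's key. The command string is the
# one from the post; no-pty is added so sshd never allocates a terminal for this key.
make_aide_authorized_key() {
    master="$1"    # hostname the master connects from (used in from=)
    keytype="$2"   # e.g. ssh-ed25519
    blob="$3"      # base64 public key
    opts="no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty"
    opts="$opts,from=\"$master\""
    opts="$opts,command=\"/usr/bin/nice /opt/local/bin/sudo /sbin/aide -c - --init -B report_url=stderr -B database_out=stdout\""
    printf '%s %s %s aide-master@%s\n' "$opts" "$keytype" "$blob" "$master"
}

# With command= set, sshd runs that command regardless of what the client asked
# for and puts the client's request in SSH_ORIGINAL_COMMAND. A wrapper used as the
# forced command can call this before exec'ing aide, so a request for anything else
# (a compromised master probing for a shell) is rejected and can be logged.
check_original_command() {
    case "${1:-}" in
        "" | "aide --init") return 0 ;;  # empty: plain "ssh host" with no command
        *) return 1 ;;
    esac
}

# Master side: feed the per-host config on stdin (aide -c -), capture the new
# database from stdout and the report from stderr, then compare against the
# previously stored database. SSH_CMD defaults to ssh; a test can point it at a
# stand-in so the function runs without a remote host.
collect_aide_db() {
    host="$1"      # remote host
    conf="$2"      # per-host aide.conf kept on the master
    outdir="$3"    # where this host's db and report are stored
    mkdir -p "$outdir"
    ${SSH_CMD:-ssh} -i "${AIDE_KEY:-$HOME/.ssh/aide_master}" "root@$host" \
        < "$conf" > "$outdir/aide.db.new" 2> "$outdir/report.txt" || return 1
    if [ -f "$outdir/aide.db" ] && cmp -s "$outdir/aide.db" "$outdir/aide.db.new"; then
        echo unchanged
    else
        echo changed
    fi
}

# Usage: AIDE_DEMO=1 sh this_script.sh prints a sample authorized_keys line.
if [ "${AIDE_DEMO:-}" = 1 ]; then
    make_aide_authorized_key master.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly
fi
```

The from= option only restricts the client address sshd sees, so it is a defence in depth on top of the key, not a substitute for it. On OpenSSH 7.2 and later the single option restrict covers the no-*-forwarding and no-pty options together and also disables any restriction added in later releases.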