[Aide] aide 0.11 is generating a VERY large database.

Bob Hutchinson hutchlists at midwales.com
Mon Feb 5 23:26:21 EET 2007


On Monday 05 February 2007 16:02, Marc Haber wrote:
> On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > !/var/log/messages(.[0-9])?(.gz)?
> > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > !/var/log/kern.log(.[0-9])?(.gz)?
>
> So your attacker places her root kit in
> /var/log/messages.9999999999999 and you won't notice.

you got me bang to rights guvnor!

did (as root)
touch /var/log/messages.9999999999999
/etc/cron.hourly/aide

nada ;-(

mind you, I would not be able to create a file in /var/log as anybody other 
than root.
tried
su www-data
touch /var/log/messages.8888888888
touch: cannot touch `/var/log/messages.8888888888': Permission denied

but /tmp would be another matter.

In practice I have found that setting wget and curl to chmod 700 has stopped 
several attempts, reported in logcheck and I have been able to identify which 
customer's leaky script was responsible for the unsuccessful attempt to wget 
something into /tmp. This could also be done in iptables by denying http 
fetch, but I do (as root) fetch stuff such as clamav and there is apt-get to 
consider as well.

Ideally /tmp should have its own partition and be set to noexec in /etc/fstab 
and *BSD boxes are, but in practice most of the boxes I tend were not set up 
by me and I have to work with what I find.

anyway,
so how to improve?
assuming (for the sake of argument)

messages
messages.0
messages.1.gz
etc up to a possible max of messages.59.gz

ideas welcome.

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
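Added example, not from the thread or the AIDE project: a small Python model of why the quoted rule swallows /var/log/messages.9999999999999, and how a rule written for the rotation scheme Bob lists (messages, messages.0, messages.1.gz ... messages.59.gz) behaves on the same names. It assumes what the thread demonstrates: AIDE matches a rule's regex from the start of the path and leaves the end unanchored unless the rule ends in "$". Python's re is used in place of the POSIX ERE engine AIDE uses; the two patterns below stay within the common subset. The file listing is constructed for the example.

```python
import re

# Assumed model of AIDE's rule matching (not AIDE's own code): the rule's
# regex is matched from the start of the path only, so the end is open
# unless the rule itself ends with "$".
def aide_rule_matches(rule: str, path: str) -> bool:
    """Return True if an AIDE-style '!' exclusion rule covers `path`."""
    pattern = rule[1:] if rule.startswith("!") else rule
    return re.match(pattern, path) is not None

# The rule quoted in the thread: dots unescaped, no end anchor.
LOOSE_RULE = r"!/var/log/messages(.[0-9])?(.gz)?"

# A rule written for the rotation scheme in the post (messages, messages.0,
# messages.1.gz ... messages.59.gz): dots escaped, the counter limited to
# 0..59, and "$" so nothing may follow the expected suffix.
TIGHT_RULE = r"!/var/log/messages(\.0|\.[1-9]\.gz|\.[1-5][0-9]\.gz)?$"

# Constructed sample listing of /var/log: the four rotated names we intend
# to skip, the file from the touch test in the thread, and a few other
# names that must stay under AIDE's watch.
INTENDED_ROTATION = [
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
]
SAMPLE_PATHS = INTENDED_ROTATION + [
    "/var/log/messages.9999999999999",  # the touch test from the thread
    "/var/log/messages.60.gz",          # beyond the rotation limit
    "/var/log/messagesX",               # an unescaped '.' is not needed here
    "/var/log/messages.d/rootkit",      # anything under a same-prefix dir
]

def excluded_paths(rule, paths):
    """Paths from `paths` that `rule` would exclude from the database."""
    return [p for p in paths if aide_rule_matches(rule, p)]

def unexpected_exclusions(rule, paths, intended):
    """Paths the rule excludes that were never meant to be excluded."""
    return sorted(set(excluded_paths(rule, paths)) - set(intended))

def missing_exclusions(rule, paths, intended):
    """Intended rotation names the rule fails to exclude (config would bloat)."""
    return sorted(set(intended) - set(excluded_paths(rule, paths)))

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE_RULE), ("tight", TIGHT_RULE)):
        print(name, "unexpectedly excludes:",
              unexpected_exclusions(rule, SAMPLE_PATHS, INTENDED_ROTATION))
        print(name, "fails to exclude:",
              missing_exclusions(rule, SAMPLE_PATHS, INTENDED_ROTATION))
```

Running it shows the loose rule excluding every name that starts with /var/log/messages, the 9999999999999 file included, while the tight rule excludes exactly the four rotated names. The same check (feed the rule and a real `find /var/log` listing through aide_rule_matches) is a cheap way to review any "!" rule before trusting the database it produces; what it cannot fix is that a file matched by a rule is, by design, not monitored at all, so rules should cover the narrowest set of names the rotation actually produces.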

