[Aide] aide 0.11 is generating a VERY large database.
Bob Hutchinson
hutchlists at midwales.com
Mon Feb 5 23:26:21 EET 2007
On Monday 05 February 2007 16:02, Marc Haber wrote:
> On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > !/var/log/messages(.[0-9])?(.gz)?
> > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > !/var/log/kern.log(.[0-9])?(.gz)?
>
> So your attacker places her root kit in
> /var/log/messages.9999999999999 and you won't notice.
you got me bang to rights guvnor!
did (as root)
touch /var/log/messages.9999999999999
/etc/cron.hourly/aide
nada ;-(
mind you, I would not be able to create a file in /var/log as anybody other
than root.
tried
su www-data
touch /var/log/messages.8888888888
touch: cannot touch `/var/log/messages.8888888888': Permission denied
but /tmp would be another matter.
In practice I have found that setting wget and curl to chmod 700 has stopped
several attempts, reported in logcheck and I have been able to identify which
customer's leaky script was responsible for the unsuccessful attempt to wget
something into /tmp. This could also be done in iptables by denying http
fetch, but I do (as root) fetch stuff such as clamav and there is apt-get to
consider as well.
Ideally /tmp should have its own partition and be set to noexec in /etc/fstab
and *BSD boxes are, but in practice most of the boxes I tend were not set up
by me and I have to work with what I find.
anyway,
so how to improve?
assuming (for the sake of argument)
messages
messages.0
messages.1.gz
etc up to a possible max of messages.59.gz
ideas welcome.
--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
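An added illustration of the point raised in the thread, not part of Bob's message or of the Aide project: the quoted rule has no end anchor and an unescaped `.`, so anything whose path starts with /var/log/messages is excluded. The tighter rule below assumes the rotation scheme Bob describes (messages, messages.0 .. messages.59, optionally .gz) and that AIDE anchors the regex at the start of the path, which is written out as `^` here so Python's re behaves the same way.

```python
import re

# Constructed rules for comparison (not taken from any aide.conf).
# LOOSE_RULE is the rule quoted in the thread: '.' matches any character and
# there is no '$', so every path with this prefix is excluded from checking.
LOOSE_RULE = r"^/var/log/messages(.[0-9])?(.gz)?"
# TIGHT_RULE escapes the dots, limits the rotation index to 0-59 and anchors
# the end of the path, so only the expected rotated log names are excluded.
TIGHT_RULE = r"^/var/log/messages(\.([0-9]|[1-5][0-9]))?(\.gz)?$"


def excluded(rule: str, path: str) -> bool:
    """Return True if the exclusion rule would hide `path` from AIDE's checks."""
    return re.search(rule, path) is not None


def compare(paths):
    """Return {path: (excluded_by_loose, excluded_by_tight)} for each sample path."""
    return {p: (excluded(LOOSE_RULE, p), excluded(TIGHT_RULE, p)) for p in paths}


# Constructed sample paths: legitimate rotated logs plus the planted-file
# case Marc described and two other names that should stay under watch.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
    "/var/log/messages.60.gz",
    "/var/log/messages.9999999999999",
    "/var/log/messages.evil",
]

if __name__ == "__main__":
    for path, (loose, tight) in compare(SAMPLE_PATHS).items():
        print(f"{path:36} loose: {'excluded' if loose else 'checked':8} "
              f"tight: {'excluded' if tight else 'checked'}")
```

The loose rule excludes all seven paths; the tight rule excludes only the first four, so a file named like the planted one is back under AIDE's watch.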