[Aide] aide 0.11 is generating a VERY large database.
Eric Webster
ewebster at 2co.com
Tue Feb 6 15:55:08 EET 2007
Make your rules as specific as possible. For the messages example, I'd say
something like...
!/var/log/messages(\.[0-9](\.gz)?)?$
!/var/log/messages\.[0-5][0-9](\.gz)?$
Those should cover your requests...
> messages
> messages.0
> messages.1.gz
> etc up to a possible max of messages.59.gz
Eric Webster
Enterprise Services
2CheckOut.com
> -----Original Message-----
> From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi]
> On Behalf Of Bob Hutchinson
> Sent: Monday, February 05, 2007 4:26 PM
> To: aide at cs.tut.fi
> Subject: Re: [Aide] aide 0.11 is generating a VERY large database.
>
> On Monday 05 February 2007 16:02, Marc Haber wrote:
> > On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > > !/var/log/messages(.[0-9])?(.gz)?
> > > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > > !/var/log/kern.log(.[0-9])?(.gz)?
> >
> > So your attacker places her root kit in
> > /var/log/messages.9999999999999 and you won't notice.
>
> you got me bang to rights guvnor!
>
> did (as root)
> touch /var/log/messages.9999999999999
> /etc/cron.hourly/aide
>
> nada ;-(
>
> mind you, I would not be able to create a file in /var/log as anybody other
> than root.
> tried
> su www-data
> touch /var/log/messages.8888888888
> touch: cannot touch `/var/log/messages.8888888888': Permission denied
>
> but /tmp would be another matter.
>
> In practice I have found that setting wget and curl to chmod 700 has stopped
> several attempts, reported in logcheck and I have been able to identify which
> customer's leaky script was responsible for the unsuccessful attempt to wget
> something into /tmp. This could also be done in iptables by denying http
> fetch, but I do (as root) fetch stuff such as clamav and there is apt-get to
> consider as well.
>
> Ideally /tmp should have its own partition and be set to noexec in /etc/fstab
> and *BSD boxes are, but in practice most of the boxes I tend were not set up
> by me and I have to work with what I find.
>
> anyway,
> so how to improve?
> assuming (for the sake of argument)
>
> messages
> messages.0
> messages.1.gz
> etc up to a possible max of messages.59.gz
>
> ideas welcome.
>
> --
> -----------------
> Bob Hutchinson
> Midwales dot com
> -----------------
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>
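The weakness Marc Haber points out above (an unescaped `.` and no end anchor let a planted file slip under an exclusion rule) can be checked before a rule goes into aide.conf. The following harness is an added example, not code from the thread or from the AIDE project: it runs the loose rule Bob quoted and Eric's tightened rules against a constructed list of paths, using Python's `re.match` to mimic AIDE anchoring each rule at the start of the path (an assumption about AIDE's matching that holds for these patterns; AIDE uses POSIX extended regexes, and these particular patterns mean the same in both dialects).

```python
import re

# Loose rule as quoted in Bob Hutchinson's config: '.' is unescaped (matches any
# character) and there is no '$', so anything with that prefix is excluded.
LOOSE_RULES = [
    r"/var/log/messages(.[0-9])?(.gz)?",
]

# Eric Webster's tightened rules: dots escaped, rotation index bounded to 0-59,
# and '$' so nothing may follow the expected suffix.
TIGHT_RULES = [
    r"/var/log/messages(\.[0-9](\.gz)?)?$",
    r"/var/log/messages\.[0-5][0-9](\.gz)?$",
]

# Constructed sample paths: legitimate rotated logs plus the planted-file case
# from the thread and a couple of other names the loose rule would swallow.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
    "/var/log/messages.9999999999999",  # the planted file from the thread
    "/var/log/messagesXrootkit",         # loose rule's prefix match catches this too
    "/var/log/messages.60.gz",           # outside the 0-59 rotation range
]


def is_excluded(path, rules):
    """True if any rule excludes the path.

    AIDE anchors every rule regex at the start of the path; re.match does the
    same, so a rule without '$' matches any path that merely begins with it.
    """
    return any(re.match(rule, path) for rule in rules)


def compare(paths=SAMPLE_PATHS):
    """Map each path to (excluded_by_loose_rules, excluded_by_tight_rules)."""
    return {p: (is_excluded(p, LOOSE_RULES), is_excluded(p, TIGHT_RULES)) for p in paths}


if __name__ == "__main__":
    for path, (loose, tight) in compare().items():
        print(f"{path:40} loose={loose!s:5} tight={tight!s:5}")
```

A path reported as excluded by the loose rule but not by the tight ones is exactly a file AIDE would have stayed silent about under the old config; the planted `messages.9999999999999` falls in that set, while the genuine rotations `messages` through `messages.59.gz` are excluded by both.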