[Aide] aide 0.11 is generating a VERY large database.

Eric Webster ewebster at 2co.com
Tue Feb 6 15:55:08 EET 2007


Make your rules as specific as possible. For the messages example, I'd say
something like...

!/var/log/messages(\.[0-9](\.gz)?)?$
!/var/log/messages\.[0-5][0-9](\.gz)?$

Those should cover your requests...

> messages
> messages.0
> messages.1.gz
> etc up to a possible max of messages.59.gz

Eric Webster
Enterprise Services
2CheckOut.com 

 

> -----Original Message-----
> From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] 
> On Behalf Of Bob Hutchinson
> Sent: Monday, February 05, 2007 4:26 PM
> To: aide at cs.tut.fi
> Subject: Re: [Aide] aide 0.11 is generating a VERY large database.
> 
> On Monday 05 February 2007 16:02, Marc Haber wrote:
> > On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > > !/var/log/messages(.[0-9])?(.gz)?
> > > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > > !/var/log/kern.log(.[0-9])?(.gz)?
> >
> > So your attacker places her root kit in
> > /var/log/messages.9999999999999 and you won't notice.
> 
> you got me bang to rights guvnor!
> 
> did (as root)
> touch /var/log/messages.9999999999999
> /etc/cron.hourly/aide
> 
> nada ;-(
> 
> mind you, I would not be able to create a file in /var/log as
> anybody other than root.
> tried
> su www-data
> touch /var/log/messages.8888888888
> touch: cannot touch `/var/log/messages.8888888888': Permission denied
> 
> but /tmp would be another matter.
> 
> In practice I have found that setting wget and curl to chmod 700 has
> stopped several attempts, reported in logcheck, and I have been able to
> identify which customer's leaky script was responsible for the
> unsuccessful attempt to wget something into /tmp. This could also be
> done in iptables by denying http fetch, but I do (as root) fetch stuff
> such as clamav and there is apt-get to consider as well.
> 
> Ideally /tmp should have its own partition and be set to noexec in
> /etc/fstab, and *BSD boxes are, but in practice most of the boxes I
> tend were not set up by me and I have to work with what I find.
> 
> anyway,
> so how to improve?
> assuming (for the sake of argument)
> 
> messages
> messages.0
> messages.1.gz
> etc up to a possible max of messages.59.gz
> 
> ideas welcome.
> 
> -- 
> -----------------
> Bob Hutchinson
> Midwales dot com
> -----------------
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
> 
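Added example, not part of the thread: a small Python check of how AIDE applies the two rule sets above. AIDE anchors every rule at the start of the path, so Eric's explicit trailing `$` and escaped dots are what stop a prefix match like Marc's planted file name; Bob's original rule has neither. Python's `re` module stands in for AIDE's POSIX extended regex engine here, which is an assumption that holds for these patterns.

```python
import re

# Eric's tightened exclusion rules, copied from his reply (without the
# leading "!" that marks them as exclusions in aide.conf).
TIGHT_RULES = [
    r"/var/log/messages(\.[0-9](\.gz)?)?$",
    r"/var/log/messages\.[0-5][0-9](\.gz)?$",
]

# Bob's original rule for comparison: unescaped dots, no end anchor.
LOOSE_RULES = [
    r"/var/log/messages(.[0-9])?(.gz)?",
]


def is_excluded(path, rules):
    """True if any rule matches the path the way AIDE applies it:
    anchored at the start, and at the end only if the rule says $."""
    return any(re.match(rule, path) for rule in rules)


def classify(paths, rules):
    """Split paths into (excluded_from_db, still_monitored)."""
    excluded = [p for p in paths if is_excluded(p, rules)]
    monitored = [p for p in paths if not is_excluded(p, rules)]
    return excluded, monitored


# Constructed sample: Bob's rotation scheme plus the file Marc used to
# show the hole. Nothing here is read from a real /var/log.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
    "/var/log/messages.9999999999999",
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        excluded, monitored = classify(SAMPLE_PATHS, rules)
        print(f"{name}: excluded={excluded}")
        print(f"{name}: still monitored={monitored}")
```

With the loose rule every sample path is excluded, so the planted file never enters the database; with the tight rules only the legitimate rotations are excluded and the odd file is reported.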
