[Aide] aide 0.11 is generating a VERY large database.

Bob Hutchinson hutchlists at midwales.com
Tue Feb 6 18:11:50 EET 2007


On Tuesday 06 February 2007 13:55, Eric Webster wrote:
> Make your rules as specific as possible. For the messages example, I'd say
> something like...
>
> !/var/log/messages(\.[0-9](\.gz)?)?$
> !/var/log/messages\.[0-5][0-9](\.gz)?$
>
> Those should cover your requests...

excellent!

it caught the dummy
Added files:
added:/var/log/messages.9999999999999

many thanks, I will apply this to all the logfiles and see how it goes.

Examples like this are a great help in getting to grips with unix regex

>
> > messages
> > messages.0
> > messages.1.gz
> > etc up to a possible max of messages.59.gz
>
> Eric Webster
> Enterprise Services
> 2CheckOut.com
>
> > -----Original Message-----
> > From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi]
> > On Behalf Of Bob Hutchinson
> > Sent: Monday, February 05, 2007 4:26 PM
> > To: aide at cs.tut.fi
> > Subject: Re: [Aide] aide 0.11 is generating a VERY large database.
> >
> > On Monday 05 February 2007 16:02, Marc Haber wrote:
> > > On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > > > !/var/log/messages(.[0-9])?(.gz)?
> > > > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > > > !/var/log/kern.log(.[0-9])?(.gz)?
> > >
> > > So your attacker places her root kit in
> > > /var/log/messages.9999999999999 and you won't notice.
> >
> > you got me bang to rights guvnor!
> >
> > did (as root)
> > touch /var/log/messages.9999999999999
> > /etc/cron.hourly/aide
> >
> > nada ;-(
> >
> > mind you, I would not be able to create a file in /var/log as
> > anybody other
> > than root.
> > tried
> > su www-data
> > touch /var/log/messages.8888888888
> > touch: cannot touch `/var/log/messages.8888888888': Permission denied
> >
> > but /tmp would be another matter.
> >
> > In practice I have found that setting wget and curl to chmod
> > 700 has stopped
> > several attempts, reported in logcheck and I have been able
> > to identify which
> > customer's leaky script was responsible for the unsuccessful
> > attempt to wget
> > something into /tmp. This could also be done in iptables by
> > denying http
> > fetch, but I do (as root) fetch stuff such as clamav and
> > there is apt-get to
> > consider as well.
> >
> > Ideally /tmp should have its own partition and be set to
> > noexec in /etc/fstab
> > and *BSD boxes are, but in practice most of the boxes I tend
> > were not set up
> > by me and I have to work with what I find.
> >
> > anyway,
> > so how to improve?
> > assuming (for the sake of argument)
> >
> > messages
> > messages.0
> > messages.1.gz
> > etc up to a possible max of messages.59.gz
> >
> > ideas welcome.
> >
> > --
> > -----------------
> > Bob Hutchinson
> > Midwales dot com
> > -----------------
> > _______________________________________________
> > Aide mailing list
> > Aide at cs.tut.fi
> > https://mailman.cs.tut.fi/mailman/listinfo/aide

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
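The difference between the loose rules quoted at the top of the thread and Eric's tightened ones comes down to one thing: the loose patterns never anchor the end of the path and leave the dots unescaped, so `/var/log/messages.9999999999999` (or anything else with that prefix) is silently excluded from the check. The script below is an added example, not code from the thread or from the AIDE project; it runs both rule sets against a constructed list of paths and reports which ones each set would exclude. It models AIDE's matching with Python's `re.match`, on the assumption that AIDE matches a rule regex from the start of the path and only anchors the end when the rule carries an explicit `$`, which is what the thread's experiment shows.

```python
import re

# Constructed sample of paths an AIDE run might see under /var/log.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
    "/var/log/messages.9999999999999",  # the dummy file planted in the thread
    "/var/log/messages.1.gz.evil",      # constructed: trailing junk after a real name
    "/var/log/messagesXgz",             # constructed: only an unescaped '.' matches this
]

# Loose rule as originally posted: no end anchor, unescaped dots.
LOOSE_RULES = [r"/var/log/messages(.[0-9])?(.gz)?"]

# Eric's tightened rules: escaped dots, bounded rotation number, '$' anchor.
TIGHT_RULES = [
    r"/var/log/messages(\.[0-9](\.gz)?)?$",
    r"/var/log/messages\.[0-5][0-9](\.gz)?$",
]


def excluded(path, rules):
    """True if any negated ('!') rule matches the path.

    Assumption: AIDE matches a rule regex from the start of the path
    (modelled with re.match) and does not anchor the end unless the
    rule itself ends in '$'.
    """
    return any(re.match(rule, path) for rule in rules)


def audit(paths, rules):
    """Map each path to whether the ruleset would exclude it from the database."""
    return {path: excluded(path, rules) for path in paths}


def still_checked(paths, rules):
    """Paths the ruleset does NOT exclude, i.e. files AIDE would still record.

    Anything unexpected that lands here is what the check exists to catch.
    """
    return [path for path in paths if not excluded(path, rules)]


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(f"--- {label} rules ---")
        for path, skipped in audit(SAMPLE_PATHS, rules).items():
            print(f"{'EXCLUDED' if skipped else 'checked ':9} {path}")
```

With the loose rules every path in the sample is excluded, including the planted `messages.9999999999999`, the `.evil` suffix and `messagesXgz`; with the tightened rules only the genuine rotations (`messages`, `messages.0`, `messages.1.gz`, `messages.59.gz`) are excluded and the other three stay under AIDE's watch. The same harness is a cheap way to sanity-check any `!` or `=` rule before it goes into `aide.conf`: add the filenames you expect to see and a few you never want ignored, and make sure only the first group ends up excluded.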

