[Aide] aide 0.11 is generating a VERY large database.

Marc Haber mh+aide at zugschlus.de
Wed Feb 7 17:32:41 EET 2007


On Mon, Feb 05, 2007 at 09:26:21PM +0000, Bob Hutchinson wrote:
> On Monday 05 February 2007 16:02, Marc Haber wrote:
> > On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > > !/var/log/messages(.[0-9])?(.gz)?
> > > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > > !/var/log/kern.log(.[0-9])?(.gz)?
> >
> > So your attacker places her root kit in
> > /var/log/messages.9999999999999 and you won't notice.
> 
> you got me bang to rights guvnor!
> 
> did (as root)
> touch /var/log/messages.9999999999999
> /etc/cron.hourly/aide
> 
> nada ;-(
> 
> mind you, I would not be able to create a file in /var/log as anybody other 
> than root.

Yes. A root kit is a kit to stay root after becoming root. When you
are looking for a place to dump a root kit, you are usually root
already.

> In practice I have found that setting wget and curl to chmod 700 has stopped 
> several attempts,

I tend to uninstall unneeded tools in their entirety. But, that's only
going to stop lazy or clueless attackers.

On Debian systems, debfoster is a big helper.

>  reported in logcheck and I have been able to identify which 
>  customer's leaky script was responsible for the unsuccessful attempt
>  to wget something into /tmp. This could also be done in iptables by
>  denying http fetch,

Yes, firewalling outgoing connections is generally a good idea.

>  but I do (as root) fetch stuff such as clamav and there is apt-get to
>  consider as well.

clamav and apt-get are only fetching from a rather short list of
known systems, so it could be allowed to make http connections only to
a system on that list. If you want to be really secure, have a script
that opens the packet filter, does the update and closes the filter
again. And think about having the packet filter on a different system.

> Ideally /tmp should have its own partition and be set to noexec in
> /etc/fstab and *BSD boxes are, but in practice most of the boxes I
> tend were not set up by me and I have to work with what I find.

When I tried last, noexec was trivial to dodge.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
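The point Marc makes about the `!/var/log/messages(.[0-9])?(.gz)?` rule can be checked without touching a real AIDE install. The following is an added example, not code from the thread or from the AIDE project: it emulates AIDE's rule matching under the assumption (from aide.conf as I remember it) that a rule's regex is matched from the start of the path and is not anchored at the end unless the rule ends in `$`, and it shows the quoted rules beside tightened variants written for this example.

```python
import re

# Negation rules quoted in the thread (constructed copy for this example).
LOOSE_RULES = [
    r"!/var/log/messages(.[0-9])?(.gz)?",
    r"!/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?",
    r"!/var/log/kern.log(.[0-9])?(.gz)?",
]

# Tightened variants (my own, not from the thread): dots escaped, one
# rotation digit, and a trailing $ so the rule cannot match a prefix.
TIGHT_RULES = [
    r"!/var/log/messages(\.[0-9])?(\.gz)?$",
    r"!/var/log/mail\.(log|error|info|warn)(\.[0-9])?(\.gz)?$",
    r"!/var/log/kern\.log(\.[0-9])?(\.gz)?$",
]


def is_excluded(path, rules):
    """True if some '!' rule excludes `path` from checking.

    Assumption: like AIDE, the regex is anchored at the start of the
    path only, which is exactly what re.match() gives us.
    """
    for rule in rules:
        if rule.startswith("!") and re.match(rule[1:], path):
            return True
    return False


def lint_rule(rule):
    """Heuristic warnings for an AIDE negation rule.

    Flags an unescaped '.' (matches any character, not a literal dot)
    and a missing trailing '$' (rule also matches every longer path).
    """
    body = rule.lstrip("!")
    warnings = []
    if re.search(r"(?<!\\)\.", body):
        warnings.append("unescaped '.' matches any character")
    if not body.endswith("$"):
        warnings.append("no trailing '$': rule matches any path with this prefix")
    return warnings


if __name__ == "__main__":
    probe = "/var/log/messages.9999999999999"   # the name from the thread
    print("loose rules exclude it:", is_excluded(probe, LOOSE_RULES))
    print("tight rules exclude it:", is_excluded(probe, TIGHT_RULES))
    for rule in LOOSE_RULES:
        print(rule, "->", lint_rule(rule))
```

Note that the tightened rules still exempt anything named exactly like a rotated log (e.g. `/var/log/messages.3`), so the narrower exclusion reduces, but does not remove, the blind spot Marc describes.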

