[Aide] Reporting log files

Pablo Virolainen pablo at vapaa.fi
Wed Mar 28 10:15:03 EEST 2007


On Sun, 18 Mar 2007, Marc Haber wrote:

> > > And it is kind of beyond aide's scope to notice that mainlog.1 is the
> > > same file with its contents compressed to mainlog.2.gz.
> >
> > But why?  I can imagine Aide to unpack certain files before testing them.
> > A simple name pattern match with /var/log/*.gz could suffice to trigger
> > this behaviour.
>
> Nice idea. This is now wishlist request 1683253 in the aide feature
> request tracker. If you have things to add to my report, please do so.

Actually this is quite easy to implement... It would mean that our
database would have more columns... gunzipped size and hash values.

> > Finally, log files are not tested for their contents, but only for
> > growing size.  It sounds like child's play to install a root kit under
> > that little scrutiny -- just make a file large enough and overwrite
> > the logs that are in place.  (This'd assume the logs aren't monitored.)
> >
> > Would it not be possible for Aide, since it records the previous
> > log file size, to verify checksums over the initial part of the
> > file comprising the old size?  So the options for a growing
> > logfile could include S+md5+sha1 and the hashes would know, as a
> > result of the S option, that the old size is to be used to record
> > the previous bits.
>
> Nice idea. wishlist request 1683255 in the aide feature request
> tracker. Again, if I omitted something, please add there.

This is not so easy. Actually this can't be implemented without knowing
the original size (read from the database). So running init and then
compare would be different than running update. I know that some of you
don't want to run update (because it can leak some information to the
attacker).

Pablo
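
Both proposals in this thread (hashing a rotated *.gz log by its gunzipped contents, and verifying a growing log by hashing the prefix up to the size recorded in the database) are sketched below as an added Python example. It is not AIDE code and not code from anyone on this list; the file names, the sample log lines and the `.gz` name-pattern rule are constructed for the demonstration, and SHA-256 stands in for whatever hash columns the database would actually carry.

```python
import gzip
import hashlib
import os
import tempfile

CHUNK = 65536


def prefix_sha256(path, length):
    """SHA-256 over the first `length` bytes of the file at `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def content_sha256(path):
    """SHA-256 over the file's logical contents: a name ending in .gz is
    gunzipped first (the name-pattern rule proposed in the thread),
    anything else is hashed as is."""
    h = hashlib.sha256()
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_growing(path):
    """Database entry for a growing log: its size and the hash of
    everything up to that size (the 'S+hash' idea from the thread)."""
    size = os.path.getsize(path)
    return {"size": size, "prefix_sha256": prefix_sha256(path, size)}


def check_growing(path, entry):
    """Compare a growing log against its recorded entry. Passes only if the
    file has not shrunk and the old prefix still hashes the same."""
    size = os.path.getsize(path)
    if size < entry["size"]:
        return "shrunk"
    if prefix_sha256(path, entry["size"]) != entry["prefix_sha256"]:
        return "prefix changed"
    return "ok"


def demo():
    """Constructed scenario: an append (passes), a same-length overwrite
    (caught by the prefix hash, invisible to a size-only check), and a
    rotated mainlog.1 / mainlog.2.gz pair that hash to the same contents."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "mainlog")
        with open(log, "wb") as f:                      # constructed sample line
            f.write(b"2007-03-18 10:00:01 login ok user=alice\n")
        entry = record_growing(log)

        # legitimate growth: a new line is appended after the recorded prefix
        with open(log, "ab") as f:
            f.write(b"2007-03-18 10:00:05 login ok user=bob\n")
        results["append"] = check_growing(log, entry)

        # tampering: first line replaced by one of identical length, file still larger
        with open(log, "r+b") as f:
            f.write(b"2007-03-18 10:00:01 login ok user=mallo\n")
        results["overwrite"] = check_growing(log, entry)
        results["size_only"] = os.path.getsize(log) >= entry["size"]

        # rotation: mainlog.1 is compressed into mainlog.2.gz with identical contents
        plain = os.path.join(d, "mainlog.1")
        with open(plain, "wb") as f:
            f.write(b"older line\n" * 100)
        packed = os.path.join(d, "mainlog.2.gz")
        with open(plain, "rb") as src, gzip.open(packed, "wb") as dst:
            dst.write(src.read())
        results["rotated_equal"] = content_sha256(plain) == content_sha256(packed)
        with open(packed, "rb") as f:                   # raw bytes of the .gz differ
            results["raw_differs"] = hashlib.sha256(f.read()).hexdigest() != content_sha256(plain)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that `check_growing` can only run with the `entry` produced by an earlier `record_growing`, which is exactly the dependency on the stored size that Pablo raises above: the check is meaningful only across a database that is carried forward (update), not after a fresh init followed by a compare.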
