[Aide] Reporting log files

Rick van Rein rick at openfortress.nl
Tue Feb 6 12:39:38 EET 2007



Hello aide folk,

The /var/log issue is a good one -- I'm also hesitant what to do with it.
Daily reports about changes in /var/log do not really help me stay
focussed on everything that goes on in there.  Especially because Aide
only summarises the changes.  Any normal changes that can be suppressed
from Aide's output are quite welcome.

> I am currently unsure about how to solve this; any more relaxed rule
> would allow an attacker to place her root kit into the log directory.

This wouldn't be pleasant, but as stated elsewhere, it's virtually
impossible to track /tmp either.  Does that mean that we would not be
able, in general, to track root kit installations, and that we needn't
worry about root-writeable /var/log any more than we do about anybody-
writeable /tmp ?  (Of course I know there are many ways of getting
content into log files from network interfaces, but this hardly seems
exploitable.)

> And it is kind of beyond aide's scope to notice that mainlog.1 is the
> same file with its contents compressed to mainlog.2.gz.

But why?  I can imagine Aide to unpack certain files before testing them.
A simple name pattern match with /var/log/*.gz could suffice to trigger
this behaviour.


Finally, log files are not tested for their contents, but only for
growing size.  It sounds like child's play to install a root kit under
that little scrutiny -- just make a file large enough and overwrite
the logs that are in place.  (This'd assume the logs aren't monitored.)

Would it not be possible for Aide, since it records the previous
log file size, to verify checksums over the initial part of the
file comprising the old size?  So the options for a growing
logfile could include S+md5+sha1 and the hashes would know, as a
result of the S option, that the old size is to be used to record
the previous bits.

Am I correct in understanding that...?
 - this is not currently possible with Aide
 - there are no current other semantics for S+md5 c.s.

The only thing that would be counter-intuitive about this approach
would be that it is meaningful to update the recorded Aide Database even
if the check reveals no changes -- because there are unnoticed changes
to the log files that might be processed to tighten the next check.


Cheers,

Rick van Rein
OpenFortress

P.S. I follow the daily digest of this list

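The prefix-checksum idea proposed in the mail above, as an added illustration that is not Aide's code and not an option Aide offers: record the size and hash of a log once, then on the next check hash only the first `old size` bytes and compare, so an overwrite that merely keeps the file larger than before (which a size-only check would accept) is caught. Log lines and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(path, algo="sha256"):
    """Record the state to store in the database: total size plus hash of the whole file."""
    h = hashlib.new(algo)
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return {"size": size, "algo": algo, "digest": h.hexdigest()}


def check_growing(path, old):
    """Accept the file only if it has not shrunk and its first old['size'] bytes are unchanged.
    Returns (ok, reason, new_snapshot); new_snapshot is refreshed even when nothing was appended."""
    size = os.path.getsize(path)
    if size < old["size"]:
        return False, "shrunk", None
    h = hashlib.new(old["algo"])
    remaining = old["size"]
    with open(path, "rb") as f:
        while remaining > 0:           # hash exactly the old prefix, not the new tail
            chunk = f.read(min(65536, remaining))
            if not chunk:
                return False, "short read", None
            h.update(chunk)
            remaining -= len(chunk)
    if h.hexdigest() != old["digest"]:
        return False, "prefix modified", None
    return True, ("appended" if size > old["size"] else "unchanged"), snapshot(path, old["algo"])


def demo():
    """Constructed scenario: one legitimate append, then an overwrite that keeps the file growing."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "mainlog")
        with open(log, "wb") as f:
            f.write(b"Feb  6 12:00:01 host sshd[1]: Accepted publickey for rick\n")
        old = snapshot(log)
        with open(log, "ab") as f:   # normal log growth
            f.write(b"Feb  6 12:05:00 host cron[2]: (root) CMD (run-parts)\n")
        ok_append, why_append, new = check_growing(log, old)
        with open(log, "wb") as f:   # replaced contents, larger than before: size-only check passes
            f.write(b"X" * (new["size"] + 100))
        ok_tamper, why_tamper, _ = check_growing(log, new)
    return {"append": (ok_append, why_append), "tamper": (ok_tamper, why_tamper)}
```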

