Re: aide, apt-get and remote management...

2004-03-01 Thread Johannes Graumann
Would you mind sharing some of the scripting involved?

Joh

On Wed, 10 Dec 2003 23:26:21 -0500
Peter Solodov [EMAIL PROTECTED] wrote:

 On 10 Dec 2003, Douglas F. Calvert wrote:
  With all the recent discussions about debsigs and file integrity I
  have been trying to figure out the best way to deal with apt-get
  upgrades on remote machines with aide running. Does anyone have a
  good system for the management of the aide database and system
  upgrades? Or just any good aide tips would be nice as well.
 
 Here's how I do that.  I have a tightly secured well-protected
 machine.  It holds file integrity databases.  Every night it runs AIDE
 on a bunch of remote machines (AIDE binary is uploaded, then
 signatures are collected and output is shipped back to the secure
 machine).  AIDE reports are generated on the machine that initiated
 the check.  Nothing on a remote machine indicates signatures are
 collected.
 
 That's the file integrity part.  As for upgrades and updates, I never
 install anything automatically, but I have a cron job which checks if
 updates are available.  And if there are, I would log on to a machine
 and install new packages myself.
 
 - Peter
 
 -- 
 Peter Solodov| Concordia University 
 http://alcor.concordia.ca/~peter | Montreal, QC, Canada
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]
 
 



Re: aide, apt-get and remote management...

2004-01-19 Thread Lupe Christoph
On Sunday, 2004-01-18 at 13:22:27 -0800, Johannes Graumann wrote:
 Hello,

 Where are the options below from?
 I run aide 0.10, which is according to the sourceforge site the current
 one and it doesn't like it. Also as someone else mentioned:
 http://www.cs.tut.fi/~rammer/aide.html says Future plans: ...
 Encrypted and signed database.

They are in the Debian source package. I haven't gotten around to
investigating how they work, though.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |






Re: aide, apt-get and remote management...

2004-01-18 Thread Johannes Graumann
Hello,

Where are the options below from?
I run aide 0.10, which is according to the sourceforge site the current
one and it doesn't like it. Also as someone else mentioned:
http://www.cs.tut.fi/~rammer/aide.html says Future plans: ...
Encrypted and signed database.

Joh


On Fri, 12 Dec 2003 12:39:49 +0100
Adam ENDRODI [EMAIL PROTECTED] wrote:

 On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:
  
  We don't use AIDE exclusively at a client site, but in combination
  with Tripwire.  We think tripwire is a little more secure because it
  uses signed databases.
 
 Perhaps the following ./configure options will prove themselves
 useful:
 --with-confighmactype=TYPE  Hash type to use for checking config.
                             Valid values are md5 and sha1.
 --with-confighmackey=KEY    HMAC hash key to use for checking config.
                             Must be a base64 encoded byte stream.
                             Maximum string length is 31 chars.
 --with-dbhmactype=TYPE      Hash type to use for checking db.
                             Valid values are md5 and sha1.
 --with-dbhmackey=KEY        HMAC hash key to use for checking db.
                             Must be a base64 encoded byte stream.
                             Maximum string length is 31 chars.
 --enable-forced_configmd    Forces the config to have checksum.
                             Also disables --config-check
 --enable-forced_dbmd        Forces the file/pipe database's to have
                             checksum. This will be the default in the
                             next release.
 
 bit,
 adam
 
 -- 
 Am I a cleric? | 1024D/37B8D989
 Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
 Unbeliever?| 82DD 54C2 843D 37B8 D989
 Renegade?  | http://sks.dnsalias.net
 
 
 
 





Re: aide, apt-get and remote management...

2003-12-14 Thread DI Peter Burgstaller
I would like to thank everybody for their great input.
It was very useful to see your responses.
I guess the recent rootings have made us all a little more careful.

Take care, Peter

--
  Dipl.-Ing. Peter Burgstaller
  Technical Director
  @ all information network & services gmbh
  email: [EMAIL PROTECTED]
  phone: +43 662 452335
  fax  : +43 662 452335 90



Re: aide, apt-get and remote management...

2003-12-14 Thread Lupe Christoph
On Friday, 2003-12-12 at 12:39:49 +0100, Adam ENDRODI wrote:
 On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:

  We don't use AIDE exclusively at a client site, but in combination
  with Tripwire.  We think tripwire is a little more secure because it
  uses signed databases.

 Perhaps the following ./configure options will prove themselves
 useful:
 --with-confighmactype=TYPE  Hash type to use for checking config.
                             Valid values are md5 and sha1.
 --with-confighmackey=KEY    HMAC hash key to use for checking config.
                             Must be a base64 encoded byte stream.
                             Maximum string length is 31 chars.
 --with-dbhmactype=TYPE      Hash type to use for checking db.
                             Valid values are md5 and sha1.
 --with-dbhmackey=KEY        HMAC hash key to use for checking db.
                             Must be a base64 encoded byte stream.
                             Maximum string length is 31 chars.
 --enable-forced_configmd    Forces the config to have checksum.
                             Also disables --config-check
 --enable-forced_dbmd        Forces the file/pipe database's to have checksum.
                             This will be the default in the next release.

Well, I went by what is said on the website http://www.cs.tut.fi/~rammer/aide.html

 Future plans
 ...
 o Encrypted and signed database

Before I start investigating this and spend a lot of time I don't have,
can you explain what Aide does when I use those configure options? BTW,
the Debian package does not use them. There is no bug filed about this.
Should we?

 bit,

That's a miss on my acronym cache. Please expand ;-)

Thanks,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |






Re: aide, apt-get and remote management...

2003-12-12 Thread Adam ENDRODI
On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:
 
 We don't use AIDE exclusively at a client site, but in combination
  with Tripwire.  We think tripwire is a little more secure because it
 uses signed databases.

Perhaps the following ./configure options will prove themselves
useful:
--with-confighmactype=TYPE  Hash type to use for checking config.
                            Valid values are md5 and sha1.
--with-confighmackey=KEY    HMAC hash key to use for checking config.
                            Must be a base64 encoded byte stream.
                            Maximum string length is 31 chars.
--with-dbhmactype=TYPE      Hash type to use for checking db.
                            Valid values are md5 and sha1.
--with-dbhmackey=KEY        HMAC hash key to use for checking db.
                            Must be a base64 encoded byte stream.
                            Maximum string length is 31 chars.
--enable-forced_configmd    Forces the config to have checksum.
                            Also disables --config-check
--enable-forced_dbmd        Forces the file/pipe database's to have checksum.
                            This will be the default in the next release.

bit,
adam

-- 
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?| 82DD 54C2 843D 37B8 D989
Renegade?  | http://sks.dnsalias.net





Re: aide, apt-get and remote management...

2003-12-12 Thread Lupe Christoph
Hello!

We don't use AIDE exclusively at a client site, but in combination
with Tripwire.  We think tripwire is a little more secure because it
uses signed databases. So we protect aide.db with Tripwire. AIDE is
used for the parts tripwire can't do because of its limited
configurability.

Here is an AIDE policy we use at the client site:

=/root$ StaticDir
/root/.bash_history Databases
/root/.ncftp/prefs ConfFiles
/root/.ncftp/firewall ConfFiles
/root/.ncftp/prefs_v3 ConfFiles
/root/.ncftp Databases
/root/.razor/razor-agent.conf ConfFiles
/root/.razor/ Databases
/root/.spamassassin Databases
/root/.viminfo Databases
/root/ ConfFiles

/etc$ StaticDir
/etc/ntp.drift Databases
/etc/ ConfFiles

/dev$ StaticDir
/dev/ Databases
=/dev/pts$ StaticDir
!/dev/pts/

/var/run$ StaticDir
/var/run/ Databases

=/etc/tripwire$ R-tiger-rmd160-sha1
/etc/tripwire/pinot-local.key   R
/etc/tripwire/site.key          R
/etc/tripwire/tw.cfg            R
/etc/tripwire/twcfg.txt         R
/etc/tripwire/twpol.txt         E+p+n+u+g
/etc/tripwire/tw.pol            E+p+n+u+g
/etc/tripwire/tw.pol.bak        E+p+n+u+g


This is the twpol.txt:

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /boot             -> $(SEC_CRIT) ;
  /lib/modules      -> $(SEC_CRIT) ;
}
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /bin              -> $(SEC_BIN) ;
  /sbin             -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /lib              -> $(SEC_BIN) ;
}
#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /var/lock         -> $(SEC_CONFIG) ;
# /var/run          -> $(SEC_CONFIG) ; # daemon PIDs
# /var/log          -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /dev              -> $(Device) ;
  !/dev/pts ;
# /proc             -> $(Device) ;
  /proc/bus         -> $(Device) ;
  /proc/cmdline     -> $(Device) ;
  /proc/cpuinfo     -> $(Device) ;
  /proc/devices     -> $(Device) ;
  /proc/dma         -> $(Device) ;
  /proc/driver      -> $(Device) ;
  /proc/execdomains -> $(Device) ;
  /proc/fb          -> $(Device) ;
  /proc/filesystems -> $(Device) ;
  /proc/fs          -> $(Device) ;
  /proc/ide         -> $(Device) ;
  /proc/interrupts  -> $(Device) ;
  /proc/iomem       -> $(Device) ;
  /proc/ioports     -> $(Device) ;
  /proc/irq         -> $(Device) ;
  /proc/kcore       -> $(Device) ;
  /proc/kmsg        -> $(Device) ;
  /proc/ksyms       -> $(Device) ;
  /proc/loadavg     -> $(Device) ;
  /proc/locks       -> $(Device) ;
  /proc/mdstat      -> $(Device) ;
  /proc/meminfo     -> $(Device) ;
  /proc/misc        -> $(Device) ;
  /proc/modules     -> $(Device) ;
  /proc/mounts      -> $(Device) ;
  /proc/mtrr        -> $(Device) ;
  /proc/net         -> $(Device) ;
  /proc/partitions  -> $(Device) ;
  /proc/pci         -> $(Device) ;
  /proc/self        -> $(Device) ;
  /proc/slabinfo    -> $(Device) ;
  /proc/stat        -> $(Device) ;
  /proc/swaps       -> $(Device) ;
  /proc/sys         -> $(Device) ;
  /proc/sysvipc     -> $(Device) ;
  /proc/tty         -> $(Device) ;
  /proc/uptime      -> $(Device) ;
  /proc/version     -> $(Device) ;
}
#
# Binaries
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
  /usr/local/sbin   -> $(SEC_BIN) ;
  /usr/local/bin    -> $(SEC_BIN) ;
  /usr/sbin         -> $(SEC_BIN) ;
  /usr/bin          -> $(SEC_BIN) ;
}
#
# Libraries
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
  /usr/local/lib    -> $(SEC_BIN) ;
  /usr/lib          -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{


Re: aide, apt-get and remote management...

2003-12-11 Thread DI Peter Burgstaller
Hi there,

I'm trying to use aide now as well .. but with the default debian 
config .. it produces
every day massive changes .. especially to the /var/log/* files due to 
logrotate.

Any reasonable settings that account for that?

Any advice would be greatly appreciated.
Cheers, Peter
--
  Dipl.-Ing. Peter Burgstaller
  Technical Director
  @ all information network & services gmbh
  email: [EMAIL PROTECTED]
  phone: +43 662 452335
  fax  : +43 662 452335 90


Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, DI Peter Burgstaller wrote:
 Hi there,

 I'm trying to use aide now as well .. but with the default debian
 config .. it produces every day massive changes .. especially to the
 /var/log/* files due to logrotate.

 Any reasonable settings that account for that?

Modify AIDE's config to suit your needs.  Here's what works for me:

  # check user, group and permissions
  /var/log u+g+p
  # expect files to grow
  /var/log/.* >
  # permissions, user, group, number of links, and growing size for
  # syslog logs
  /var/log/syslog/.* p+u+g+n+S
  # don't check any of the following log directories
  =/var/log/(sysstat|setuid|apache|exim|ksymoops) R

And I don't use Debian package, I've compiled AIDE myself.  The config
files I'm using probably have very little in common with what Debian
supplies.

- Peter

-- 
Peter Solodov| Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada





Re: aide, apt-get and remote management...

2003-12-11 Thread Adam ENDRODI
On Thu, Dec 11, 2003 at 12:44:27PM +0100, DI Peter Burgstaller wrote:
 
 I'm trying to use aide now as well .. but with the default debian 
 config .. it produces
 every day massive changes .. especially to the /var/log/* files due to 
 logrotate.
 
 Any reasonable settings that account for that?

Peter Solodov has provided valuable suggestions.  What I would
like to add is that in my opinion you shouldn't try to eliminate
all occurrences of reports about expected file changes.  Instead
let AIDE complain and utilize some mechanism to sort the report
entries according to their importance.  For example, you could
create a script which reorders the report so that changes made
to files under /usr/bin come first, then modifications detected
in /etc and finally any activity in the /var hierarchy.  If
you're smart enough the output could be colorized as well.

bit,
adam

-- 
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?| 82DD 54C2 843D 37B8 D989
Renegade?  | http://pgpkeys.mit.edu





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Wed, 2003-12-10 at 23:26, Peter Solodov wrote:
 That's the file integrity part.  As for upgrades and updates, I never
 install anything automatically, but I have a cron job which checks if
 updates are available.  And if there are, I would log on to a machine
 and install new packages myself.
 
 

I have been meaning to automate the upload/checking process. Thanks for
the motivation. I don't do the upgrades automatically either. When I do
the files are obviously different in the aide database and I am wondering
if anyone has come up with a way to deal with these differences. 


-- 
Douglas F. Calvert [EMAIL PROTECTED]





Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, Douglas F. Calvert wrote:
 When I do the files are obviously different in the aide database and
 I wondering if anyone has come up with a way to deal with these
 differences.

Do you mean that new signatures don't match the ones in database?  In
this case you review changes and if you're satisfied they are
expected, just replace old database with new one.  You need to keep
database up to date.  My AIDE reports are usually pretty short unless
something big happens, like new packages, or reboot.

- Peter

-- 
Peter Solodov| Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Thu, 2003-12-11 at 06:44, DI Peter Burgstaller wrote:
 Hi there,
 
 I'm trying to use aide now as well .. but with the default debian 
 config .. it produces
 every day massive changes .. especially to the /var/log/* files due to 
 logrotate.
 
 Any reasonable settings that account for that?

You need to edit the file yourself. The package prompts you to do so at
installation. I am a little confused about motivation for inclusion of
log files in the database though...


-- 
Douglas F. Calvert [EMAIL PROTECTED]





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Thu, 2003-12-11 at 13:24, Peter Solodov wrote:
 On 11 Dec 2003, Douglas F. Calvert wrote:
  When I do the files are obviously different in the aide database and
  I wondering if anyone has come up with a way to deal with these
  differences.
 
 Do you mean that new signatures don't match the ones in database?  In
 this case you review changes and if you're satisfied they are
 expected, just replace old database with new one.  You need to keep
 database up to date.  My AIDE reports are usually pretty short unless
 something big happens, like new packages, or reboot.

This is the problem. I am having trouble implementing a solution to
update the database after an upgrade and still maintain its validity.




-- 
--dfc
Douglas F. Calvert
http://anize.org/dfc/
GPG Key: 0xC9541FB2


signature.asc
Description: This is a digitally signed message part


Re: aide, apt-get and remote management...

2003-12-11 Thread Rolf Kutz
* Quoting Douglas F. Calvert ([EMAIL PROTECTED]):
 
 This is the problem. I am having trouble implementing a solution to
 update the database after an upgrade and still maintain its validity.

Run aide --update right after the upgrade and
compare the output with dpkg -L of the package.
Then replace /var/lib/aide.db with /var/lib/aide.db.new.

- Rolf






aide, apt-get and remote management...

2003-12-10 Thread Douglas F. Calvert
Hello,
 With all the recent discussions about debsigs and file integrity I have
been trying to figure out the best way to deal with apt-get upgrades on
remote machines with aide running. Does anyone have a good system for
the management of the aide database and system upgrades? Or just any
good aide tips would be nice as well. 
Thanks...


 
-- 
Douglas F. Calvert [EMAIL PROTECTED]





Re: aide, apt-get and remote management...

2003-12-10 Thread Peter Solodov
On 10 Dec 2003, Douglas F. Calvert wrote:
 With all the recent discussions about debsigs and file integrity I
 have been trying to figure out the best way to deal with apt-get
 uprgades on remote machines with aide running. Does anyone have a
 good system for the management of the aide database and system
 upgrades? Or just any good aide tips would be nice as well.

Here's how I do that.  I have a tightly secured well-protected
machine.  It holds file integrity databases.  Every night it runs AIDE
on a bunch of remote machines (AIDE binary is uploaded, then
signatures are collected and output is shipped back to the secure
machine).  AIDE reports are generated on the machine that initiated
the check.  Nothing on a remote machine indicates signatures are
collected.

That's the file integrity part.  As for upgrades and updates, I never
install anything automatically, but I have a cron job which checks if
updates are available.  And if there are, I would log on to a machine
and install new packages myself.

- Peter

-- 
Peter Solodov| Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada
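The central-host workflow Peter describes (AIDE binary pushed out, signatures collected, report generated at home, nothing left on the remote), as an added example in Python. This is my code, not Peter's script and not part of AIDE or the Debian package. It assumes the integrity host keeps a baseline aide.db and an aide.rules file per remote under a base directory, has a statically linked AIDE binary to push, reaches the remotes over ssh with key-based login, and that the remotes have sh, tar and mktemp; the database is assumed to be written as text (gzip_dbout=no). The runner parameter exists so the transport can be swapped for a fake and the logic exercised without a remote host.

```python
"""Agentless AIDE run driven from a central integrity host.

Added example, not Peter's script.  Assumptions (none from the thread):
the central host keeps, per remote, an accepted baseline database and a
rules file under <base>/<host>/, plus a statically linked AIDE binary to
push; the remote has sh, tar and mktemp; the database is written as text
(gzip_dbout=no); the transport is ssh with key-based login.
"""
import io
import os
import shutil
import subprocess
import tarfile
from typing import Callable, Tuple

# runner(host, sh_command, stdin_bytes) -> stdout_bytes; swapped for a fake in tests
Runner = Callable[[str, str, bytes], bytes]


def ssh_runner(host: str, cmd: str, stdin: bytes) -> bytes:
    """Run `cmd` under the remote login shell over ssh, feeding it stdin."""
    return subprocess.run(["ssh", "-o", "BatchMode=yes", host, cmd],
                          input=stdin, stdout=subprocess.PIPE, check=True).stdout


# Binary and config land in a mktemp directory that is wiped afterwards, so
# the remote keeps no AIDE binary, config or database that would reveal a check.
REMOTE_CMD = (
    'd=$(mktemp -d) && cd "$d" && tar xf - && '
    './aide --init --config=./aide.conf >/dev/null 2>&1; '
    'cat aide.db.new; cd / && rm -rf "$d"'
)


def build_payload(aide_binary: bytes, rules: str) -> bytes:
    """Tar stream with the binary and a config that writes the db next to it.

    database_out is relative, i.e. inside the directory AIDE is started in.
    """
    conf = ("database_out=file:aide.db.new\n" + rules).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mode in (("aide", aide_binary, 0o700),
                                 ("aide.conf", conf, 0o600)):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def collect_database(host: str, payload: bytes, runner: Runner = ssh_runner) -> bytes:
    """Push the payload, run `aide --init` remotely, stream the new db back."""
    db = runner(host, REMOTE_CMD, payload)
    if not db.startswith(b"@@begin_db"):     # first line of an AIDE text database
        raise RuntimeError(f"{host}: no AIDE database came back")
    return db


def compare_locally(rules: str, baseline: str, fetched: str,
                    aide: str = "aide") -> Tuple[int, str]:
    """Diff fetched vs baseline on the secure host; the report never touches the remote.

    database=/database_new= are the option names of the 0.10-era AIDE; newer
    releases spell the first one database_in=.
    """
    conf = f"database=file:{baseline}\ndatabase_new=file:{fetched}\n" + rules
    proc = subprocess.run([aide, "--compare", "--config=-"], input=conf.encode(),
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, proc.stdout.decode(errors="replace")


def check_host(host: str, base: str, aide_binary: str,
               runner: Runner = ssh_runner) -> Tuple[int, str]:
    """One nightly run for one host: returns AIDE's exit status and report text."""
    hostdir = os.path.join(base, host)
    with open(os.path.join(hostdir, "aide.rules")) as f:
        rules = f.read()
    with open(aide_binary, "rb") as f:
        payload = build_payload(f.read(), rules)
    fetched = os.path.join(hostdir, "aide.db.new")
    with open(fetched, "wb") as f:
        f.write(collect_database(host, payload, runner))
    return compare_locally(rules, os.path.join(hostdir, "aide.db"), fetched)


def accept_new_baseline(base: str, host: str) -> None:
    """After a human has reviewed the report: the fetched db becomes the baseline."""
    hostdir = os.path.join(base, host)
    shutil.move(os.path.join(hostdir, "aide.db"), os.path.join(hostdir, "aide.db.prev"))
    shutil.move(os.path.join(hostdir, "aide.db.new"), os.path.join(hostdir, "aide.db"))
```

Run it from cron on the integrity host, one check_host() per remote, and mail the report; call accept_new_baseline() only after the differences have been reviewed. One caveat worth stating plainly: the uploaded binary runs under whatever kernel the remote has, so a kernel-level rootkit can still feed it false data. What this layout buys is that the baseline and the report never sit on the machine being checked, and that nothing is left behind to show a check happened.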




