Re: aide, apt-get and remote management...

2003-12-11 Thread DI Peter Burgstaller
Hi there,

I'm trying to use aide now as well .. but with the default debian 
config .. it produces
every day massive changes .. especially to the /var/log/* files due to 
logrotate.

Any reasonable settings that account for that?

Any advice would be greatly appreciated.
- Cheers, Peter
--
  Dipl.-Ing. Peter Burgstaller
  Technical Director
  @ all information network  services gmbh
  email: [EMAIL PROTECTED]
  phone: +43 662 452335
  fax  : +43 662 452335 90
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, DI Peter Burgstaller wrote:
> Hi there,
>
> I'm trying to use aide now as well .. but with the default debian
> config .. it produces every day massive changes .. especially to the
> /var/log/* files due to logrotate.
>
> Any reasonable settings that account for that?

Modify AIDE's config to suit your needs.  Here's what works for me:

  # check user, group and permissions
  /var/log u+g+p
  # expect files to grow
  /var/log/.* >
  # permissions, user, group, number of links, and growing size for
  # syslog logs
  /var/log/syslog/.* p+u+g+n+S
  # don't check any of the following log directories
  =/var/log/(sysstat|setuid|apache|exim|ksymoops) R

And I don't use Debian package, I've compiled AIDE myself.  The config
files I'm using probably have very little in common with what Debian
supplies.

- Peter

-- 
Peter Solodov                    | Concordia University
http://alcor.concordia.ca/~peter | Montreal, QC, Canada





Does ucd-snmp have security issue that net-snmp before 5.0.9 has ?

2003-12-11 Thread Hideki Yamane
Hi list,

 A few days ago, I received Redhat Errata Alert about Net-SNMP
 package. 

 Vulnerability References:
  http://sourceforge.net/forum/forum.php?forum_id=308015

 # that security fix was announced 3 months ago, I don't know
   about why Redhat release fixed-package so late ;)


 Debian's Net-SNMP package is not affected for it (except testing 
 - net-snmp 5.0.7-1.1 is there. it would be vulnerable), but there
 is  no information about ucd-snmp package. Net-SNMP was known as
 ucd-snmp, and Woody has ucd-snmp package. Just I'm worried 
 about if there is vulnerability or not.


 Does anyone know about this?

 

 
 
-- 
Regards,

 Hideki Yamane    mailto:henrich @ samba.gr.jp/iijmio-mail.jp

I thought what I'd do was, I'd pretend I was one of those deaf-mutes.
  from Ghost in the shell - Stand Alone Complex





Re: aide, apt-get and remote management...

2003-12-11 Thread Adam ENDRODI
On Thu, Dec 11, 2003 at 12:44:27PM +0100, DI Peter Burgstaller wrote:
 
> I'm trying to use aide now as well .. but with the default debian
> config .. it produces
> every day massive changes .. especially to the /var/log/* files due to
> logrotate.
>
> Any reasonable settings that account for that?

Peter Solodov has provided valuable suggestions.  What I would
like to add is that in my opinion you shouldn't try to eliminate
all occurrences of reports about expected file changes.  Instead
let AIDE complain and utilize some mechanism to sort the report
entries according to their importance.  For example, you could
create a script which reorders the report so that changes made
to files under /usr/bin come first, then modifications detected
in /etc and finally any activity in the /var hierarchy.  If
you're smart enough the output could be colorized as well.

bit,
adam

-- 
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever? | 82DD 54C2 843D 37B8 D989
Renegade?  | http://pgpkeys.mit.edu
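
One way to do the reordering Adam describes, as an added example that is not part of the original message. It assumes the report lists entries as "added:/path", "removed:/path" or "changed:/path" (adjust the pattern for other AIDE versions), and it places paths outside the three named trees between /etc and /var, which is a choice made here; the sample report is constructed.

```sh
#!/bin/sh
# Added example: reorder AIDE report entries by how much the path matters.
# Assumed entry format: "added:/path", "removed:/path", "changed:/path".

# stdin: AIDE report. stdout: "rank<TAB>kind<TAB>path", most important first.
rank_report() {
    awk -F: '
        /^(added|removed|changed):\// {
            path = substr($0, length($1) + 2)   # keep colons inside the path
            if      (path ~ /^\/usr\/bin\//) rank = 1
            else if (path ~ /^\/etc\//)      rank = 2
            else if (path ~ /^\/var\//)      rank = 4
            else                             rank = 3   # everything else
            printf "%d\t%s\t%s\n", rank, $1, path
        }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1n -k3
}

# Constructed sample report (not real AIDE output).
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
Total number of files=41213,added files=1,removed files=0,changed files=4

Added files:
added:/var/log/syslog/messages.1.gz
Changed files:
changed:/var/log/syslog/messages
changed:/etc/passwd
changed:/opt/tool/run.sh
changed:/usr/bin/passwd
EOF
}

sample_report | rank_report
```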





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Wed, 2003-12-10 at 23:26, Peter Solodov wrote:
> That's the file integrity part.  As for upgrades and updates, I never
> install anything automatically, but I have a cron job which checks if
> updates are available.  And if there are, I would log on to a machine
> and install new packages myself.

I have been meaning to automate the upload/checking process. Thanks for
the motivation. I don't do the upgrades automatically either. When I do
the files are obviously different in the aide database and I am wondering
if anyone has come up with a way to deal with these differences.


-- 
Douglas F. Calvert [EMAIL PROTECTED]





Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, Douglas F. Calvert wrote:
> When I do the files are obviously different in the aide database and
> I am wondering if anyone has come up with a way to deal with these
> differences.

Do you mean that new signatures don't match the ones in database?  In
this case you review changes and if you're satisfied they are
expected, just replace old database with new one.  You need to keep
database up to date.  My AIDE reports are usually pretty short unless
something big happens, like new packages, or reboot.

- Peter

-- 
Peter Solodov                    | Concordia University
http://alcor.concordia.ca/~peter | Montreal, QC, Canada





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Thu, 2003-12-11 at 06:44, DI Peter Burgstaller wrote:
> Hi there,
>
> I'm trying to use aide now as well .. but with the default debian
> config .. it produces
> every day massive changes .. especially to the /var/log/* files due to
> logrotate.
>
> Any reasonable settings that account for that?

You need to edit the file yourself. The package prompts you to do so at
installation. I am a little confused about motivation for inclusion of
log files in the database though...


-- 
Douglas F. Calvert [EMAIL PROTECTED]





Re: aide, apt-get and remote management...

2003-12-11 Thread Douglas F. Calvert
On Thu, 2003-12-11 at 13:24, Peter Solodov wrote:
> On 11 Dec 2003, Douglas F. Calvert wrote:
>> When I do the files are obviously different in the aide database and
>> I am wondering if anyone has come up with a way to deal with these
>> differences.
>
> Do you mean that new signatures don't match the ones in database?  In
> this case you review changes and if you're satisfied they are
> expected, just replace old database with new one.  You need to keep
> database up to date.  My AIDE reports are usually pretty short unless
> something big happens, like new packages, or reboot.

This is the problem. I am having trouble implementing a solution to
update the database after an upgrade and still maintain its validity.




-- 
--dfc
Douglas F. Calvert
http://anize.org/dfc/
GPG Key: 0xC9541FB2




Re: aide, apt-get and remote management...

2003-12-11 Thread Rolf Kutz
* Quoting Douglas F. Calvert ([EMAIL PROTECTED]):
 
> This is the problem. I am having trouble implementing a solution to
> update the database after an upgrade and still maintain its validity.

Run aide --update right after the upgrade and
compare the output with dpkg -L of the package.
Then replace /var/lib/aide.db with /var/lib/aide.db.new.

- Rolf
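
The comparison Rolf describes, as an added example that is not part of the original message: it lists the paths AIDE reports that the upgraded packages do not own, and replaces the database only when that list is empty. The function names are hypothetical, the "added:/path" report format is an assumption, and the demo input is constructed.

```sh
#!/bin/sh
# Added example: after an upgrade, accept aide.db.new only if every path
# AIDE reports is owned by the upgraded packages.
# Assumed entry format: "added:/path", "removed:/path", "changed:/path".
# Real use: aide --update > report; dpkg -L PACKAGE > owned

# $1 = AIDE report file, $2 = file holding the `dpkg -L` output.
# Prints reported paths that the packages do not explain.
unexplained_changes() {
    sed -n -E 's/^(added|removed|changed)://p' "$1" | LC_ALL=C sort -u |
        grep -Fxv -f "$2" || true    # grep exits 1 when nothing is left
}

# $3 / $4 = new and current database (defaults are the paths in the thread).
promote_if_clean() {
    left=$(unexplained_changes "$1" "$2")
    if [ -n "$left" ]; then
        printf 'review before replacing the database:\n%s\n' "$left" >&2
        return 1
    fi
    mv -- "${3:-/var/lib/aide.db.new}" "${4:-/var/lib/aide.db}"
}

# Constructed demo input (not real AIDE or dpkg output).
demo() {
    d=$(mktemp -d) || return 1
    printf 'changed:/usr/bin/ssh\nchanged:/bin/ls\n' > "$d/report"
    printf '/usr/bin/ssh\n' > "$d/owned"
    unexplained_changes "$d/report" "$d/owned"   # prints /bin/ls
    rm -rf "$d"
}
demo
```

Files written by maintainer scripts are not listed by dpkg -L, so they show up as unexplained and get a manual look before the database is replaced.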




