Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-18 Thread Marc Haber
On Wed, Jan 17, 2007 at 04:50:48PM +0100, Marc Haber wrote:
 I have found that the _apt_ rules are a horrible mess and will re-work
 them completely in the next version. Don't submit any patches against
 the current versions as it is likely that the new rules will not
 remotely resemble the current ones.

I have rewritten the apt rule as a script and implemented a small
/etc/apt/sources.list parser. This, as a convenience, eliminated the
need for separate stable and unstable rules, and also caters correctly
for the arch.

Here is a preliminary version:
#!/bin/bash

SOURCESLIST=/etc/apt/sources.list
LISTSDIR=/var/lib/apt/lists
ARCH=$(dpkg --print-architecture)

while read -r deb uri dist comp; do
  # skip blank lines and comments
  case "$deb" in ''|\#*) continue ;; esac
  PROTOCOL=$(echo "$uri" | sed 's|\([^:]\+\).*|\1|')
  if [ "$PROTOCOL" = http ] || [ "$PROTOCOL" = ftp ]; then
    HOST=$(echo "$uri" | sed 's|.*//\([^/[:space:]]\+\).*|\1|')
    HOSTPATH=$(echo "$uri" | sed 's|.*//[^/[:space:]]\+/\?||;s|/|_|g;s|^\(.\+\)$|_\1|')
    # apt writes a "/" in the dist name (e.g. etch/updates) as "_"
    dist=${dist//\//_}
    if [ -n "$DEBUG" ]; then
      echo "uri $uri"
      echo "HOST $HOST"
      echo "HOSTPATH $HOSTPATH"
    fi
    if [ "$deb" = deb ]; then
      for c in $comp; do
        echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_binary-${ARCH}_Packages(\.IndexDiff)?\$ VarFile"
        echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_Release(\.gpg)?\$ VarFile"
      done
    elif [ "$deb" = deb-src ]; then
      : # source indexes are not handled yet
    fi
  else
    : # other protocols are not supported. If you feel like they should
    : # please give a good reason and probably a patch.
  fi
  echo -e "\n\n"
done < "$SOURCESLIST"

echo "${LISTSDIR}(/partial)?\$ VarDir"
echo "${LISTSDIR}/lock\$ VarFile"

If you want to, give it a try.

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things. Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-18 Thread Tim Stoop


On 18 Jan 2007, at 9:02, Marc Haber wrote:

 I have rewritten the apt rule as a script and implemented a small
 /etc/apt/sources.list parser.

Nice work!

 If you want to, give it a try.

Your (bash|sed)-fu is greater than mine. Did find a small thing,
though. My /var/lib/apt/lists files are (only listing relevant parts
for the error I found):


ftp.unnet.nl_debian_dists_etch_main_binary-amd64_Packages
ftp.unnet.nl_debian_dists_etch_main_binary-amd64_Packages.IndexDiff
ftp.unnet.nl_debian_dists_etch_Release
ftp.unnet.nl_debian_dists_etch_Release.gpg


And the generated lines are:


/var/lib/apt/lists/ftp.unnet.nl_debian__dists_etch_main_binary-amd64_Packages(\.IndexDiff)?$ VarFile
/var/lib/apt/lists/ftp.unnet.nl_debian__dists_etch_Release(\.gpg)?$ VarFile



Note in particular the double underscore in front of dists.

My sources.list:


deb http://ftp.unnet.nl/debian/ etch main


When enabling DEBUG, I found the problem:

HOSTPATH _debian_

So I changed line 11 of your script to:

HOSTPATH=$(echo $uri | sed 's|.*//[^/[:space:]]\+/\?||;s|/|_|g;s|^\(.\+\)$|_\1|' | sed 's|_$||')


Which fixes the problem.

Hope this helps.

--
Kind regards,
Tim Stoop
Cidev v.o.f.
http://www.cidev.nl
Chamber of Commerce (KvK) number: 14072991







Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-18 Thread Marc Haber
On Thu, Jan 18, 2007 at 09:45:43AM +0100, Tim Stoop wrote:
 When enabling DEBUG, I found the problem:
 
 HOSTPATH _debian_
 
 So I changed line 11 of your script to:
 
 HOSTPATH=$(echo $uri | sed 's|.*//[^/[:space:]]\+/\?||;s|/|_|g;s|^\(.\+\)$|_\1|' | sed 's|_$||')
 
 Which fixes the problem.

HOSTPATH=$(echo $uri | sed 's|.*//[^/[:space:]]\+/\?||;s|/$||;s|/|_|g;s|^\(.\+\)$|_\1|')

is my new version.

Greetings
Marc

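An added Python reimplementation of the sources.list-to-list-file mapping from the script above (not Marc's code, and not part of the aide package), using Tim's posted entry and file names as constructed sample data. It carries both the preliminary HOSTPATH behaviour and Marc's trailing-slash fix, so the double-underscore mismatch can be checked against the real file names rather than spotted by eye:

```python
import re

LISTSDIR = "/var/lib/apt/lists"

# Constructed sample: the sources.list entry and the list files Tim posted.
SOURCES_LIST = "deb http://ftp.unnet.nl/debian/ etch main\n"
LIST_FILES = [
    "ftp.unnet.nl_debian_dists_etch_main_binary-amd64_Packages",
    "ftp.unnet.nl_debian_dists_etch_main_binary-amd64_Packages.IndexDiff",
    "ftp.unnet.nl_debian_dists_etch_Release",
    "ftp.unnet.nl_debian_dists_etch_Release.gpg",
]


def hostpath(uri, fixed=True):
    """Turn the path part of a mirror URI into apt's list-file infix.

    fixed=False mirrors the preliminary sed: the trailing slash of
    "http://ftp.unnet.nl/debian/" survives and becomes "_debian_", hence
    the double underscore.  fixed=True applies Marc's correction and
    strips a trailing slash before "/" is rewritten to "_".
    """
    path = re.sub(r".*//[^/\s]+/?", "", uri)
    if fixed:
        path = re.sub(r"/$", "", path)
    path = path.replace("/", "_")
    return "_" + path if path else ""


def apt_rules(sources_list, arch, fixed=True):
    """Build aide VarFile rules for every http/ftp 'deb' entry."""
    rules = []
    for line in sources_list.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "deb":
            continue  # blank lines, comments, deb-src
        _, uri, dist, *comps = parts
        if uri.split(":", 1)[0] not in ("http", "ftp"):
            continue
        host = re.sub(r".*//([^/\s]+).*", r"\1", uri)
        prefix = f"{LISTSDIR}/{host}{hostpath(uri, fixed)}_dists_{dist.replace('/', '_')}"
        for c in comps:
            rules.append(f"{prefix}_{c}_binary-{arch}_Packages(\\.IndexDiff)?$ VarFile")
        rules.append(f"{prefix}_Release(\\.gpg)?$ VarFile")
    return rules


def matched_files(rules, files):
    """Return the list files that some generated rule's regex covers."""
    regexes = [re.compile("^" + r.rsplit(" ", 1)[0]) for r in rules]
    return [f for f in files if any(rx.match(f"{LISTSDIR}/{f}") for rx in regexes)]
```

With the preliminary behaviour none of Tim's four files match the generated rules; with the fix all four do, which is the check worth running after editing these regexes.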



Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-17 Thread Marc Haber
On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
 Default syslog installation includes /var/log/mail.err and 
 /var/log/mail.warn, both are rotated. So I added them to 31_aide_syslog.

Done in svn, new line is now
@@define LOGFILES (messages|syslog|(auth|daemon|user)\.log|mail\.(log|err|warn|info))

 Since cron-apt downloads new indexes each night and I don't need a 
 confirmation of that each day, I use:
 !/var/cache/apt/lists

There are actually rules for this, see 31_aide_apt_stable and
31_aide_apt_unstable. But, alas, these rules have my local mirror
hardcoded and are thus useless to external users. I'll fix this asap
by introducing a macro.

 Also, my cron-apt config tells the program to download updated packages. 
 Since it already mails me about that, I disable checking of that 
 directory too, since it only duplicates a message cron-apt already sends 
 me (and I'd like to keep warnings to an absolute minimum, to be sure I 
 don't tire of them), I use:
 !/var/cache/apt/archives
 It would probably be better to at least check the settings of the 
 directory (user, etc.) instead of completely ignoring it.

I consider this a bad idea, since this would make
/var/cache/apt/archives a good place for an attacker to hide local
persistent files. That won't happen in the package.

There is already a rule file 31_aide_apt_frqchg which should cater for
frequently changing apt files. 31_aide_apt_unstable also excludes
package files by means of
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$

Greetings
Marc




Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-17 Thread Tim Stoop

Hi Marc,

Thanks for taking the time to look at my changes!

On 17-jan-2007, at 15:46, Marc Haber wrote:

 On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
 Since cron-apt downloads new indexes each night and I don't need a
 confirmation of that each day, I use:
 !/var/cache/apt/lists
 
 There are actually rules for this, see 31_aide_apt_stable and
 31_aide_apt_unstable. But, alas, these rules have my local mirror
 hardcoded and are thus useless to external users. I'll fix this asap
 by introducing a macro.

Ah yes, much better. Would a line like:
@@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
in /etc/aide/aide.conf work? If so, I might be able to take some work
off your hands and create a patch for this. (By copying 31_aide_syslog,
mostly, and the already-in-place code.)

 !/var/cache/apt/archives
 
 I consider this a bad idea, since this would make
 /var/cache/apt/archives a good place for an attacker to hide local
 persistent files. That won't happen in the package.

True, but if an attacker would be smart enough to check the default
aide config to determine which directory would be safe to plant an
executable in...

 There is already a rule file 31_aide_apt_frqchg which should cater for
 frequently changing apt files. 31_aide_apt_unstable also excludes
 package files by means of
 !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$

... don't you think he'll be smart enough to name it something so
this regex will fit?

If someone figures out /var/cache/apt/archives is safe, he'll figure
out blabla_all.deb is a safe filename. I think not catching these
false alarms (at least when cron-apt is installed) does far more harm
(i.e. people will get tired of the false alarms and uninstall aide or
something) than leaving the directory unsafe.

OTOH, I'm no security guru so maybe I misinterpret something here :)

The real solution here is probably to add this file to the cron-apt
package instead of always on by default. Just my 2 cents, here.

At least, please change the regex to:
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$

Or even safer, maybe have another macro in the config file that sets
the arch used (is that automatable with debconf or something? wild
guess here) and allow that and all?




Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-17 Thread Marc Haber
On Wed, Jan 17, 2007 at 04:32:35PM +0100, Tim Stoop wrote:
 On 17-jan-2007, at 15:46, Marc Haber wrote:
 On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
 Since cron-apt downloads new indexes each night and I don't need a
 confirmation of that each day, I use:
 !/var/cache/apt/lists
 
 There are actually rules for this, see 31_aide_apt_stable and
 31_aide_apt_unstable. But, alas, these rules have my local mirror
 hardcoded and are thus useless to external users. I'll fix this asap
 by introducing a macro.
 
 Ah yes, much better. Would a line like:
 @@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
 in /etc/aide/aide.conf work? If so, I might be able to take some work  
 off your hands and create a patch for this. (By copying  
 31_aide_syslog, mostly, and the already-in-place code.)

I have found that the _apt_ rules are a horrible mess and will re-work
them completely in the next version. Don't submit any patches against
the current versions as it is likely that the new rules will not
remotely resemble the current ones.

 !/var/cache/apt/archives
 
 I consider this a bad idea, since this would make
 /var/cache/apt/archives a good place for an attacker to hide local
 persistent files. That won't happen in the package.
 
 True, but if an attacker would be smart enough to check the default  
 aide config to determine which directory would be safe to plant an  
 executable in...

Yes, that's kind of a red herring, but I'd like to assume that an
attacker might know which directories are likely to be busy on a
Debian system but might miss the fact that aide is in use.

 There is already a rule file 31_aide_apt_frqchg which should cater for
 frequently changing apt files. 31_aide_apt_unstable also excludes
 package files by means of
 !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$
 
 ... don't you think he'll be smart enough to name it something so  
 this regex will fit?

He might, but he might not. Excluding an entire directory is something
I'd like to avoid here. Additionally, *.deb files in that directory
might confuse apt so that the files placed there might be noticed by
the admin. There needs to be some compromise.

 If someone figures out /var/cache/apt/archives is safe, he'll figure  
 out blabla_all.deb is a safe filename. I think not catching these  
 false alarms (at least when cron-apt is installed) does far more harm  
 (ie. people will get tired of the false alarms and uninstall aide or  
 something) than leaving the directory unsafe.

The regexp that is already in the packages is supposed to mask the
regular changes to the directory. I have cron-apt running on an hourly
basis on unstable systems and the rule in the package keeps
/var/cache/apt/archives out of the reports.

 The real solution here is probably to add this file to the cron-apt  
 package instead of always on by default.

Yes, other packages' maintainers are cordially invited to include aide
rules in their packages. See NEWS.Debian for 0.11a-3. It is only that
I do not have the time to ask them.

 At least, please change the regex to:
 !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$
 
 Or even safer, maybe have another macro in the config file that sets  
 the arch used (is that automatable with debconf or something? wild  
 guess here) and allow that and all?

That's what I intend to do.

Greetings
Marc




Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

2007-01-17 Thread Marc Haber
clone 407280 -1
retitle -1 add an arch macro to cater for non-i386 archs
thanks

On Wed, Jan 17, 2007 at 04:32:35PM +0100, Tim Stoop wrote:
 At least, please change the regex to:
 !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$
 
 Or even safer, maybe have another macro in the config file that sets  
 the arch used (is that automatable with debconf or something? wild  
 guess here) and allow that and all?

Cloning to a new bug so that this change does not get lost.

Greetings
Marc
