LinuxQuestions.org
Old 08-26-2010, 12:23 PM   #1
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Rep: Reputation: 1
AIDE and RPM Verify


Hello

I have just run AIDE and it has come up with 120 Changes..

Here are a couple of examples.

Code:

File: /etc/group
  Size     : 577                              , 603
  Mtime    : 2010-08-16 10:21:01              , 2010-08-25 20:03:29
  Ctime    : 2010-08-16 10:21:01              , 2010-08-25 20:03:29
  Inode    : 2557249                          , 2557251
  MD5      : BdLDaZfcBrgocnf3yv50+Q==         , iohMnx7nF7bXsdGCREguww==
  RMD160   : gu0uoiPxVpLQiYTPAYddGDZCi6E=     , NEG8nSJjnsXBGasT1XteFFOtYoY=
  SHA256   : jF/g6ho4sQpZ99zf034bqg3LuJR9WJga , +xuE39+Tuhq4M8NA9SdJQ+ddIfE3uLHl

File: /etc/shadow
  Size     : 837                              , 925
  Mtime    : 2010-08-16 10:18:56              , 2010-08-25 20:03:48
  Ctime    : 2010-08-16 10:18:59              , 2010-08-25 20:03:48
  Inode    : 2557250                          , 2557249
  MD5      : /SpoHZDOSXI8frmcSQvXiw==         , lzUpBU5mS96h9Z4BYjQqtA==
  RMD160   : owRBIqPVCi93qzojv6lO77c8Rn4=     , C1EY+xcnrn/zOCQiItiPa/aNx4g=
  SHA256   : hAHAOAfj5B4AZkI0C3GmWCg4xL1d9E31 , KJaWiKaZ0giUYaeNGiu5CozSgwJt/60u
This is a new install and has not yet been connected to the network. All the build software has been installed from the DVD.

I did run an
Code:
rpm -qVa
and got a bunch of errors for MD5 BUT not listing 'S' as the error but '?'

Reading around I have found this may be a bug and it was suggested running
Code:
prelink --all
now this did fix all the MD5 errors I got from RPM verify....

But since then I have run AIDE again and it came up with all these file changes...

Question is would the running of prelink cause this and all I really need to do is update my AIDE database ???

Last edited by FizzerJE; 08-26-2010 at 12:25 PM.
 
Old 08-26-2010, 01:50 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
prelink(8) operates on binaries and libraries. AFAIK, it should never, ever be performing work on /etc/group or /etc/shadow. (There is no reason for it to be.)

Have you added / removed a group, or modified group membership recently? Is it possible some user (i.e. you) has changed his password recently? Those scenarios would account for the HIDS report you're seeing.
 
Old 08-26-2010, 02:09 PM   #3
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Original Poster
Rep: Reputation: 1
Mmm.. My bad.. Not the best examples (actually, looking at them, probably the worst); those are the first entries.
Should have thought more about what I was posting.

Changed files list (yes, users etc. added; should have updated AIDE then). Again my bad: never used AIDE.

Code:
changed: /etc/group
changed: /etc/crontab
changed: /etc/shadow
changed: /etc/passwd
changed: /etc/prelink.cache
changed: /etc/fstab
changed: /etc/blkid/blkid.tab.old
changed: /etc/blkid/blkid.tab
changed: /etc/shadow-
changed: /etc/gshadow-
changed: /etc/gshadow
changed: /etc/aliases.db
changed: /etc/passwd-
changed: /etc/group-
changed: /var/log/cron
changed: /var/log/prelink/prelink.log
changed: /var/log/faillog
changed: /var/log/dmesg
changed: /var/log/cups/error_log
changed: /var/log/messages
changed: /var/log/secure
changed: /var/log/spooler
changed: /var/log/boot.log
changed: /var/log/rpmpkgs
changed: /var/log/maillog
changed: /var/log/lastlog
changed: /usr
changed: /usr/sbin
changed: /usr/sbin/lpasswd
changed: /usr/sbin/lchage
changed: /usr/sbin/userhelper
changed: /usr/sbin/userdel
changed: /usr/sbin/groupmod
changed: /usr/sbin/usermod
changed: /usr/sbin/lgroupmod
changed: /usr/sbin/lnewusers
changed: /usr/sbin/groupdel
changed: /usr/sbin/cc_test
changed: /usr/sbin/luserdel
changed: /usr/sbin/lgroupdel
changed: /usr/sbin/useradd
changed: /usr/sbin/cc_dump
changed: /usr/sbin/groupadd
changed: /usr/sbin/lusermod
changed: /usr/sbin/luseradd
changed: /usr/sbin/saslauthd
changed: /usr/sbin/aide
changed: /usr/sbin/lgroupadd
changed: /usr/lib
changed: /usr/lib/nss/unsupported-tools
changed: /usr/lib/gettext
changed: /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE
changed: /usr/lib/rpm
changed: /usr/lib/oddjob
changed: /usr/lib/syslinux
changed: /usr/lib/pm-utils/bin
changed: /usr/libexec
changed: /usr/libexec/awk
changed: /usr/libexec/getconf
changed: /usr/libexec/utempter
changed: /usr/bin
changed: /usr/bin/vdir
changed: /usr/bin/pkcs11_setup
changed: /usr/bin/setfattr
changed: /usr/bin/vim
changed: /usr/bin/rsync
changed: /usr/bin/pklogin_finder
changed: /usr/bin/crontab
changed: /usr/bin/lchfn
changed: /usr/bin/chage
changed: /usr/bin/amtu
changed: /usr/bin/dir
changed: /usr/bin/passwd
changed: /usr/bin/chacl
changed: /usr/bin/pkcs11_inspect
changed: /usr/bin/gpasswd
changed: /usr/bin/newgrp
changed: /usr/bin/afs5log
changed: /usr/bin/chsh
changed: /usr/bin/getfattr
changed: /usr/bin/lchsh
changed: /usr/bin/aulastlog
changed: /usr/bin/ausyscall
changed: /usr/bin/getfacl
changed: /usr/bin/pkcs11_eventmgr
changed: /usr/bin/install
changed: /usr/bin/chfn
changed: /usr/bin/attr
changed: /usr/bin/setfacl
changed: /usr/bin/consolehelper
changed: /root
changed: /root/.bashrc
changed: /root/.cshrc
changed: /boot.bak
changed: /lib
changed: /lib/libaudit.so.0.0.0
changed: /lib/dbus-1
changed: /lib/security
changed: /lib/security/pam_ccreds.so
changed: /lib/security/pam_krb5
changed: /lib/libacl.so.1.1.0
changed: /lib/libpam.so.0.81.5
changed: /lib/libattr.so.1.1.0
changed: /lib/udev
changed: /lib/libpam_misc.so.0.81.2
changed: /lib/libauparse.so.0.0.0
changed: /bin
changed: /bin/ls
changed: /bin/vi
changed: /bin/cp
changed: /bin/mv
changed: /bin/tar
changed: /bin/ping6
changed: /bin/login
changed: /sbin
changed: /sbin/pam_console_apply
changed: /sbin/runuser
changed: /sbin/pam_tally2
changed: /sbin/pam_tally
changed: /sbin/hwclock
Have added users... Modified cron.. Added aliases to .bashrc .cshrc and modified fstab. So I guess we are left with binaries / libraries...

Just passed my Linux+ so you will have to bear with me, bit of a noob.

Apologies for the last example...

Last edited by FizzerJE; 08-26-2010 at 02:15 PM.
 
Old 08-26-2010, 02:29 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by FizzerJE
This is a new install and has not yet been connected to the network. All the build software has been installed from the DVD.
Given that info, here's where you take a (rather modest) leap of faith, and assume the system is in a "known good" state. From here going forward, you need to have procedures in place to account for any changes your HIDS detects.

To substantially improve the noise-to-signal ratio, I suggest the following:
  1. Prior to planned system changes (user, software, etc.) check your system against the HIDS DB. Account for any detected differences.
  2. Make the system change.
  3. Update the HIDS DB immediately after.
 
Old 08-27-2010, 12:34 PM   #5
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by anomie View Post
I suggest the following:
  1. Prior to planned system changes (user, software, etc.) check your system against the HIDS DB. Account for any detected differences.
  2. Make the system change.
  3. Update the HIDS DB immediately after.
Thanks...

Given my new experience and my lack of knowledge this will help.

Unsure if I have a healthy paranoia... But the /home directory is intact from an old install. Thus preserving data.

I think I will do a fresh install, and go with the updating schema you recommend.
This time NOT including the old /home partition in the install until I have things up and running and can thoroughly check out what may be on there.

Sorry, no leap of faith for me. But your advice is definitely taken on board.

Off to read the best way of scanning a potentially infected /home directory

Thanks
 
Old 08-28-2010, 04:07 PM   #6
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Original Poster
Rep: Reputation: 1
AIDE: A LOT of file size changes...

I do not understand this...

I decided to do a new build and do things correct from the start.

A brand new build NO RE-BOOT, NO NETWORK.

The original /home partition still exists but is not included in install options OR mounted.

On first boot I run the firstboot script.
SELINUX enforcing, remove SSH from trusts

Remove a few services from the default install (I untick the gnome install):
  • bluetooth
  • cups
  • firstboot
  • ip6tables
  • irqbalance
  • isdn
  • kudzu
  • readahead_early

Built an AIDE database
Code:
/usr/sbin/aide --init
copied the new database over
Code:
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Also onto a USB stick

Run an AIDE check and all seems fine

Reboot, run AIDE again and I get these changes...
Code:
Changed files: 1117

changed: /etc/shadow
changed: /etc/aliases.db
changed: /etc/blkid/blkid.tab.old
changed: /etc/blkid/blkid.tab
changed: /etc/gshadow
changed: /etc/group
changed: /etc/passwd
changed: /var/log/lastlog
changed: /usr/sbin
changed: /usr/sbin/filefrag
changed: /usr/sbin/zdump
changed: /usr/sbin/ipppd
changed: /usr/sbin/yptest
changed: /usr/sbin/dmidecode
changed: /usr/sbin/pppoe-discovery
changed: /usr/sbin/rdev

----   TEXT CUT  ----

changed: /usr/libexec
changed: /usr/libexec/getconf
changed: /usr/libexec/getconf/POSIX_V6_ILP32_OFF32
changed: /usr/libexec/getconf/POSIX_V6_ILP32_OFFBIG
changed: /usr/libexec/hald-addon-acpi
changed: /usr/libexec/hal-storage-eject
changed: /usr/libexec/hal-storage-unmount
changed: /usr/libexec/gconf-sanity-check-2
changed: /usr/libexec/nm-dhcp-client.action
changed: /usr/libexec/hald-probe-storage
changed: /usr/libexec/gam_server
changed: /usr/libexec/hald-probe-volume
changed: /usr/libexec/nm-avahi-autoipd.action
changed: /usr/libexec/hald-probe-input
changed: /usr/libexec/hal-storage-cleanup-mountpoint
changed: /usr/libexec/nm-dispatcher.action
changed: /usr/libexec/hald-probe-printer
changed: /usr/libexec/hald-addon-macbookpro-backlight
changed: /usr/libexec/hald-addon-acpi-buttons-toshiba

----   TEXT CUT  ----

changed: /usr/bin
changed: /usr/bin/sha384hmac
changed: /usr/bin/getconf
changed: /usr/bin/grolj4
changed: /usr/bin/ecryptfs-manager
changed: /usr/bin/pkcs11_inspect
changed: /usr/bin/pathchk
changed: /usr/bin/msginit
changed: /usr/bin/tailf
changed: /usr/bin/lchsh
changed: /usr/bin/setfattr
changed: /usr/bin/hal-find-by-capability
changed: /usr/bin/wrjpgcom
changed: /usr/bin/yes
changed: /usr/bin/apmsleep
changed: /usr/bin/diff

----   TEXT CUT  ----

changed: /usr/bin/envsubst
changed: /usr/bin/sqlite3
changed: /usr/bin/getent
changed: /usr/bin/mkudffs
changed: /usr/bin/rx
changed: /usr/bin/hal-get-property
changed: /usr/bin/wvdial
changed: /usr/bin/uptime
changed: /usr/bin/fgconsole
changed: /usr/bin/lockfile

----   TEXT CUT  ----

changed: /usr/lib/liblber-2.3.so.0.2.31
changed: /usr/lib/libldap-2.3.so.0.2.31
changed: /usr/lib/libparted-1.8.so.0.0.1
changed: /usr/lib/libXcursor.so.1.0.2
changed: /usr/lib/liblftp-jobs.so.0.0.0
changed: /usr/lib/libatk-1.0.so.0.1212.0
changed: /usr/lib/libwvutils.so.4.2
changed: /usr/lib/librpmdb-4.4.so
changed: /bin
changed: /bin/mktemp
changed: /bin/dbus-cleanup-sockets
changed: /bin/vi
changed: /bin/doexec
changed: /bin/df
changed: /bin/gawk
changed: /bin/hostname
changed: /bin/env
changed: /bin/cat
changed: /bin/sed
changed: /bin/loadkeys

----   TEXT CUT  ----

changed: /bin/pwd
changed: /bin/sleep
changed: /bin/false
changed: /bin/mv
changed: /bin/mountpoint
changed: /bin/gzip
changed: /sbin
changed: /sbin/pcmcia-socket-startup
changed: /sbin/ifrename
changed: /sbin/ip
changed: /sbin/dosfslabel
changed: /sbin/modinfo
changed: /sbin/ip6tables

----   TEXT CUT  ----

changed: /sbin/iwevent
changed: /sbin/iwspy
changed: /sbin/pccardctl
changed: /sbin/mkswap
changed: /sbin/capiinit
changed: /sbin/request-key
changed: /sbin/mount.ecryptfs
changed: /sbin/dmraid
changed: /lib
changed: /lib/libm-2.5.so
changed: /lib/libgobject-2.0.so.0.1200.3
changed: /lib/libsepol.so.1
changed: /lib/libuuid.so.1.2
changed: /lib/libext2fs.so.2.4
changed: /lib/libss.so.2.0

----   TEXT CUT  ----

changed: /lib/libauparse.so.0.0.0
changed: /lib/libblkid.so.1.0
changed: /lib/libgthread-2.0.so.0.1200.3
changed: /lib/libgmodule-2.0.so.0.1200.3
changed: /lib/libdmraid.so.1.0.0.rc13-17
They are all changed in file size...

Unsure if I am having a healthy paranoia.. But should I be rebooting and running an aide --init ???
Is it normal for this to happen...

Am I doing something wrong here?



ALSO. Anyone got a link to the best way to scan a partition for nasties without connecting to a network BUT having an up to date database for virus / malware / rootkit sigs.
 
Old 08-30-2010, 03:38 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
For starters, your aide.conf should contain something like:

Code:
LOG = p+u+g+acl+xattrs+ANF
...
/var/log   LOG
!/var/log/sa
!/var/log/aide.log
The last two lines are negation examples taken from my own aide.conf. It sounds like your configuration may be too sensitive if it's picking up lastlog.

A couple of other things:
  • RHEL/CentOS rebuilds /etc/aliases.db at boot time (so you're going to need to not monitor aliases.db or get used to the idea of seeing it in reports after a reboot)
  • Ditto for /etc/blkid/blkid.tab and /etc/blkid/blkid.tab.old. Both may be modified at boot time.

As for binary sizes changing after a reboot..? And /etc/passwd, /etc/shadow, and /etc/group..? That's not right. Are you sure you didn't install some packages between the time you created the AIDE DB and the time you checked against it?
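As an added example (not code from the thread or from AIDE itself): a small Python triage script that parses the report format quoted in the first post and sorts the "changed:" list into the buckets discussed in this thread, treating the boot-rebuilt files anomie names as expected churn. The bucket names, the directory lists and the sample report are my own constructed assumptions; the "binary" bucket is where the prelink question in this thread lands.

```python
import re

# Files anomie says RHEL/CentOS rewrites at boot: expected to differ after a reboot.
BOOT_REBUILT = {"/etc/aliases.db", "/etc/blkid/blkid.tab", "/etc/blkid/blkid.tab.old"}
# Account databases: a change here should line up with a known admin action (useradd, passwd).
ACCOUNT_DB = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow", "/etc/passwd-", "/etc/shadow-", "/etc/group-", "/etc/gshadow-"}
# Directories holding ELF binaries and libraries, which prelink rewrites in place (assumed list).
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/lib/", "/usr/lib/")
STANZA_RE = re.compile(r"^File: (\S+)$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(\S+)\s*$")  # "  Size : old , new"

def parse_stanzas(report):
    """Map each 'File:' stanza to {attribute: (old_value, new_value)}."""
    files, current = {}, None
    for line in report.splitlines():
        if (m := STANZA_RE.match(line)):
            current = files.setdefault(m.group(1), {})
        elif (m := ATTR_RE.match(line)) and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return files

def changed_attrs(report):
    """Which attributes differ per file: size/inode only, or the content hashes too."""
    return {p: sorted(a for a, (old, new) in attrs.items() if old != new)
            for p, attrs in parse_stanzas(report).items()}

def classify(path):
    """Bucket one changed path by the explanations given in this thread."""
    if path in BOOT_REBUILT: return "boot-rebuilt"
    if path in ACCOUNT_DB: return "account-db"
    if path.rstrip("/") + "/" in BINARY_DIRS: return "directory"   # the directory entry itself
    if path.startswith(BINARY_DIRS): return "binary"   # must be explained: prelink or a package update
    if path.startswith("/var/log/"): return "log"      # noise unless a LOG-style rule is used
    return "other"

def triage(report):
    buckets = {}  # bucket name -> changed paths; 'binary' is the group to chase first
    for line in report.splitlines():
        if line.startswith("changed:"):
            path = line.split(":", 1)[1].strip()
            buckets.setdefault(classify(path), []).append(path)
    return buckets

# Constructed sample assembled from entries quoted in this thread.
SAMPLE = """\
File: /etc/group
  Size     : 577                              , 603
  MD5      : BdLDaZfcBrgocnf3yv50+Q==         , iohMnx7nF7bXsdGCREguww==
changed: /etc/group
changed: /etc/aliases.db
changed: /var/log/lastlog
changed: /usr/sbin
changed: /usr/sbin/useradd
changed: /lib/libpam.so.0.81.5
"""
```

Feed it the output of `aide --check` and anything left in the "binary" and "other" buckets is what still needs an explanation before the database is refreshed.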
 
Old 09-20-2010, 05:04 AM   #8
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by anomie View Post
  • RHEL/CentOS rebuilds /etc/aliases.db at boot time (so you're going to need to not monitor aliases.db or get used to the idea of seeing it in reports after a reboot)
  • Ditto for /etc/blkid/blkid.tab and /etc/blkid/blkid.tab.old. Both may be modified at boot time.

Thanks...

Strangely I have gone back to working on this pre-production server for home use, having been busy studying for exams.

Just doing a Google search on aliases.db which has changed since reboot and found my post.

Yes my config is too sensitive but as you say all those file changes are a bit off....

Past few days I have looked into this and I think I have sorted it. But need to test more.

Down to a combination of 'prelink' and SELinux I think.

Currently I have turned prelink off, and making sure my linux box is SELinux 'Enforcing' for now.

I will update if this works.

Thanks for the help, but it is still ongoing.
 
Old 09-21-2010, 04:09 PM   #9
FizzerJE
LQ Newbie
 
Registered: Dec 2004
Posts: 12

Original Poster
Rep: Reputation: 1
[Solved] AIDE and RPM Verify

All looks to work as expected now that prelink is disabled...

For anyone coming across this:

Code:
Disable Prelink
    /etc/sysconfig/prelink
        PRELINKING=no
Maybe run

Code:
prelink -ua
But this did not revert the state of files back for me.

Thanks for help and tips.
 
Old 09-21-2010, 05:22 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
Originally Posted by FizzerJE View Post
Code:
prelink -ua
But this did not revert the state of files back for me.
The prelink cronjob has a 'if [ "$PRELINKING" != yes ]; then' section which executes '/usr/sbin/prelink -uav >> /var/log/prelink/prelink.log 2>&1' and you didn't post back any details wrt the "did not revert" part, so there's nothing that can be said about that. (Since Aide and prelinking seem a recurring topic and anomie plays a part there as well, I'm also linking in this and that thread as people still seem to have problems searching LQ...)
 