I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection. I have an aide 0.12 binary for Slackware and it installed OK. It needs an aide.conf file... could someone post a sample for somebody fairly new to the server world? I installed Slackware 11 without an X session.
I got aide using yum on my Fedora Core box and it came with a sample aide.conf file:
Code:
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
# You can create custom rules like this.
NORMAL = R+b+sha1
DIR = p+i+n+u+g
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/var/log p+n+u+g
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection.
Ten bonus points for doing the right thing...
Quote:
I got aide using yum on my Fedora Core box and it came with a sample aide.conf file (..) I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
As you can see the NORMAL rule WILL cause a lot of static when used on the contents of /etc because you'll be (re)configuring stuff and normal ops will change some stuff. So basically you want to do a "minimal" check as was offered in the default config:
Code:
ETC = p+i+u+g+sha1
Code:
/etc ETC
Code:
=/mnt$ DIR
Once the reconfig/update dust is settled and your server is production-ready, run a check, add custom rules to your server's aide.conf and initialise the database. Finally, make certain you stash a copy of the binary, all configs and databases off-site.
Thanks, that helps! I was thinking I need to refine my aide.conf and cut back on /etc like you mentioned, since my old 200 MHz PC takes 45 minutes to an hour to do the aide --check.
hi all,
linuxhippy, where do you put the aide.conf file for your Slack 11? There is a sample config file in the readme.html, but they don't say where it goes.
edit: don't bother, I'm gonna md5 the drive and use a spreadsheet, AIDE is out of control, bye for now.
AIDE is out of control
Aide is well-tested, supported and actively maintained (a new release was out a week ago). It is configurable and fast. It can check a lot of details which, especially on distributions with a rudimentary out-of-the-box package management system like Slackware, can only be a good thing. Can't even compare your md5sum+spreadsheet "solution" with that.
removed not to confuse others. will have to revisit this.
ah, I realized I should've had = signs there and changed norm to normal.
wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.
edit: came back and fixed my spelling. something is weird with new firefox 2.0 for me, text gets garbled up.
ah, I realized I should've had = signs there and changed norm to normal.
I didn't see you edit your previous post to reflect local changes?
Quote:
wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.
Apart from QEMU lag this can even be faster if you're more precise on what to check.
Quote:
# Here are some recommended declarations from unspawn/LQ
# He writes “As you can see the NORMAL rule WILL cause a
# lot of static when used on the contents of /etc because
# you'll be (re)configuring stuff and normal ops will change
# some stuff. So basically you want to do a "minimal" check
# as was offered in the default config”
Depends on how volatile the contents are and how exposed the box is (multiple admins, publicly accessible box). If it's just a few files, then strict checking should be done because it's easy to give only those few exceptions the less strict treatment. If you opt for overall "weak" checking of /etc, then I suggest you at least give these (and any other access and auth related files) the full check attribs:
Code:
/etc/passwd
/etc/group
/etc/gshadow
/etc/shadow
/etc/sudoers
Quote:
# I suppose this is the master rule to apply to any/and or all
# files and folders unless explicitly defined otherwise herein?
#Selection regexp rule
@@{TOPDIR}/.* Norm
May be personal, but I never used these. If you do, it relies on declaration of
Code:
@@ifndef TOPDIR
Quote:
!@@{TOPDIR}/.*~
I definitely would want to know about edit leftovers in the root, and
Quote:
!@@{TOPDIR}/src/.*\.o
I don't have any /src dir, let alone /src/*.o files.
Quote:
/home$ DIR
Isn't the notation "=/home$"?
Quote:
/sys
You don't scan /proc, but you do scan /sys. Any particular reason why?
Quote:
/var/log p+n+u+g
Recursive scan of /var/log, but no files are scanned with the "S" attribute. Doesn't this give a load of alerts?
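To make the rule letters being argued about here concrete, the following is an added example (my own code, not AIDE's and not posted by anyone in this thread): a small Python re-implementation of the attribute letters from the sample aide.conf earlier in the thread and its R, L and > groups, run over a constructed temporary directory. It shows why a NORMAL rule on /etc alerts on a file that was merely touched while ETC = p+i+u+g+sha1 stays quiet, why ETC still catches an edited passwd, and what the S attribute does on a log that grows versus one that is truncated. The file names, contents and rule names are constructed for the demo; nothing is read from the real system.

```python
"""AIDE-style attribute rules in miniature (added example, not AIDE's own code).

Attribute letters follow the sample aide.conf: p i n u g s b m a c S md5 sha1.
Rule groups R, L and > are copied from that file's comments.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Rule groups as documented in the sample aide.conf (E, the empty group, omitted)
GROUPS = {
    "R": "p+i+n+u+g+s+m+c+md5",
    "L": "p+i+n+u+g",
    ">": "p+u+g+i+n+S",
}


def expand_rule(rule, groups=GROUPS):
    """Expand a rule such as 'R+b+sha1' into the set of single attributes it selects."""
    attrs = set()
    for token in rule.split("+"):
        if token in groups:
            attrs |= expand_rule(groups[token], groups)
        else:
            attrs.add(token)
    return attrs


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path, attrs):
    """Record the selected attributes of one file, like one AIDE database entry."""
    st = os.lstat(path)
    fields = {
        "p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
        "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "b": st.st_blocks,
        "m": st.st_mtime_ns, "a": st.st_atime_ns, "c": st.st_ctime_ns,
        "S": st.st_size,   # same value as 's'; compared differently below
    }
    entry = {}
    for a in attrs:
        if a in fields:
            entry[a] = fields[a]
        elif a in hashlib.algorithms_available:
            entry[a] = _digest(path, a)
        else:
            raise ValueError(f"unknown attribute {a!r}")
    return entry


def changed_attrs(old, new):
    """Attributes that differ between baseline and current; 'S' reports only a shrink."""
    out = []
    for a in sorted(old):
        if a == "S":
            if new[a] < old[a]:
                out.append(a)
        elif new[a] != old[a]:
            out.append(a)
    return out


def demo():
    """Baseline three constructed files, change them, and compare under each rule."""
    rules = {"NORMAL": "R+b+sha1", "ETC": "p+i+u+g+sha1", "LOG": ">"}
    expanded = {name: expand_rule(r) for name, r in rules.items()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:          # constructed tree, not /etc
        root = Path(tmp)
        motd, passwd, log = root / "motd", root / "passwd", root / "messages"
        motd.write_text("Welcome\n")
        passwd.write_text("root:x:0:0::/root:/bin/bash\n")
        log.write_text("boot ok\n")
        # Baseline: what 'aide --init' would record, here under every rule at once
        base = {p: {n: snapshot(p, a) for n, a in expanded.items()}
                for p in (motd, passwd, log)}
        # Routine admin activity that is not an intrusion:
        os.utime(motd, ns=(10**9, 10**9))               # touched, content unchanged
        with log.open("a") as fh:
            fh.write("cron ran\n")                      # log grew
        # And one change an admin does want to hear about:
        with passwd.open("a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/bash\n")
        results["motd"] = {n: changed_attrs(base[motd][n], snapshot(motd, expanded[n]))
                           for n in ("NORMAL", "ETC")}
        results["passwd"] = {n: changed_attrs(base[passwd][n], snapshot(passwd, expanded[n]))
                             for n in ("NORMAL", "ETC")}
        results["log_grew"] = changed_attrs(base[log]["LOG"], snapshot(log, expanded["LOG"]))
        log.write_text("")                              # truncated: S should fire
        results["log_truncated"] = changed_attrs(base[log]["LOG"], snapshot(log, expanded["LOG"]))
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run it and the motd entry shows the point of the thread: under NORMAL the touch changes m (and usually c), under ETC nothing changes; passwd still trips ETC on sha1; the appended log is silent under > and the truncated one reports S.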
Hello Gents,
Thank you for the replies.
@unspawn: Quote:
We spoke about this here: http://www.linuxquestions.org/questi...p?t=491396#top
I had said:
Quote:
It was able to get thru the /proc directory now that I wasn't actually running linux. It md5summed every file. Wow I never saw an 80 gig text file before LOL.
to which you had said:
Quote:
It's a waste of time to hash /proc and /dev contents.
So I was kind of interpreting that to mean that even with AIDE I might have the same issue, so I was leaving it out. As well, I really don't know what I'm doing ...but I'm trying :D
Ok I will add them in and make the other corrections you showed there, and then make a new database and rescan and see, then post my configuration. I'm really shooting to just make this for a typical home user baseline setup and I actually would like to submit it to LQ for newcomers like myself. Thank you a lot unspawn, I really really appreciate your help here.
@linuxhippy: I actually had to dig out a camera flash card. I didn't realize that an ungzipped db was going to be 28 meg for a "full-noob install" of Slackware. I later gzipped it using the CLI interface and it dropped down to about 8 meg. I wonder if AIDE supports bzip; that might be even smaller. I think your idea of the CD to have the binary, the manuals, source install tarballs is a good idea. I think I'm going to build this as 'static' and burn it that way.
ps... gosh this Firefox 2.0 with typing text is brutal :( I gotta put back in my old version. It most certainly is not 'wysiwyg'.
I really don't know what I'm doing ...but I'm trying
Oh well, you're doing great.
Quote:
I wonder if AIDE supports bzip; that might be even smaller.
Just add a request on Aide's SF tracker (http://sourceforge.net/tracker/?grou...76&atid=581582) or the SF Aide-devel mailing list. The developers are exceptionally friendly and professional.
OKAY! Here Is My Work In Progress :D
edited, a few months later: not really liking what I have, removed not to confuse others.
Hi all,
Just an update and question. The previous post I made seems to be pretty nice for my needs. In my /mnt on one computer I have two partitions that are solely for data from users. What would be a good check on that? I thought it was pretty neat the above caught the fact that I plugged in my thumbdrive doo hickey too. Are there any recommendations for applications like rkhunter's database? Not sure how I would address that one either. thank you in advance :D