AIDE and RPM Verify

FizzerJE · 08-26-2010, 12:23 PM

Hello

I have just run AIDE and it has come up with 120 Changes..

Here are a couple of examples.

Code:


File: /etc/group
  Size     : 577                              , 603
  Mtime    : 2010-08-16 10:21:01              , 2010-08-25 20:03:29
  Ctime    : 2010-08-16 10:21:01              , 2010-08-25 20:03:29
  Inode    : 2557249                          , 2557251
  MD5      : BdLDaZfcBrgocnf3yv50+Q==         , iohMnx7nF7bXsdGCREguww==
  RMD160   : gu0uoiPxVpLQiYTPAYddGDZCi6E=     , NEG8nSJjnsXBGasT1XteFFOtYoY=
  SHA256   : jF/g6ho4sQpZ99zf034bqg3LuJR9WJga , +xuE39+Tuhq4M8NA9SdJQ+ddIfE3uLHl

File: /etc/shadow
  Size     : 837                              , 925
  Mtime    : 2010-08-16 10:18:56              , 2010-08-25 20:03:48
  Ctime    : 2010-08-16 10:18:59              , 2010-08-25 20:03:48
  Inode    : 2557250                          , 2557249
  MD5      : /SpoHZDOSXI8frmcSQvXiw==         , lzUpBU5mS96h9Z4BYjQqtA==
  RMD160   : owRBIqPVCi93qzojv6lO77c8Rn4=     , C1EY+xcnrn/zOCQiItiPa/aNx4g=
  SHA256   : hAHAOAfj5B4AZkI0C3GmWCg4xL1d9E31 , KJaWiKaZ0giUYaeNGiu5CozSgwJt/60u

This is a new install and has not yet been connected to the network. All the build software has been installed from the DVD.

I did run an

Code:

rpm -qVa

and got a bunch of errors for MD5 BUT not listing 'S' as the error but '?'

Reading around I have found this maybe a bug and suggested running

Code:

prelink --all

now this did fix all the MD5 errors I got from RPM verify....

But since I have run AIDE again and came with all these file changes...

Question is would the running of prelink cause this and all I really need to do is update my AIDE database ???

anomie · 08-26-2010, 01:50 PM

prelink(8) operates on binaries and libraries. AFAIK, it should never, ever be performing work on /etc/group or /etc/shadow. (There is no reason for it to be.)

Have you added / removed a group, or modified group membership recently? Is it possible some user (i.e. you) has changed his password recently? Those scenarios would account for the HIDS report you're seeing.

FizzerJE · 08-26-2010, 02:09 PM

Mmm.. My bad.. Not the best examples (Actually looking at them probably the worst) those are the first entries.
Should have thought more about what I was posting.

Changed Files List (Yes users etc added , should have updated AIDE then)

Again my bad: Never used AIDE.

Code:

changed: /etc/group
changed: /etc/crontab
changed: /etc/shadow
changed: /etc/passwd
changed: /etc/prelink.cache
changed: /etc/fstab
changed: /etc/blkid/blkid.tab.old
changed: /etc/blkid/blkid.tab
changed: /etc/shadow-
changed: /etc/gshadow-
changed: /etc/gshadow
changed: /etc/aliases.db
changed: /etc/passwd-
changed: /etc/group-
changed: /var/log/cron
changed: /var/log/prelink/prelink.log
changed: /var/log/faillog
changed: /var/log/dmesg
changed: /var/log/cups/error_log
changed: /var/log/messages
changed: /var/log/secure
changed: /var/log/spooler
changed: /var/log/boot.log
changed: /var/log/rpmpkgs
changed: /var/log/maillog
changed: /var/log/lastlog
changed: /usr
changed: /usr/sbin
changed: /usr/sbin/lpasswd
changed: /usr/sbin/lchage
changed: /usr/sbin/userhelper
changed: /usr/sbin/userdel
changed: /usr/sbin/groupmod
changed: /usr/sbin/usermod
changed: /usr/sbin/lgroupmod
changed: /usr/sbin/lnewusers
changed: /usr/sbin/groupdel
changed: /usr/sbin/cc_test
changed: /usr/sbin/luserdel
changed: /usr/sbin/lgroupdel
changed: /usr/sbin/useradd
changed: /usr/sbin/cc_dump
changed: /usr/sbin/groupadd
changed: /usr/sbin/lusermod
changed: /usr/sbin/luseradd
changed: /usr/sbin/saslauthd
changed: /usr/sbin/aide
changed: /usr/sbin/lgroupadd
changed: /usr/lib
changed: /usr/lib/nss/unsupported-tools
changed: /usr/lib/gettext
changed: /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE
changed: /usr/lib/rpm
changed: /usr/lib/oddjob
changed: /usr/lib/syslinux
changed: /usr/lib/pm-utils/bin
changed: /usr/libexec
changed: /usr/libexec/awk
changed: /usr/libexec/getconf
changed: /usr/libexec/utempter
changed: /usr/bin
changed: /usr/bin/vdir
changed: /usr/bin/pkcs11_setup
changed: /usr/bin/setfattr
changed: /usr/bin/vim
changed: /usr/bin/rsync
changed: /usr/bin/pklogin_finder
changed: /usr/bin/crontab
changed: /usr/bin/lchfn
changed: /usr/bin/chage
changed: /usr/bin/amtu
changed: /usr/bin/dir
changed: /usr/bin/passwd
changed: /usr/bin/chacl
changed: /usr/bin/pkcs11_inspect
changed: /usr/bin/gpasswd
changed: /usr/bin/newgrp
changed: /usr/bin/afs5log
changed: /usr/bin/chsh
changed: /usr/bin/getfattr
changed: /usr/bin/lchsh
changed: /usr/bin/aulastlog
changed: /usr/bin/ausyscall
changed: /usr/bin/getfacl
changed: /usr/bin/pkcs11_eventmgr
changed: /usr/bin/install
changed: /usr/bin/chfn
changed: /usr/bin/attr
changed: /usr/bin/setfacl
changed: /usr/bin/consolehelper
changed: /root
changed: /root/.bashrc
changed: /root/.cshrc
changed: /boot.bak
changed: /lib
changed: /lib/libaudit.so.0.0.0
changed: /lib/dbus-1
changed: /lib/security
changed: /lib/security/pam_ccreds.so
changed: /lib/security/pam_krb5
changed: /lib/libacl.so.1.1.0
changed: /lib/libpam.so.0.81.5
changed: /lib/libattr.so.1.1.0
changed: /lib/udev
changed: /lib/libpam_misc.so.0.81.2
changed: /lib/libauparse.so.0.0.0
changed: /bin
changed: /bin/ls
changed: /bin/vi
changed: /bin/cp
changed: /bin/mv
changed: /bin/tar
changed: /bin/ping6
changed: /bin/login
changed: /sbin
changed: /sbin/pam_console_apply
changed: /sbin/runuser
changed: /sbin/pam_tally2
changed: /sbin/pam_tally
changed: /sbin/hwclock

Have added users... Modified cron.. Added aliases to .bashrc .cshrc and modified fstab. So I guess we are left with Binaries / libaries...

Just passed my Linux+ so you will have to bear with me, bit of a noob.

Apologies for the last example...

anomie · 08-26-2010, 02:29 PM

Quote:

Originally Posted by FizzerJE

This is a new install and has not yet been connected to the network. All the build software has been installed from the DVD.

Given that info, here's where you take a (rather modest) leap of faith, and assume the system is in a "known good" state. From here going forward, you need to have procedures in place to account for any changes your HIDS detects.

To substantially improve the noise-to-signal ratio, I suggest the following:

Prior to planned system changes (user, software, etc.) check your system against the HIDS DB. Account for any detected differences.
Make the system change.
Update the HIDS DB immediately after.

FizzerJE · 08-27-2010, 12:34 PM

Quote:

Originally Posted by anomie

I suggest the following:

Prior to planned system changes (user, software, etc.) check your system against the HIDS DB. Account for any detected differences.
Make the system change.
Update the HIDS DB immediately after.

Thanks...

Given my new experieance and my lack of knowledge this will help.

Unsure if I have a healthy paranoia... But the /home directory is in-tact from an old install. Thus preserving data.

I think I will do fresh install, and go with the updating schema you reccomend.
This time NOT including the old /home partion in the install until I have things up and running and can throughly check out what may be on there.

Sorry no leap of faith for me. But your advice is definatly taken on borad.

Off to read the best way of scanning a potentially infected /home diretory

Thanks

FizzerJE · 08-28-2010, 04:07 PM

I do not understand this...

I decided to do a new build and do things correct from the start.

A brand new build NO RE-BOOT, NO NETWORK.

The original /home partion still exsits but is not included in install options OR mounted.

On first boot I run the firstboot script.
SELINUX enforcing, remove SSH from trusts

Remove a few services from the default install (I untick the gnome install):

bluetooth
cups
firstboot
ip6tables
irqbalance
isdn
kudzu
readahead_early

Built a AIDE Database

Code:

/usr/sbin/aide --init

copied the new database over

Code:

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Also onto a USBStick

Run an AIDE check and all seems fine

Reboot run AIDE again it get these changes...

Code:

Changed files: 1117

changed: /etc/shadow
changed: /etc/aliases.db
changed: /etc/blkid/blkid.tab.old
changed: /etc/blkid/blkid.tab
changed: /etc/gshadow
changed: /etc/group
changed: /etc/passwd
changed: /var/log/lastlog
changed: /usr/sbin
changed: /usr/sbin/filefrag
changed: /usr/sbin/zdump
changed: /usr/sbin/ipppd
changed: /usr/sbin/yptest
changed: /usr/sbin/dmidecode
changed: /usr/sbin/pppoe-discovery
changed: /usr/sbin/rdev

----   TEXT CUT  ----

changed: /usr/libexec
changed: /usr/libexec/getconf
changed: /usr/libexec/getconf/POSIX_V6_ILP32_OFF32
changed: /usr/libexec/getconf/POSIX_V6_ILP32_OFFBIG
changed: /usr/libexec/hald-addon-acpi
changed: /usr/libexec/hal-storage-eject
changed: /usr/libexec/hal-storage-unmount
changed: /usr/libexec/gconf-sanity-check-2
changed: /usr/libexec/nm-dhcp-client.action
changed: /usr/libexec/hald-probe-storage
changed: /usr/libexec/gam_server
changed: /usr/libexec/hald-probe-volume
changed: /usr/libexec/nm-avahi-autoipd.action
changed: /usr/libexec/hald-probe-input
changed: /usr/libexec/hal-storage-cleanup-mountpoint
changed: /usr/libexec/nm-dispatcher.action
changed: /usr/libexec/hald-probe-printer
changed: /usr/libexec/hald-addon-macbookpro-backlight
changed: /usr/libexec/hald-addon-acpi-buttons-toshiba

----   TEXT CUT  ----

changed: /usr/bin
changed: /usr/bin/sha384hmac
changed: /usr/bin/getconf
changed: /usr/bin/grolj4
changed: /usr/bin/ecryptfs-manager
changed: /usr/bin/pkcs11_inspect
changed: /usr/bin/pathchk
changed: /usr/bin/msginit
changed: /usr/bin/tailf
changed: /usr/bin/lchsh
changed: /usr/bin/setfattr
changed: /usr/bin/hal-find-by-capability
changed: /usr/bin/wrjpgcom
changed: /usr/bin/yes
changed: /usr/bin/apmsleep
changed: /usr/bin/diff

----   TEXT CUT  ----

changed: /usr/bin/envsubst
changed: /usr/bin/sqlite3
changed: /usr/bin/getent
changed: /usr/bin/mkudffs
changed: /usr/bin/rx
changed: /usr/bin/hal-get-property
changed: /usr/bin/wvdial
changed: /usr/bin/uptime
changed: /usr/bin/fgconsole
changed: /usr/bin/lockfile

----   TEXT CUT  ----

changed: /usr/lib/liblber-2.3.so.0.2.31
changed: /usr/lib/libldap-2.3.so.0.2.31
changed: /usr/lib/libparted-1.8.so.0.0.1
changed: /usr/lib/libXcursor.so.1.0.2
changed: /usr/lib/liblftp-jobs.so.0.0.0
changed: /usr/lib/libatk-1.0.so.0.1212.0
changed: /usr/lib/libwvutils.so.4.2
changed: /usr/lib/librpmdb-4.4.so
changed: /bin
changed: /bin/mktemp
changed: /bin/dbus-cleanup-sockets
changed: /bin/vi
changed: /bin/doexec
changed: /bin/df
changed: /bin/gawk
changed: /bin/hostname
changed: /bin/env
changed: /bin/cat
changed: /bin/sed
changed: /bin/loadkeys

----   TEXT CUT  ----

changed: /bin/pwd
changed: /bin/sleep
changed: /bin/false
changed: /bin/mv
changed: /bin/mountpoint
changed: /bin/gzip
changed: /sbin
changed: /sbin/pcmcia-socket-startup
changed: /sbin/ifrename
changed: /sbin/ip
changed: /sbin/dosfslabel
changed: /sbin/modinfo
changed: /sbin/ip6tables

----   TEXT CUT  ----

changed: /sbin/iwevent
changed: /sbin/iwspy
changed: /sbin/pccardctl
changed: /sbin/mkswap
changed: /sbin/capiinit
changed: /sbin/request-key
changed: /sbin/mount.ecryptfs
changed: /sbin/dmraid
changed: /lib
changed: /lib/libm-2.5.so
changed: /lib/libgobject-2.0.so.0.1200.3
changed: /lib/libsepol.so.1
changed: /lib/libuuid.so.1.2
changed: /lib/libext2fs.so.2.4
changed: /lib/libss.so.2.0

----   TEXT CUT  ----

changed: /lib/libauparse.so.0.0.0
changed: /lib/libblkid.so.1.0
changed: /lib/libgthread-2.0.so.0.1200.3
changed: /lib/libgmodule-2.0.so.0.1200.3
changed: /lib/libdmraid.so.1.0.0.rc13-17

They are all changed in file size...

Unsure if I am having a healthy paranoia.. But should I be rebooting and running and AIDE -init ???
Is it normal for this to happen...

Am I doing something wrong here?

ALSO. Anyone got a link to best way to scan a partion for nasties without connecting to a network BUT having an upto date database for virus / malware / rootkit sigs.

anomie · 08-30-2010, 03:38 PM

For starters, your aide.conf should contain something like:

Code:

LOG = p+u+g+acl+xattrs+ANF
...
/var/log   LOG
!/var/log/sa
!/var/log/aide.log

The last two lines are negation examples taken from my own aide.conf. It sounds like your configuration may be too sensitive if it's picking up lastlog.

A couple others things:

RHEL/CentOS rebuilds /etc/aliases.db at boot time (so you're going to need to not monitor aliases.db or get used to the idea of seeing it in reports after a reboot)
Ditto for /etc/blkid/blkid.tab and /etc/blkid/blkid.tab.old. Both may be modified at boot time.

As for binary sizes changing after a reboot..? And /etc/passwd, /etc/shadow, and /etc/group..? That's not right. Are you sure you didn't install some packages between the time you created the AIDE DB and the time you checked against it?

FizzerJE · 09-20-2010, 05:04 AM

Quote:

Originally Posted by anomie

RHEL/CentOS rebuilds /etc/aliases.db at boot time (so you're going to need to not monitor aliases.db or get used to the idea of seeing it in reports after a reboot)
Ditto for /etc/blkid/blkid.tab and /etc/blkid/blkid.tab.old. Both may be modified at boot time.

Thanks...

Strangly I have gone back to working on this pre-production server for home use, been busy studying for exams.

Just doing a Google search on aliases.db which has changed since reboot and found my post.

Yes my config is too sensitive but as you say all those file changes are a bit off....

Past few days I have looked into this and I think I have sorted it. But need to test more.

Down to a combination of 'prelink' and SELinux I think.

Currently I have turned prelink off, and making sure my linux box is SELinux 'Enforcing' for now.

I will update if this works.

Thanks for the help, but it is still ongoing.

FizzerJE · 09-21-2010, 04:09 PM

All looks to work as expected now that prelink is disabled...

Anyone coming across this.

Code:

Disable Prelink
    /etc/sysconfig/prelink
        PRELINKING=no

Maybe run

Code:

prelink -ua

But this did not revert the state of files back for me.

Thanks for help and tips.

unSpawn · 09-21-2010, 05:22 PM

Quote:

Originally Posted by FizzerJE

Code:

prelink -ua

But this did not revert the state of files back for me.

The prelink cronjob has a 'if [ "$PRELINKING" != yes ]; then' section which executes '/usr/sbin/prelink -uav >> /var/log/prelink/prelink.log 2>&1' and you didn't post back any details wrt the "did not revert" part so there's nothing that can be said about that. (Since Aide and prelinking seems a recurring topic and anomie plays a part there as well I'm also linking in this and that thread as people still seem to have problems searching LQ...)