I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection. I have an aide0.12 binary for Slackware and it installed ok. It needs an aide.conf file...could someone post a sample for somebody fairly new to the server world? I installed Slackware 11 without an X session.
I got aide using yum on my Fedora Core box and it came with a sample aide.conf file:
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
# You can create custom rules like this.
NORMAL = R+b+sha1
DIR = p+i+n+u+g
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/var/log p+n+u+g
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
Last edited by unSpawn; 10-15-2006 at 07:26 AM.
Reason: //restore 0-reply status
I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection.
Ten bonus points for doing the right thing...
I got aide using yum on my Fedora Core box and it came with a sample aide.conf file (..) I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
As you can see the NORMAL rule WILL cause a lot of static when used on the contents of /etc because you'll be (re)configuring stuff and normal ops will change some stuff. So basically you want to do a "minimal" check as was offered in the default config:
Code:
ETC = p+i+u+g+sha1
VOLATILE = p+u+g
and then add custom rules to tweak often changed files (these are just examples, OK):
Next to that some root directories aren't checked (/opt, /misc, /initrd): see if you want to include those. /tmp and /var/tmp and other dir contents aren't checked as well, and you will not want that because they will cause a lot of static as well, but being paranoid you might want to check the dir entries themselves:
Code:
=/mnt$ DIR
=/home$ DIR
=/var/log$ DIR
=/tmp$ DIR
=/var/tmp$ DIR
=/lost\+found DIR
* Note there's a lost+found on every partition.
Once the reconfig/update dust has settled and your server is production-ready, run a check, add custom rules to your server's aide.conf and initialise the database. Finally make certain you stash a copy of the binary, all configs and databases off-site.
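To see in practice why the ETC and VOLATILE rules above are quieter than NORMAL, here is an added toy check in Python (not AIDE's code and not part of the thread; the file name and its contents are constructed) that records the same attribute letters for one file and reports which of them change after a bare touch and after a same-size content edit whose mtime was put back to the baseline value:

```python
import hashlib
import os
import tempfile

# AIDE attribute letters as used in the thread, and how each one is measured.
ATTRS = {
    "p": lambda path, st: st.st_mode,       # permissions
    "i": lambda path, st: st.st_ino,        # inode
    "n": lambda path, st: st.st_nlink,      # number of links
    "u": lambda path, st: st.st_uid,        # user
    "g": lambda path, st: st.st_gid,        # group
    "s": lambda path, st: st.st_size,       # size
    "m": lambda path, st: st.st_mtime_ns,   # mtime
    "c": lambda path, st: st.st_ctime_ns,   # ctime (not settable from userspace)
    "sha1": lambda path, st: hashlib.sha1(open(path, "rb").read()).hexdigest(),
}
# Rule names from the thread; NORMAL here is R+sha1 with md5 and b left out.
RULES = {"NORMAL": "p+i+n+u+g+s+m+c+sha1", "ETC": "p+i+u+g+sha1", "VOLATILE": "p+u+g"}

def snapshot(path, rule):
    """Baseline record for one file under one rule, like an aide.db entry."""
    st = os.lstat(path)
    return {a: ATTRS[a](path, st) for a in RULES[rule].split("+")}

def changed_attrs(baseline, current):
    """Attributes whose value differs from the baseline (what a check would report)."""
    return sorted(a for a in baseline if baseline[a] != current[a])

def demo():
    """Constructed scenario in a temp dir: a harmless touch, then a same-size
    content edit with the original mtime restored. Returns both change reports."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")  # stand-in for a file under /etc
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        orig = os.lstat(hosts)
        base = {r: snapshot(hosts, r) for r in RULES}
        # 1. metadata-only change: mtime bumped by a minute, bytes untouched
        later = orig.st_mtime_ns + 60 * 10**9
        os.utime(hosts, ns=(later, later))
        touched = {r: changed_attrs(base[r], snapshot(hosts, r)) for r in RULES}
        # 2. real change: same length, different bytes, original mtime put back
        with open(hosts, "w") as fh:
            fh.write("10.0.0.99 localhost\n")  # constructed; same byte length
        os.utime(hosts, ns=(orig.st_atime_ns, orig.st_mtime_ns))
        edited = {r: changed_attrs(base[r], snapshot(hosts, r)) for r in RULES}
    return touched, edited

if __name__ == "__main__":
    print(demo())  # touch: only NORMAL complains; edit: ETC and NORMAL flag sha1
```

The touch alone shows up under NORMAL because of m (and usually c), while ETC and VOLATILE stay silent; the content edit is caught by the sha1 in ETC even though size and mtime look unchanged, and VOLATILE misses it entirely, which is why the auth files get the full attribute set.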
Thanks, that helps! I was thinking I need to refine my aide.conf and cut back on /etc like you mentioned, since my old 200 MHz PC takes 45 minutes to an hour to do the aide --check.
Last edited by linuxhippy; 10-15-2006 at 02:48 PM.
AIDE is out of control
Aide is well-tested, supported and actively maintained (new release was out a week ago). It is configurable and fast. It can check a lot of details which, especially on distributions with a rudimentary out of the box package management system like Slackware, can only be a good thing. Can't even compare your md5sum+spreadsheet "solution" with that.
ah, I realized I should've had = signs there and changed norm to normal.
I didn't see you edit your previous post to reflect local changes?
wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.
Apart from QEMU lag this can even be faster if you're more precise on what to check.
# Here are some recommended declarations from unSpawn/LQ
# He writes: "As you can see the NORMAL rule WILL cause a
# lot of static when used on the contents of /etc because
# you'll be (re)configuring stuff and normal ops will change
# some stuff. So basically you want to do a "minimal" check
# as was offered in the default config"
Depends on how volatile the contents are and how exposed the box is (multiple admins, publicly accessible box). If it's just a few files, then strict checking should be done, because it's easy to give only those few exceptions the less strict treatment. If you opt for overall "weak" checking of /etc, then I suggest you at least give these (and any other access and auth related files) the full check attribs:
/etc/passwd
/etc/group
/etc/gshadow
/etc/shadow
/etc/sudoers
# I suppose this is the master rule to apply to any and/or all
# files and folders unless explicitly defined otherwise herein?
#Selection regexp rule
@@{TOPDIR}/.* Norm
May be personal, but I never used these. If you do it relies on declaration of
Code:
@@ifndef TOPDIR
@@define TOPDIR /
@@endif
at the top of your aide.conf (you didn't post the whole config), then tune the other regex rules, because !@@{TOPDIR}/.*~
I definitely would want to know about edit leftovers in the root, and !@@{TOPDIR}/src/.*\.o
I don't have any /src dir, let alone /src/*.o files.
/home$ DIR
Isn't the notation "=/home$"?
/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?
/var/log p+n+u+g
Recursive scan of /var/log, but no files are scanned with the "S" attribute.
Doesn't this give a load of alerts?
Quote:
Originally Posted by Old_Fogie
hi all,
linuxhippy where do you put the aide.conf file for your slack 11? There is a sample config file in the readme.html, but they don't say where it goes.
I keep my aide.conf, aide.db.gz, aide binary, and aide source on a read-only usb thumb drive. I then execute the binary off the usb and tell it that the conf is on the /mnt/sda1/aide directory on my thumb drive. It writes the new db file and log file on my harddrive which I then move to my thumb drive once it is writable. I then remove the thumb drive from my pc so that intruders wouldn't know what directories on my pc are being checked. I should burn the db file on a cd I'd imagine.
/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?
I was merely guessing (cuz I am not really well versed) that I would encounter long scans of the /proc and /dev directories like I did when I tried using the find command and checksum that way w/a slax live cd.
I had said: It was able to get thru the /proc directory now that I wasn't actually running Linux. It md5summed every file. Wow, I never saw an 80 gig text file before LOL.
to which you had said: It's a waste of time to hash /proc and /dev contents.
So I was kind of interpreting that to mean that even with AIDE I might have the same issue, so I was leaving it out. As well, I really don't know what I'm doing ...but I'm trying
Ok, I will add them in and make the other corrections you showed there, and then make a new database, rescan, and then post my configuration.
I'm really shooting to just make this a typical home user baseline setup and I actually would like to submit it to LQ for newcomers like myself.
Thank you a lot, unSpawn, I really really appreciate your help here.
@linuxhippy: I actually had to dig out a camera flash card; I didn't realize that an un-gzipped db was going to be 28 meg for a "full-noob install" of Slackware. I later gzipped it using the CLI interface and it dropped down to about 8 meg. I wonder if AIDE supports bzip; that might be even smaller. I think your idea of the CD to hold the binary, the manuals, source install tarballs is a good idea. I think I'm going to build this as 'static' and burn it that way.
ps..gosh, this Firefox 2.0 with typing text is brutal, I gotta put back in my old version. It most certainly is not 'WYSIWYG'.
I really don't know what I'm doing ...but I'm trying
Oh well, you're doing great.
I wonder if AIDE supports bzip; that might be even smaller.
Just add a request on Aide's SF tracker (http://sourceforge.net/tracker/?grou...76&atid=581582) or the SF Aide-devel mailing list. The developers are exceptionally friendly and professional.
The previous post I made seems to be pretty nice for my needs.
In my /mnt on one computer I have two partitions that are solely for data from users. What would be a good check on that? I thought it was pretty neat that the above caught the fact that I plugged in my thumbdrive doohickey too.
Are there any recommendations for applications like rkhunter's database? Not sure how I would address that one either.