LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-14-2006, 08:15 PM   #1
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207

Rep: Reputation: 47

I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection. I have an aide0.12 binary for Slackware and it installed ok. It needs an aide.conf file...could someone post a sample for somebody fairly new to the server world? I installed Slackware 11 without an X session.

I got aide using yum on my Fedora Core box and it came with a sample aide.conf file:

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:hostort:database:login_nameasswd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S

# You can create custom rules like this.

NORMAL = R+b+sha1

DIR = p+i+n+u+g

# Next decide what directories/files you want in the database.

/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL

/var/log p+n+u+g

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR

I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.

Last edited by unSpawn; 10-15-2006 at 06:26 AM. Reason: //restore 0-reply status
 
Old 10-15-2006, 08:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection.
Ten bonus points for doing the right thing...


I got aide using yum on my Fedora Core box and it came with a sample aide.conf file (..) I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
As you can see the NORMAL rule WILL cause a lot of static when used on the contents of /etc because you'll be (re)configuring stuff and normal ops will change some stuff. So basically you want to do a "minimal" check as was offered in the default config:
Code:
ETC = p+i+u+g+sha1
VOLATILE = p+u+g
and then add custom rules to tweak often changed files (these are just examples, OK):
Code:
/etc ETC
/etc/adjtime VOLATILE
/etc/mtab VOLATILE
/etc/snort VOLATILE
Next to that some root directories aren't checked (/opt, /misc, /initrd): see if you want to include those. /tmp and /var/tmp and other dir contents aren't checked as well, and you will not want that because they will cause a lot of static as well, but being paranoid you might want to check the dir entries themselves:
Code:
=/mnt$ DIR
=/home$ DIR
=/var/log$ DIR
=/tmp$ DIR
=/var/tmp$ DIR
=/lost\+found
* Note there's a lost+found on every partition.

Once the reconfig/update dust is settled and your server is production-ready run a check, add custom rules to your servers aide.conf and initialise the database. Finally make certain you stash a copy of the binary, all configs and databases off-site.
 
Old 10-15-2006, 01:47 PM   #3
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207

Original Poster
Rep: Reputation: 47
Thanks-that helps! I was thinking I need to refine my aide.conf and cut back on /etc like you mentioned since my old 200 MHz pc takes 45 minutes to an hour to do the aide --check.

Last edited by linuxhippy; 10-15-2006 at 01:48 PM.
 
Old 10-24-2006, 01:14 AM   #4
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
hi all,

linuxhippy where do you put the aide.conf file for your slack 11? There is a sample config file in the readme.html, but they don't say where it goes.

edit: don't bother, I'm gonna md5 the drive and use a spreadsheet, AIDE is out of control, bye for now.

Last edited by Old_Fogie; 10-24-2006 at 01:57 AM.
 
Old 10-24-2006, 05:53 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
AIDE is out of control
Aide is well-tested, supported and actively maintained (new release was out a week ago). It is configurable and fast. It can check a lot of details which, especially on distributions with a rudimentary out of the box package management system like Slackware, can only be a good thing. Can't even compare your md5sum+spreadsheet "solution" with that.
 
Old 10-25-2006, 03:28 PM   #6
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
removed not to confuse others. will have to revisit this.

Last edited by Old_Fogie; 08-02-2007 at 11:14 AM.
 
Old 10-26-2006, 12:07 AM   #7
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
ah, I realized I should've had = signs there and changed norm to normal.

wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.

edit: came back and fixed my spelling. something is wierd with new firefox 2.0 for me, text get's garbled up.

Last edited by Old_Fogie; 10-26-2006 at 12:11 AM.
 
Old 10-26-2006, 06:44 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
ah, I realized I should've had = signs there and changed norm to normal.
I didn't see you edit your previous post to reflect local changes?


wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.
Apart from QEMU lag this can even be faster if you're more precise on what to check.


# Here are some recommended declaration's from unspawn/LQ
# He write's “As you can see the NORMAL rule WILL cause a
# lot of static when used on the contents of /etc because
# you'll be (re)configuring stuff and normal ops will change
# some stuff. So basically you want to do a "minimal" check
# as was offered in the default config”

Depends on how volatile the contents are and how exposed the box is (multiple admins, public accessable box). If it's just a few files, then strict checking should be done because it's easy to give only that few exceptions the lesser strict treatment. If you opt for overall "weak" checking of /etc, then I suggest you at least give these (and any other access and auth related files) the full check attribs:
/etc/passwd
/etc/group
/etc/gshadow
/etc/shadow
/etc/sudoers


# I suppose this is the master rule to apply to any/and or all
# files and folder's unless explicitly defined otherwise herein?
#Selection regexp rule
@@{TOPDIR}/.* Norm

May be personal, but I never used these. If you do it relies on declaration of
Code:
@@ifndef TOPDIR
@@define TOPDIR /
@@endif
at the top of your aide.conf (you didn't post the whole config), then tune the other regex rules, because
!@@{TOPDIR}/.*~
I definately would want to know about edit leftovers in the root, and
!@@{TOPDIR}/src/.*\.o
I don't have any /src dir, let alone /src/*.o files.


/home$ DIR
Isn't the notation "=/home$"?


/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?


/var/log p+n+u+g
Recursive scan of /var/log, but no files are scanned with the "S" attribute.
Doesn't this give a load of alerts?
 
Old 10-26-2006, 12:26 PM   #9
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by Old_Fogie
hi all,

linuxhippy where do you put the aide.conf file for your slack 11? There is a sample config file in the readme.html, but they don't say where it goes.
I keep my aide.conf, aide.db.gz, aide binary, and aide source on a read-only usb thumb drive. I then execute the binary off the usb and tell it that the conf is on the /mnt/sda1/aide directory on my thumb drive. It writes the new db file and log file on my harddrive which I then move to my thumb drive once it is writable. I then remove the thumb drive from my pc so that intruders wouldn't know what directories on my pc are being checked. I should burn the db file on a cd I'd imagine.
 
Old 10-26-2006, 10:16 PM   #10
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Hello Gent's,

Thank you for the replies.

@unspawn:
Quote:
/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?
I was merely guessing (cuz I am not really well versed) that I would encounter long scans of the /proc and /dev directories like I did when I tried using the find command and checksum that way w/a slax live cd.

We spoke about this here:
http://www.linuxquestions.org/questi...p?t=491396#top

I had said:
It was able to get thru the /proc directory now that I wasn't actually running linux. It md5sum every file. Wow I never saw an 80 gig text file before LOL.

to which you had said :Its a waste of time to hash /proc and /dev contents.

So I was kind of interpreting that to mean that even with AIDE I might have the same issue, so I was leaving it out. as well, I really don't know what I'm doing ...but I'm trying

Ok I will add them in and make the other corrections you shown there, and then make a new database and rescan and see then post my configuration.

I'm really shooting to just make this for a typical home user baseline setup and I actually would like to submit it to LQ for newcomer's like myself .

Thank you alot unspawn I really really appreciate your help here.

@linuxhippy: I actually had to dig out a camera flash card I didnt realize that an un gzipped db was going to be 28 meg for a "full-noob install" of slackware. IIlater gzipped it using cli interfacae and it dropped down to about 8 meg. I wonder if AIDE supports bzip that might be even samaller. think your idea of the cd to have the binary, the manuals, source install tarballs is a good idea. I think I'm going to build this as 'static' and burn that way.

ps..gosh this firefox 2.0 with typping textt s brutal I gotta a put back in my old version. it most certainly is not 'wysiwig'
 
Old 10-27-2006, 03:41 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I really don't know what I'm doing ...but I'm trying
Oh well, you're doing great.


I wonder if AIDE supports bzip that might be even samaller.
Just add a request on Aide's SF tracker (http://sourceforge.net/tracker/?grou...76&atid=581582) or the SF Aide-devel mailinglist. The developers are exceptionally friendly and professional.
 
Old 10-27-2006, 05:05 AM   #12
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
OKAY! Here Is My Work In Progress :D

edited, a few months later not really liking what I have removed not to confuse others.

Last edited by Old_Fogie; 08-02-2007 at 11:11 AM.
 
Old 11-02-2006, 04:45 AM   #13
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Rep: Reputation: 63
Hi all,

Just an update and question.

The previous post I made seems to be pretty nice for my needs.

In my /mnt on one computer I have two partitions, that are solely for data from users. What would be a good check on that? I thought it was pretty neat the above caught the fact that I plugged in my thumbdrive doo hickey too.

Are there any recommendations for applications like rkhunter's database? Not sure how I would address that one either.

thank you in advnace
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
tripwire vs. aide ddaas Linux - Security 12 06-03-2005 11:43 AM
how to configure Aide? moonloader Linux - Software 5 08-18-2004 07:24 PM
AIDE Probs in HP-Ux opensrc_eng Linux - Security 1 02-12-2004 01:09 PM
aide conf f1uke Linux - Security 1 07-29-2003 07:38 PM
aide cuckoopint Linux - Security 3 04-22-2003 02:50 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration