LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-28-2007, 10:54 AM   #1
shjrgray
LQ Newbie
 
Registered: Aug 2006
Distribution: centos 5
Posts: 6

Rep: Reputation: 0
interpreting aide output -- sudo changed?!


Hi all,

I am a newbie hobbyist-level sysadmin and just installed aide for the first time (on CentOS 5), and like it a lot. (unfortunately I only set up aide a couple of weeks or so after I had the box connected to the internet, so my baseline for changes is not fully trustworthy.) I think I should have a pretty secure set up: a firewall, all ports closed except ssh (22), lots of extra services turned off, selinux enforcing, no root login, tcpwrappers. I have some other users, but have not given them the root password, and I have not downloaded software except for nomachine's nxclient, which I figure should be reasonably safe (although I wish they had md5 checksums, which they don't, argh). (I have added a couple of other boring packages via yum install, like nx and freenx, and have matlab.) so I think it should be a relatively secure setup.

in the aide reports (generated hourly by cron in the event of a change), how do I know what changes to worry about? I have googled for something like a list of "if you are monitoring /etc, and you see /etc/<example> changed, it probably means y, or you might want to check whether....". is there such a list somewhere? what motivates me is recent changes to /usr/bin/sudo, which I was not expecting.

I have aide configured to monitor /etc, and see that /etc/prelink.cache changed, which I am guessing is due to having installed some new software (I did install some), so I am guessing that the prelink cache was updated. so I am not worried about that.

however, aide squawks about /usr/bin/sudo and sudoedit having changed, which happened between 4am and 5am. I don't like the look of this, but then maybe it was due to cron.daily or weekly firing off at 4:02am (or 4:22am) as crontab has:

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

in an ls -l I don't see anything obvious about the files themselves that has changed (permissions, size, date), but obviously if the box is compromised then all bets are off on relying on ls output:
---s--x--x 2 root root 159096 Jan 6 18:41 /usr/bin/sudo
---s--x--x 2 root root 159096 Jan 6 18:41 /usr/bin/sudoedit

is there something normal that SHOULD change /usr/bin/sudo and sudoedit through a cron.daily / weekly job on CentOS 5 (the way that adding a package would change prelink.cache)? or has my happy little box been pwned, perhaps by some blackhat guessing correctly that I would have the default time values in crontab, and so knew that would be a good time for mischief?

and, anticipating future messages from aide about changes, is there something somewhere about interpreting aide output--what events are expected to trigger changes? under what conditions should key system files be expected to change?

thanks much!

Last edited by shjrgray; 05-28-2007 at 11:07 AM.
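A triage helper for the question above, written as an added example (not code from the thread or from the AIDE project): it parses a constructed AIDE 0.13-style report and labels each changed file by which attributes moved. The rule that matters for the sudo case is a hash change with mtime left alone: on CentOS the prelink job in /etc/cron.daily rewrites ELF binaries in place, changing contents, inode and ctime while restoring the original modification time, and a binary tampered with and given a forged timestamp looks the same, so both get "investigate" with a pointer to rpm -Vf and prelink -u. The paths and values in the sample are constructed.

```python
import re

# Constructed sample in the layout AIDE 0.13 uses for its detailed section:
# one 'File:' block per changed path, each attribute as 'old , new'.
SAMPLE_REPORT = """\
File: /etc/prelink.cache
  Size     : 321988                           , 324101
  Mtime    : 2007-05-27 04:05:31              , 2007-05-28 04:05:33
  MD5      : b1a2c3d4e5f60718293a4b5c6d7e8f90 , 0f9e8d7c6b5a49382716f6e5d4c3b2a1

File: /usr/bin/sudo
  Ctime    : 2007-05-27 04:05:40              , 2007-05-28 04:05:41
  Inode    : 131201                           , 131217
  MD5      : 11111111111111111111111111111111 , 22222222222222222222222222222222

File: /bin/ls
  Ctime    : 2007-05-27 04:05:42              , 2007-05-28 04:05:43
  Inode    : 131300                           , 131305
"""
HASHES = {"MD5", "SHA1", "SHA256", "RMD160", "TIGER", "CRC32"}
# Files that routine jobs rewrite (package installs, the prelink cron job).
EXPECTED_CHURN = {"/etc/prelink.cache"}

def parse_report(text):
    """Return {path: {attribute: (old, new)}} from the detailed-changes section."""
    changes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"File: (\S+)$", line)
        if m:
            current = changes.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return changes

def triage(path, attrs):
    """Label one changed file 'expected', 'check' or 'investigate', with the reason."""
    changed = set(attrs)
    if path in EXPECTED_CHURN:
        return ("expected", "rewritten by package installs and the prelink cron job")
    if not changed & HASHES:
        return ("check", "metadata only (ctime/inode/link count); contents unchanged")
    if "Mtime" in changed:
        return ("check", "contents and mtime changed; confirm a package update (yum log, rpm -Vf)")
    # Contents changed while mtime stayed put: an in-place rewrite that restores
    # the timestamp (prelink does this) or a tampered file with a forged mtime.
    return ("investigate", "contents changed, mtime kept; run 'rpm -Vf PATH' and compare 'prelink -u'")

def triage_report(text):
    return {p: triage(p, a) for p, a in parse_report(text).items()}
```

Feed it the detailed section of a real report (the text after "Detailed information about changes:") and check anything marked "investigate" from a live CD rather than from the running system.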
 
Old 05-29-2007, 02:02 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I am no security expert, but here are my two cents worth. Evaluate them for what they are worth.

I can think of no reason why sudo would have changed unless it was from a software update. In which case, I would have expected its modification date to have changed. This would generally be true of all binaries (executables). But you might want to consider whether a (possibly automatic) update occurred.

You can use a live CD to get reliable reports about size, dates and anything else, since the live CD will be using guaranteed uncompromised utilities. I also know that the Knoppix live CD contains a copy of chkrootkit. You can run it from the CD with the -r option to check your hard drive.

As far as security holes in your configuration go, you might want to check out your ssh configuration. There are plenty of articles on the Internet about securing it. While I have not seen too much on my home setup, reports are that there are constant attacks looking for weak ssh configurations, weak passwords, etc.

EDIT: I did not mean to imply that chkrootkit is the only tool worth using for checking for compromise or that chkrootkit's finding no problem means that your system is not compromised. But it is a tool that I know exists on Knoppix. You might want to check out some of the specifically security oriented live CDs also.

EDIT2: While running ls from a live CD will give you accurate reports about the time stamps on a file, that is no guarantee that the times contained in the filesystem were not forged. But I think the size would have to be accurate.

Last edited by blackhole54; 05-29-2007 at 02:14 AM.
 
Old 05-29-2007, 11:11 PM   #3
shjrgray
LQ Newbie
 
Registered: Aug 2006
Distribution: centos 5
Posts: 6

Original Poster
Rep: Reputation: 0
thanks blackhole54, I've burned a Knoppix security cd, will play with it.