Re: aide, apt-get and remote management...

2003-12-12 Thread Adam ENDRODI
On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:
> 
> We don't use AIDE exclusively at a client site, but in combination
> with Tripwire.  We think tripwire is a little more secure because it
> uses signed databases.

Perhaps the following ./configure options will prove themselves
useful:
  --with-confighmactype=TYPE  Hash type to use for checking config.
                              Valid values are md5 and sha1.
  --with-confighmackey=KEY    HMAC hash key to use for checking config.
                              Must be a base64 encoded byte stream.
                              Maximum string length is 31 chars.
  --with-dbhmactype=TYPE      Hash type to use for checking db.
                              Valid values are md5 and sha1.
  --with-dbhmackey=KEY        HMAC hash key to use for checking db.
                              Must be a base64 encoded byte stream.
                              Maximum string length is 31 chars.
  --enable-forced_configmd    Forces the config to have checksum.
                              Also disables --config-check
  --enable-forced_dbmd        Forces the file/pipe database's to have checksum.
                              This will be the default in the next release.

bit,
adam

-- 
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?| 82DD 54C2 843D 37B8 D989
Renegade?  | http://sks.dnsalias.net
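As an added illustration (not AIDE's own code or on-disk format) of what the --with-dbhmactype/--with-dbhmackey build options above provide: the integrity database carries a keyed hash, so an entry edited by someone without the build-time key no longer verifies. The trailer layout, the base64 key and the sample entries are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Keyed-hash protection for an integrity database, modelled on the
# --with-dbhmactype (md5|sha1) / --with-dbhmackey (base64, <= 31 chars)
# options. Trailer format and database layout are assumptions, not AIDE's.

MAX_KEY_CHARS = 31  # limit stated for the configure option

def load_key(b64_key: str) -> bytes:
    """Decode the base64 key string the way the configure option requires."""
    if len(b64_key) > MAX_KEY_CHARS:
        raise ValueError("key string longer than %d chars" % MAX_KEY_CHARS)
    return base64.b64decode(b64_key, validate=True)

def build_db(entries: dict) -> str:
    """Serialise path -> file bytes into 'path sha1' lines (assumed layout)."""
    lines = ["%s %s" % (path, hashlib.sha1(data).hexdigest())
             for path, data in sorted(entries.items())]
    return "\n".join(lines) + "\n"

def seal(db_text: str, key: bytes, hmactype: str = "sha1") -> str:
    """Append an HMAC trailer; hmactype is md5 or sha1 as the option allows."""
    tag = hmac.new(key, db_text.encode(), hmactype).hexdigest()
    return db_text + "@@hmac %s %s\n" % (hmactype, tag)

def verify(sealed: str, key: bytes) -> bool:
    """Recompute the tag over everything before the trailer; constant-time compare."""
    body, _, trailer = sealed.rstrip("\n").rpartition("\n")
    fields = trailer.split()
    if len(fields) != 3 or fields[0] != "@@hmac" or fields[1] not in ("md5", "sha1"):
        return False
    expected = hmac.new(key, (body + "\n").encode(), fields[1]).hexdigest()
    return hmac.compare_digest(expected, fields[2])

# Constructed sample: two "files" and a 24-char base64 key (under the 31-char cap).
KEY = load_key("c2VjcmV0LWFpZGUta2V5MDE=")
SAMPLE = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
          "/bin/login": b"\x7fELF-constructed\n"}

def demo() -> tuple:
    """Return (genuine db verifies, db with one entry rewritten verifies)."""
    sealed = seal(build_db(SAMPLE), KEY)
    # Rewrite the /bin/login hash but keep the old trailer: tag no longer matches.
    good_hash = hashlib.sha1(SAMPLE["/bin/login"]).hexdigest()
    tampered = sealed.replace(good_hash, hashlib.sha1(b"replaced").hexdigest())
    return verify(sealed, KEY), verify(tampered, KEY)
```

The key is fixed at build time, so the check only holds as long as the aide binary itself is trusted, which is why the reply below keeps the database under a second tool as well.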

Re: aide, apt-get and remote management...

2003-12-12 Thread Lupe Christoph
Hello!

We don't use AIDE exclusively at a client site, but in combination
with Tripwire.  We think tripwire is a little more secure because it
uses signed databases. So we protect aide.db with Tripwire. AIDE is
used for the parts tripwire can't do because of its limited
configurability.

Here is an AIDE policy we use at the client site:

=/root$ StaticDir
/root/.bash_history Databases
/root/.ncftp/prefs ConfFiles
/root/.ncftp/firewall ConfFiles
/root/.ncftp/prefs_v3 ConfFiles
/root/.ncftp Databases
/root/.razor/razor-agent.conf ConfFiles
/root/.razor/ Databases
/root/.spamassassin Databases
/root/.viminfo Databases
/root/ ConfFiles

/etc$ StaticDir
/etc/ntp.drift Databases
/etc/ ConfFiles

/dev$ StaticDir
/dev/ Databases
=/dev/pts$ StaticDir
!/dev/pts/

/var/run$ StaticDir
/var/run/ Databases

=/etc/tripwire$ R-tiger-rmd160-sha1
/etc/tripwire/pinot-local.key   R
/etc/tripwire/site.key          R
/etc/tripwire/tw.cfg            R
/etc/tripwire/twcfg.txt         R
/etc/tripwire/twpol.txt         E+p+n+u+g
/etc/tripwire/tw.pol            E+p+n+u+g
/etc/tripwire/tw.pol.bak        E+p+n+u+g


This is the twpol.txt:

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /boot               -> $(SEC_CRIT) ;
  /lib/modules        -> $(SEC_CRIT) ;
}
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /bin                -> $(SEC_BIN) ;
  /sbin               -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /lib                -> $(SEC_BIN) ;
}
#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /var/lock           -> $(SEC_CONFIG) ;
# /var/run            -> $(SEC_CONFIG) ; # daemon PIDs
# /var/log            -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /dev                -> $(Device) ;
  !/dev/pts ;
# /proc               -> $(Device) ;
  /proc/bus           -> $(Device) ;
  /proc/cmdline       -> $(Device) ;
  /proc/cpuinfo       -> $(Device) ;
  /proc/devices       -> $(Device) ;
  /proc/dma           -> $(Device) ;
  /proc/driver        -> $(Device) ;
  /proc/execdomains   -> $(Device) ;
  /proc/fb            -> $(Device) ;
  /proc/filesystems   -> $(Device) ;
  /proc/fs            -> $(Device) ;
  /proc/ide           -> $(Device) ;
  /proc/interrupts    -> $(Device) ;
  /proc/iomem         -> $(Device) ;
  /proc/ioports       -> $(Device) ;
  /proc/irq           -> $(Device) ;
  /proc/kcore         -> $(Device) ;
  /proc/kmsg          -> $(Device) ;
  /proc/ksyms         -> $(Device) ;
  /proc/loadavg       -> $(Device) ;
  /proc/locks         -> $(Device) ;
  /proc/mdstat        -> $(Device) ;
  /proc/meminfo       -> $(Device) ;
  /proc/misc          -> $(Device) ;
  /proc/modules       -> $(Device) ;
  /proc/mounts        -> $(Device) ;
  /proc/mtrr          -> $(Device) ;
  /proc/net           -> $(Device) ;
  /proc/partitions    -> $(Device) ;
  /proc/pci           -> $(Device) ;
  /proc/self          -> $(Device) ;
  /proc/slabinfo      -> $(Device) ;
  /proc/stat          -> $(Device) ;
  /proc/swaps         -> $(Device) ;
  /proc/sys           -> $(Device) ;
  /proc/sysvipc       -> $(Device) ;
  /proc/tty           -> $(Device) ;
  /proc/uptime        -> $(Device) ;
  /proc/version       -> $(Device) ;
}
#
# Binaries
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
  /usr/local/sbin     -> $(SEC_BIN) ;
  /usr/local/bin      -> $(SEC_BIN) ;
  /usr/sbin           -> $(SEC_BIN) ;
  /usr/bin            -> $(SEC_BIN) ;
}
#
# Libraries
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
  /usr/local/lib      -> $(SEC_BIN) ;
  /usr/lib            -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
  rulename = "Invari
