Re: AIDE Information Overload

2002-10-22 Thread andrew lattis
On 2002/10/22 04:27:26PM +0200, Tue, Kjetil Kjernsmo wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi folks!
 
 I'd like to ask what people do with their AIDE output at times when a 
 lot of things change on their system?
 
 I've gone through the AIDE configuration, and I feel like having 
 configured it well, to catch the things that might be trojaned while 
 leaving out things that I would certainly change often.
 
 But I'm working a lot on the system these days, so the output just keeps 
 growing out of hand really quick. I get a Too Much Information problem 
 within a week of having created the database. Last night's output was 
 close to 3000 lines, but I've had up to 6 lines of output there... 
 I find it hard to keep up at all when the output exceeds a hundred 
 lines. 
 
 So, I've got to do something, but I don't really understand what. 
 aide --update, ok, but what does that really mean? It just creates a new 
 database to compare with the old, but then, I should keep the old, 
 because there are too many changes for me to keep up and be certain 
 that nothing Bad[tm] has slipped in. But if I do, the problem just 
 keeps growing... 
 
 So I hope the kind folks here can offer some advice... :-) 
 
 Best,
 
 Kjetil
 - -- 
 Kjetil Kjernsmo
 Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
 [EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
 Homepage: http://www.kjetil.kjernsmo.net/
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.7 (GNU/Linux)
 
 iD8DBQE9tWBllE/Gp2pqC7wRAh2mAJwLpsL5PmPehawrkmOC368xMsFENQCdHevV
 w81q6a0R1km8GbjxGTcZFng=
 =sOls
 -END PGP SIGNATURE-

i've only got 20 or so servers to deal with but i know what you mean.
i use a shell script to create system backups; i added an option to it
to do an aide backup which basically consists of

'tar -cvpWf aide.$date.tar /var/lib/aide/aide.db /etc/aide/aide.conf /usr/bin/aide 
/var/cache/apt/archives/aide_*.deb'

then scp that to a backup server where it goes through my normal
process, except these files never get deleted from disk/tape. so i can always 
go back and see what happened if needed. 

i also like to keep a separate mbox for each server where i can save all
the interesting logcheck, aide, etc output.

as far as keeping things small, i usually just do an aide --update the
day after i've made any changes, i go through the output to make sure
the only changes are what i expected.

hope this helps



msg07488/pgp0.pgp
Description: PGP signature


Re: AIDE Information Overload

2002-10-22 Thread Arthur de Jong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 22 Oct 2002, Kjetil Kjernsmo wrote:

 I'd like to ask what people do with their AIDE output at times when a
 lot of things change on their system?

 I've gone through the AIDE configuration, and I feel like having
 configured it well, to catch the things that might be trojaned while
 leaving out things that I would certainly change often.
 ...

I use aide on several machines but it is not really useful on for example
a Debian/unstable machine or a machine that has a lot of changing files
where aide is used to inspect development files.

The approach I take is that when aide reports some changes I check that
the changes are normal, optionally change aide.conf if the changes are
regular and appropriate. After that I regenerate the database and save it
as aide.db.mmdd and provide a symlink to aide.db.

Apart from that I also use tools like debsums to keep me informed of
integrity (although a lot of packages don't provide all or correct
md5sums) (maybe I should file some bugreports for wrong md5sums)

- -- arthur - [EMAIL PROTECTED] - 
http://tiefighter.et.tudelft.nl/~arthur --
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE9tWUfVYan35+NCKcRAvTEAJ0SUrVSNwRgo2bgGmK5ea12Yb6OdQCfXfq5
JiY7Y3OOzlClgLBqwb8bAcg=
=zYNE
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
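Andrew's approach (tar up database, config and binary, ship it off and never delete it) and Arthur's (regenerate, keep a dated aide.db.* and point a symlink at it) fit together into one routine. The script below is an added example written for this thread, not something posted in it. The Debian paths are the ones quoted above and aide.db.new is the output file Tim's script moves into place; the archive directory, the placeholder backup host, and the `aide --init --config=...` invocation are assumptions to adapt to your installation.

```sh
#!/bin/sh
# Added example, not from the thread: archive the current AIDE state, then
# regenerate the database and rotate a dated copy into place, leaving
# aide.db as a symlink to the newest database (Arthur's layout) and the old
# state in a tarball that is never deleted (Andrew's layout).
set -eu

AIDE_DIR=${AIDE_DIR:-/var/lib/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/backups/aide}      # assumption: local staging dir
BACKUP_HOST=${BACKUP_HOST:-backup.example.invalid}  # assumption: placeholder host

# Timestamp used for both the tarball and the rotated database name.
stamp() { date +%Y%m%d-%H%M; }

# archive_state DBDIR CONF BIN STAMP OUTDIR -> path of the tarball written.
# Database, config and the binary that produced them travel together, so a
# report from months ago can be re-checked with the tooling of its time.
archive_state() {
    as_dir=$1; as_conf=$2; as_bin=$3; as_stamp=$4; as_out=$5
    mkdir -p "$as_out"
    as_tar=$as_out/aide.$as_stamp.tar
    tar -cf "$as_tar" "$as_dir/aide.db" "$as_conf" "$as_bin"
    tar -tf "$as_tar" >/dev/null        # fail loudly if the archive is unreadable
    printf '%s\n' "$as_tar"
}

# rotate_db DBDIR STAMP -> name of the database aide.db now points to.
# Expects DBDIR/aide.db.new, the file aide --init writes on Debian. A plain
# aide.db from a pre-symlink setup is preserved rather than overwritten.
rotate_db() {
    rd_dir=$1; rd_stamp=$2
    if [ ! -f "$rd_dir/aide.db.new" ]; then
        echo "rotate_db: no $rd_dir/aide.db.new to rotate" >&2
        return 1
    fi
    if [ -f "$rd_dir/aide.db" ] && [ ! -L "$rd_dir/aide.db" ]; then
        mv "$rd_dir/aide.db" "$rd_dir/aide.db.pre-$rd_stamp"
    fi
    mv "$rd_dir/aide.db.new" "$rd_dir/aide.db.$rd_stamp"
    chmod 0600 "$rd_dir/aide.db.$rd_stamp"
    ln -sf "aide.db.$rd_stamp" "$rd_dir/aide.db"
    readlink "$rd_dir/aide.db"
}

# One full cycle, to be run only after the previous report has been read and
# every change in it explained: archive, regenerate, rotate, ship offsite.
run_cycle() {
    rc_stamp=$(stamp)
    rc_tar=$(archive_state "$AIDE_DIR" "$AIDE_CONF" "$AIDE_BIN" "$rc_stamp" "$ARCHIVE_DIR")
    "$AIDE_BIN" --init --config="$AIDE_CONF"     # writes $AIDE_DIR/aide.db.new
    rotate_db "$AIDE_DIR" "$rc_stamp"
    scp -p "$rc_tar" "$BACKUP_HOST:aide/"        # assumption: remote dir exists
}

case ${1:-} in
    run) run_cycle ;;
    *)   echo "usage: $0 run" >&2 ;;
esac
```

Run it as `aide-rotate.sh run` the day after a batch of changes, once the report has been read; the archive step comes before `--init` so the database that produced the last report is the one that gets kept.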




Re: AIDE Information Overload

2002-10-22 Thread Tim Haynes
Arthur de Jong [EMAIL PROTECTED] writes:

 On Tue, 22 Oct 2002, Kjetil Kjernsmo wrote:

 I'd like to ask what people do with their AIDE output at times when a
 lot of things change on their system?

 I've gone through the AIDE configuration, and I feel like having
 configured it well, to catch the things that might be trojaned while
 leaving out things that I would certainly change often.

 I use aide on several machines but it is not really useful on for
 example a Debian/unstable machine or a machine that has a lot of changing
 files where aide is used to inspect development files.

I use it here on a basically Testing box - I've just automated the daily
upgrade process so that it re-runs aide immediately after the dist-upgrade.
That way I get all changes to important bits of the filesystem since the
last package upgrade every day in the mail. (It's partly a matter of policy
to use this script rather than wedging things by hand.)



#!/bin/sh

PATH=/sbin:/usr/sbin:/bin:/usr/bin ; export PATH

apt-get update
chmod -R og=rX /var/lib/apt/lists /var/cache/apt/archives

nice apt-get -u dist-upgrade

echo
echo All done. Now running AIDE
echo

cd /var/lib/aide && nice nice aide -i && mv aide.db.new aide.db && echo Cool

echo


~Tim
-- 
http://spodzone.org.uk/






Re: AIDE Information Overload

2002-10-22 Thread andrew lattis
On Tue, 22 Oct 2002, Arthur de Jong wrote:

 Apart from that I also use tools like debsums to keep me informed of
 integrity (although a lot of packages don't provide all or correct
 md5sums) (maybe I should file some bugreports for wrong md5sums)

you also might want to check out tiger, it will run debsums and it can
check your currently installed packages for security advisories as well
as a few other general security checks. although i've never seen an
email about security advisories, so i'm either missing something or
really quick to update

i like the idea of bugreports for missing md5sums, a few i'd really like
to see are sysvinit, bash, dpkg(?)





Re: AIDE Information Overload

2002-10-22 Thread Dion Mendel
Hi all,

I'm not providing an answer, but rather asking another question on
this topic.

Which files do people exclude when using integrity checkers
(e.g. aide/tripwire etc)?

Under normal system use, certain files do change
(e.g. /etc/mtab, /dev/tty*).  Including these files in the integrity
checker's database will certainly produce spurious warnings about file
modification each time the checker is run.

So what files are safe to exclude?  Is it really necessary to check
for modifications to /usr/share/doc/* ?

I've used tripwire but haven't used aide, so if aide automatically
handles changeable system files this is a moot question.

Dion.

-- 
Dion's Maxim:  If you are ever surprised at just how stupid people can be,
   then you haven't understood Dion's Maxim.






Re: AIDE Information Overload

2002-10-22 Thread Tim Haynes
[EMAIL PROTECTED] (Dion Mendel) writes:

 I'm not providing an answer, but rather asking another question on this
 topic.

 Which files do people exclude when using integrity checkers (e.g.
 aide/tripwire etc)?

 Under normal system use, certain files do change (e.g. /etc/mtab,

That does? Maybe on your box if you're [u]mounting things a lot, I suppose,
but that's not always the case. If it causes you hassle, ignore it by all
means :8)

 /dev/tty*). Including these files in the integrity checker's database
 will certainly produce spurious warnings about file modification each time
 the checker is run.

 So what files are safe to exclude? Is it really necessary to check for
 modifications to /usr/share/doc/* ?

I would say that it's possible a file could be created in any of those
directories (cf. where various trojans and worms and kits put their files
by default - /dev/.lib/, /usr/lib/ and so on), therefore it should be
checked. 
Run aide frequently and keep the number of files changed down by refreshing
the database every time you dist-upgrade; also, get used to what it tells
you - e.g. /dev/console and a few others changing is indicative of a reboot,
you soon get used to identifying that.

I've compromised on avoiding checking all of:

 | zsh/scr, potato  5:06PM # grep '^!' /etc/aide/aide.conf
 | !/var/log/snort
 | !/dev/pts
 | !/var/run
 | !/home  

but anything else is most definitely being checked, with various
combinations of options as per the default config file.

 I've used tripwire but haven't used aide, so if aide automatically
 handles changeable system files this is a moot question.

It handles them if you set it up properly ;8)

~Tim
-- 
http://spodzone.org.uk/


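Kjetil's problem is volume, and Tim's answer is to learn which changes have a boring explanation (a reboot, a dist-upgrade) so the rest stand out. Here is an added example, not from the thread, of a small filter that does that triage on a report before a human reads it. The line shape it parses (`added:`, `removed:` or `changed:` followed by a path) and the sample report are constructed for the example, so adjust the regex to whatever your AIDE version prints; the allowlist patterns and their reasons are assumptions drawn from the examples in this thread. Anything the allowlist matches is reduced to a one-word reason, so keep it short and review it the way you review aide.conf.

```sh
#!/bin/sh
# Added example, not from the thread: triage an AIDE report so that changes
# with a routine explanation (reboot, package upgrade) are labelled and the
# rest are put in front of the reviewer first.

# Allowlist: one "pattern reason" pair per line. The entries are assumptions
# taken from the thread's examples (/dev/console after a reboot, package
# metadata after an upgrade); anything matched here is never shown in full.
ALLOWLIST='
^/dev/console$       reboot
^/dev/tty[0-9]+$     reboot
^/etc/mtab$          mount-activity
^/var/lib/dpkg/      package-upgrade
^/var/cache/apt/     package-upgrade
'

# triage_report FILE
# Prints one line per reported change: "REVIEW kind path" for anything not
# on the allowlist, "EXPECTED kind path reason" otherwise, then a SUMMARY.
# The parsed shape, "added:/path", "removed:/path", "changed:/path", is the
# constructed format used by write_sample_report; adjust the regex in
# match() to what your AIDE version prints.
triage_report() {
    printf '%s\n' "$ALLOWLIST" | awk -v report="$1" '
        NF == 2 { pat[++n] = $1; why[n] = $2 }     # stdin: the allowlist
        END {
            while ((getline line < report) > 0) {
                if (!match(line, /^(added|removed|changed): */)) continue
                kind = substr(line, 1, index(line, ":") - 1)
                path = substr(line, RLENGTH + 1)
                reason = ""
                for (i = 1; i <= n; i++)
                    if (path ~ pat[i]) { reason = why[i]; break }
                if (reason == "") { print "REVIEW", kind, path; r++ }
                else              { print "EXPECTED", kind, path, reason; e++ }
            }
            printf "SUMMARY review=%d expected=%d\n", r + 0, e + 0
        }'
}

# count_for_review FILE -> number of changes that still need a human.
count_for_review() {
    triage_report "$1" | awk '$1 == "REVIEW" { n++ } END { print n + 0 }'
}

# write_sample_report FILE: a constructed report in the shape above (not
# real AIDE output), with one reboot, one mount, one upgrade and two
# changes nobody has explained yet.
write_sample_report() {
    cat > "$1" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2002-10-22 04:27:26
Summary:
Total number of files=31270,added files=1,removed files=0,changed files=5

Added files:
added:/usr/lib/libnewthing.so.1
Changed files:
changed:/dev/console
changed:/dev/tty1
changed:/etc/mtab
changed:/var/lib/dpkg/status
changed:/etc/shadow
EOF
}

demo=$(mktemp)
write_sample_report "$demo"
triage_report "$demo"
rm -f "$demo"
```

The REVIEW lines are the ones worth reading at 7am; the EXPECTED lines and the summary stay in the mail so the allowlist itself can be audited later, which is also why the filter labels rather than deletes.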




Re: AIDE Information Overload

2002-10-22 Thread Noah L. Meyerhans
On Tue, Oct 22, 2002 at 11:36:06PM +0800, Dion Mendel wrote:
 Which files do people exclude when using integrity checkers
 (e.g. aide/tripwire etc)?

I don't typically exclude many files, but I often limit the changes that
tripwire notifies me about.  For example, if one of my users changes
their password, I don't need to know that the md5 checksum of
/etc/shadow has changed.  However, if the link count, ownership, or
permissions of /etc/shadow change, I want to know about it.  Configuring
tripwire is fairly easy for this type of thing.  I'll happily share bits
of my policy file if you want.

I have very little experience with AIDE, so I don't know if it's
possible to do this type of thing with it.  I installed it for a short
while and found it unpleasant to work with.  I found tripwire to be
superior, and contrary to popular belief, it is at least as free as
AIDE.  See www.tripwire.org.  And note that this is not the same
tripwire that shipped with potato.  That version was ancient and slow
and bad.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




