
Re: aide, apt-get and remote management...



Hello!

We don't use AIDE exclusively at a client site, but in combination
with Tripwire.  We think Tripwire is a little more secure because it
uses signed databases. (That only buys something as long as the site
and local key passphrases are not kept on the monitored host: both
tools and both databases live on the same box, so an attacker with root
and the passphrases could simply re-sign.) So we protect aide.db with
Tripwire, and the AIDE policy below protects Tripwire's keys, config
and policy in turn. AIDE is used for the parts Tripwire can't do
because of its limited configurability.

Here is an AIDE policy we use at the client site:
------------------------------------------------------------------------
# /root: '=' plus '$' pins the rule to the directory inode itself, so the
# StaticDir group applies to /root only and does not descend into the tree.
=/root$ StaticDir
# Files root's tools rewrite in normal use get the lighter 'Databases'
# group. NOTE(review): StaticDir, Databases and ConfFiles are defined
# outside this excerpt (presumably the distribution's stock aide.conf);
# if Databases carries no checksum, an edited .bash_history is not
# reported -- confirm that is acceptable.
/root/.bash_history Databases
# ncftp settings are genuine configuration and are listed before the
# catch-all for ~/.ncftp. AIDE's rule selection is order-sensitive, so
# keep the specific entries ahead of the general ones.
/root/.ncftp/prefs ConfFiles
/root/.ncftp/firewall ConfFiles
/root/.ncftp/prefs_v3 ConfFiles
# Everything else under ~/.ncftp (presumably runtime state) changes often.
/root/.ncftp Databases
/root/.razor/razor-agent.conf ConfFiles
/root/.razor/ Databases
/root/.spamassassin Databases
/root/.viminfo Databases
# Catch-all: anything else under /root is treated as configuration.
/root/ ConfFiles

# /etc: the directory inode with StaticDir, then the whole tree as
# ConfFiles. ntp.drift is excepted because ntpd rewrites it in normal
# operation; with Databases only ownership/permission-type changes are
# reported for it.
/etc$ StaticDir
/etc/ntp.drift Databases
/etc/ ConfFiles

# /dev: directory inode, then every device node with the light group.
# '=/dev/pts$' keeps the mount point itself under watch while the '!'
# line drops everything below it -- pty slaves appear and vanish with
# every terminal session. Mirrors the "!/dev/pts" in the Tripwire policy
# below.
/dev$ StaticDir
/dev/ Databases
=/dev/pts$ StaticDir
!/dev/pts/

# /var/run (PID files, sockets) is handled by AIDE because the Tripwire
# policy below leaves its /var/run line commented out. Databases tolerates
# the per-boot churn while still catching owner/permission changes.
/var/run$ StaticDir
/var/run/ Databases

# Tripwire's own keys, configuration and policy are guarded by AIDE, while
# aide.db and aide.conf are guarded by Tripwire (see twpol.txt below):
# each tool watches the other's trust anchors.
#
# Directory inode only. By AIDE's default definition R contains md5 as its
# only checksum, so subtracting tiger/rmd160/sha1 is a no-op -- harmless,
# but misleading unless R was redefined in the part of aide.conf not shown.
=/etc/tripwire$			R-tiger-rmd160-sha1
# Keys and config get the full R group (inode, size, mtime, ctime,
# md5, ...): any change here is suspicious.
/etc/tripwire/pinot-local.key	R
/etc/tripwire/site.key		R
/etc/tripwire/tw.cfg		R
/etc/tripwire/twcfg.txt		R
# Policy files: E (empty group) plus permissions, link count, owner and
# group only -- no size, mtime, ctime or checksum. NOTE(review): a content
# edit that keeps mode and owner is therefore invisible to AIDE. tw.pol is
# signed by Tripwire, but the plaintext twpol.txt is not; if the light
# group was chosen to tolerate routine policy edits, consider at least
# +s+m+c here, or R once the policy is stable.
/etc/tripwire/twpol.txt		E+p+n+u+g
/etc/tripwire/tw.pol		E+p+n+u+g
/etc/tripwire/tw.pol.bak	E+p+n+u+g
------------------------------------------------------------------------

This is the twpol.txt (rule section only; the variable definitions for SEC_CRIT, SEC_BIN, SEC_CONFIG, SEC_INVARIANT, Device and the SIG_* severities are not shown):
------------------------------------------------------------------------
#
# Critical System Boot Files
# These files are critical to a correct system boot.
# SEC_CRIT and SIG_HI are defined in the variable section of twpol.txt,
# which is not quoted here. Kernel images and modules should only change
# during an explicit upgrade, so every report from this rule deserves a
# look.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
	/boot			-> $(SEC_CRIT) ;
	/lib/modules		-> $(SEC_CRIT) ;
}
#
# Critical executables
# Root-filesystem binaries, checked with SEC_BIN (defined outside this
# excerpt). These change on package upgrades (the apt-get runs this thread
# is about), so the database has to be re-initialised after each upgrade
# or every subsequent check will keep reporting the same files.
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
	/bin			-> $(SEC_BIN) ;
	/sbin			-> $(SEC_BIN) ;
}
#
# Critical Libraries
# /lib as a whole; /lib/modules is additionally covered by the stricter
# SEC_CRIT rule above.
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
	/lib			-> $(SEC_BIN) ;
}
#
# These files change every time the system boots
# Only /var/lock is kept: /var/run is watched by the AIDE policy above
# instead, and /var/log is left out entirely. NOTE(review): nothing in
# either excerpt covers /var/log, so log tampering is outside both tools'
# view -- confirm that is intended (e.g. because logs also go to a remote
# syslog host).
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
	/var/lock		-> $(SEC_CONFIG) ;
#	/var/run		-> $(SEC_CONFIG) ; # daemon PIDs
#	/var/log		-> $(SEC_CONFIG) ;
}
#
# Critical devices
# /dev with the Device group (defined outside this excerpt), minus the
# pty slaves under /dev/pts -- the same exclusion the AIDE policy makes.
# /proc is deliberately not taken wholesale (the line is commented out)
# because the per-process directories churn constantly; instead the
# kernel-wide entries are enumerated one by one. Entries such as
# /proc/modules, /proc/ksyms and /proc/sys are the interesting ones for a
# loaded-module or sysctl change. NOTE(review): /proc/self is a symlink
# whose target is the PID of whoever reads it, so this only stays quiet if
# Device ignores the link target -- confirm the group definition. The
# size of /proc/kcore and several /proc/net entries may also vary between
# runs depending on what Device records.
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
	/dev			-> $(Device) ;
	!/dev/pts ;
#	/proc			-> $(Device) ;
	/proc/bus		-> $(Device) ;
	/proc/cmdline		-> $(Device) ;
	/proc/cpuinfo		-> $(Device) ;
	/proc/devices		-> $(Device) ;
	/proc/dma		-> $(Device) ;
	/proc/driver		-> $(Device) ;
	/proc/execdomains	-> $(Device) ;
	/proc/fb		-> $(Device) ;
	/proc/filesystems	-> $(Device) ;
	/proc/fs		-> $(Device) ;
	/proc/ide		-> $(Device) ;
	/proc/interrupts	-> $(Device) ;
	/proc/iomem		-> $(Device) ;
	/proc/ioports		-> $(Device) ;
	/proc/irq		-> $(Device) ;
	/proc/kcore		-> $(Device) ;
	/proc/kmsg		-> $(Device) ;
	/proc/ksyms		-> $(Device) ;
	/proc/loadavg		-> $(Device) ;
	/proc/locks		-> $(Device) ;
	/proc/mdstat		-> $(Device) ;
	/proc/meminfo		-> $(Device) ;
	/proc/misc		-> $(Device) ;
	/proc/modules		-> $(Device) ;
	/proc/mounts		-> $(Device) ;
	/proc/mtrr		-> $(Device) ;
	/proc/net		-> $(Device) ;
	/proc/partitions	-> $(Device) ;
	/proc/pci		-> $(Device) ;
	/proc/self		-> $(Device) ;
	/proc/slabinfo		-> $(Device) ;
	/proc/stat		-> $(Device) ;
	/proc/swaps		-> $(Device) ;
	/proc/sys		-> $(Device) ;
	/proc/sysvipc		-> $(Device) ;
	/proc/tty		-> $(Device) ;
	/proc/uptime		-> $(Device) ;
	/proc/version		-> $(Device) ;
}
#
# Binaries
# The non-root-filesystem binary trees, at medium severity. Together with
# /bin, /sbin and /lib above this is exactly the set a package upgrade
# rewrites, so expect a report after every apt-get run until the database
# is updated.
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
	/usr/local/sbin	-> $(SEC_BIN) ;
	/usr/local/bin	-> $(SEC_BIN) ;
	/usr/sbin	-> $(SEC_BIN) ;
	/usr/bin	-> $(SEC_BIN) ;
}
#
# Libraries
# /usr/lib and /usr/local/lib with the same SEC_BIN group as the
# binaries, since a trojaned shared library is as dangerous as a trojaned
# executable.
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
	/usr/local/lib	-> $(SEC_BIN) ;
	/usr/lib	-> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
# recurse = 0 limits each entry to the directory inode itself, so
# SEC_INVARIANT (defined outside this excerpt) is checked on the top-level
# directories only; nothing inside /home, /tmp or /var/tmp is inspected
# by this rule.
#
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
	/		-> $(SEC_INVARIANT) (recurse = 0) ;
	/home		-> $(SEC_INVARIANT) (recurse = 0) ;
	/tmp		-> $(SEC_INVARIANT) (recurse = 0) ;
	/usr		-> $(SEC_INVARIANT) (recurse = 0) ;
	/var		-> $(SEC_INVARIANT) (recurse = 0) ;
	/var/tmp	-> $(SEC_INVARIANT) (recurse = 0) ;
}
# AIDE's trust anchors, guarded by Tripwire (AIDE guards /etc/tripwire in
# return, see the AIDE policy above). The two directories are taken at
# recurse = false, i.e. the directory inode only, and only aide.conf and
# aide.db are named explicitly -- any other file in these directories
# (e.g. a freshly generated aide.db.new staged next to the live database)
# is not inspected by this rule. NOTE(review): "recurse = false" here and
# "recurse = 0" above are equivalent; one spelling would be tidier.
# Updating aide.db after an apt-get run is a SEC_CRIT change, so the
# Tripwire database must be updated in the same maintenance step.
(
  rulename = "AIDE /etc/aide/ & /var/db/aide/",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
  /etc/aide				-> $(SEC_INVARIANT) (recurse = false) ;
  /etc/aide/aide.conf			-> $(SEC_CRIT) ;
  /var/lib/aide				-> $(SEC_INVARIANT) (recurse = false) ;
  /var/lib/aide/aide.db			-> $(SEC_CRIT) ;
}

-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |


